Firefox PHP

Security Implications of Embedded Objects in Posts?

Posted by farang 
Security Implications of Embedded Objects in Posts?
June 01, 2007 07:29PM
Greetings!

As video from sources like YouTube are now exploding on the Web, users will increasingly want to embed video clips in their posts, using the "object" tag, like so:

object width="425" height="350"><param name="movie" value="[www.youtube.com] name="wmode" value="transparent"></param><embed src="[www.youtube.com]; type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object

Is there a security implication of users being able to embed objects like this (maybe objects other than video)? And if there are implications, how might one avoid them, short of blocking HTML altogether?

Thanks!



Edited 1 time(s). Last edit at 06/01/2007 07:29PM by farang.
Re: Security Implications of Embedded Objects in Posts?
June 01, 2007 07:47PM
I don't see any obvious security implication, but user provided HTML should be blocked at all times. If you want this, then the best way is to write a little mod that safely translates something like [video]http://www.youtube.com/v/WofFb_eOxxA[/video] into an embedded video object.


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: Security Implications of Embedded Objects in Posts?
June 01, 2007 08:05PM
Hmmm...thanks for that, but I'm not up to speed on writing mods...yet.

I want users to be able to post photos using HTML, but "objects" sounds a bit scary. The first thing I think of is some malicious ActiveX control getting posted and blowing up the board. But video itself is safe, I suppose, as long as I can limit it to that (which your mod suggestion indicates). I wish there was a workaround that didn't require me to write a mod, which with my luck would blow up the board.
Re: Security Implications of Embedded Objects in Posts?
June 01, 2007 08:18PM
The only safe way is if you generate the HTML code. Just take the bbcode mod and extend or copy-and-redo that one. It should give you ideas on how to do a mod that translates tags into HTML safely. Allowing <code> safely would require a mod too, so why not start with the safest option? ;-)


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Sorry, only registered users may post in this forum.

Click here to login