Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

embed usage

edited September 2010 in Vanilla 2.0 - 2.8
I had a user use the embed tag for a vimeo video, and it did bad things. Basically it redirected you to the vimeo video page. This is a security issue in allowing someone to redirect your visitors to any page they want.


  • if it automatically redirected the user without having to click a link, yeah, that's bad. can you PM me the exact embed tag that caused the behavior so I can try to find a fix?
  • ithcyithcy New
    edited September 2010
    this is a side effect of allowing unrestricted embed tags in comments.

    your user's embed tag pointed to a vimeo page, not the actual video player object. so he was in effect embedding a whole web page. that page contains so-called "framebuster" javascript which tries to break out of any unsanctioned embeds or iframes, for whatever reason.

    the HtmLawed plugin (which formats your forum comments by default) will automatically do proper embedding of vimeo URLs. all the commenter has to do is paste the link to the vimeo page. same with youtube and possibly more.

    what i recommend is to disallow embeds in your forum, by going into plugins/HtmLawed/class.htmlawed.plugin.php and looking around line 41 for this line: 'elements' => '*-applet-form-input-textarea-iframe-script-style', replace it with this: 'elements' => '*-applet-form-input-textarea-iframe-script-style-object-embed', and instruct your users to just paste the URLs to the pages, not the full embed code.
Sign In or Register to comment.