Naked works well, but I use the example plugin which places a snippet of the discussion into the discussion list. This only shows the URL on the discussion list but the video works in the actual discussion. If I use iframe (and remove the strip tags feature of the plugin) then the video shows up on the discussion lists, but not in the discussion. If I use both, it still shows up on the discussion list, but neither work in the actual discussion.
Looks like iframe youtube embed is being stripped, so that's good. And any url's that don't contain anything other than youtube.com and not you.tube or any other minimized url's from youtube are not recognized.
However, the video above is the old way of embedding youtube videos using the < object >< embed > </ embed > </ object >tags which is a little unsettling as people can probably highjack the page or insert bad JavaScript.
I'm not quite sure what you mean. I was just stating that users are able to embed a swf file, or even other files using the <object> tag... (I think)
As far as the code I used to embed that youtube video above, I didn't type the url alone by itself. I actually used the object embed code (provided by youtube) to embed the video in the comment.
Like so: <object width="640" height="360"><param name="movie" value="http://www.youtube.com/v/M7SiMXmVtEw?version=3&hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/M7SiMXmVtEw?version=3&hl=en_US" type="application/x-shockwave-flash" width="640" height="360" allowscriptaccess="always" allowfullscreen="true"></embed></object>
I'm merely stating that users are able to inject some bad "stuff" into comments if they really wanted to.
I understand you can just post the url to embed a youtube video.
I guess what I'm trying to find out is if there is a workaround for people to not be able to embed a swf file or anything using the <object> tag as it can cause some serious trouble if people were to inject bad code into their comment.
Hmmm... actually I just looked at the Gdn_Format class (located in vanilla\library\core\class.format.php) around line 836 and found out that vanilla already adds the <object> and <embed> tags when you post the url for youtube videos anyways.
So even if I do a preg_replace() for <object> tags, it'll get rid of the functionality to be able to post youtube urls. Plus I definitely don't want to muck around with vanilla core.
Answers
i just get the url link, not an embedded video.
i'll persevere
woah that worked!!
just a random video, don't judge me.
Didn't work.
http://www.youtube.com/verify_age?next_url=http://www.youtube.com/watch?v=60xHc6JYUkM
did work
http://www.youtube.com/watch?v=FavUpD_IjVY
thank you. most vids work that way. Naked is best!!
Naked works well, but I use the example plugin which places a snippet of the discussion into the discussion list. This only shows the URL on the discussion list but the video works in the actual discussion. If I use iframe (and remove the strip tags feature of the plugin) then the video shows up on the discussion lists, but not in the discussion. If I use both, it still shows up on the discussion list, but neither work in the actual discussion.
problem with CK Editor plug-in? The Rich Text editor doesn't display the link as embedded video? What should I do?
It has to be in pure HTML with no extra tag
Looks like iframe youtube embed is being stripped, so that's good. And any url's that don't contain anything other than youtube.com and not you.tube or any other minimized url's from youtube are not recognized.
However, the video above is the old way of embedding youtube videos using the < object >< embed > </ embed > </ object >tags which is a little unsettling as people can probably highjack the page or insert bad JavaScript.
Any devs notice this yet? @Todd @Mark @Tim
Use buttonbar
There was an error rendering this rich post.
I'm not quite sure what you mean. I was just stating that users are able to embed a swf file, or even other files using the
<object>tag... (I think)As far as the code I used to embed that youtube video above, I didn't type the url alone by itself. I actually used the object embed code (provided by youtube) to embed the video in the comment.
Like so:
<object width="640" height="360"><param name="movie" value="http://www.youtube.com/v/M7SiMXmVtEw?version=3&hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/M7SiMXmVtEw?version=3&hl=en_US" type="application/x-shockwave-flash" width="640" height="360" allowscriptaccess="always" allowfullscreen="true"></embed></object>I'm merely stating that users are able to inject some bad "stuff" into comments if they really wanted to.
Why, when you can just post the url.
What are you trying to achieve?
There was an error rendering this rich post.
I understand you can just post the url to embed a youtube video.
I guess what I'm trying to find out is if there is a workaround for people to not be able to embed a swf file or anything using the
<object>tag as it can cause some serious trouble if people were to inject bad code into their comment.Ahh ok, yes you can setup stripping. Perhaps @x00 can assist.
There was an error rendering this rich post.
Hmmm... actually I just looked at the Gdn_Format class (located in vanilla\library\core\class.format.php) around line 836 and found out that vanilla already adds the
<object>and<embed>tags when you post the url for youtube videos anyways.So even if I do a preg_replace() for
<object>tags, it'll get rid of the functionality to be able to post youtube urls. Plus I definitely don't want to muck around with vanilla core.Oh well... Thanks anyways.