Allowing embedded YouTube videos in posts or comments adds a lot to a blog or a site.
The real downside is that you have to take into consideration the cross-site scripting (XSS) exposure that the object tag allows.
For that reason I wrote a regular expression that validates the input and retrieves the URL from within the embed tag, and then I place that URL in a template tag that I know is safe.
By doing so you can even control the panel color and size that best suit your site.
Here is how it works:
    using System.Text.RegularExpressions;

    private string SanitizeYouTubeObject(string input)
    {
        // YouTube <embed> tag regular expression.
        // The dots in the host are escaped and the "Url" group must start with "/",
        // so the captured value is always a path on www.youtube.com and cannot
        // extend the host name. "-" is escaped so that "+-=" is not read as a range.
        Regex youTubeObjExp =
            new Regex(
                @"(<embed\ssrc=""http://www\.youtube\.com(?<Url>/[\w\d\s\p{L}\p{S}:#@%/~_?\+\-=\\\.&’]+(?=""))([\w\d\s\p{L}\p{S}:""#@%/~_?\+\-=\\\.&’]+)(></embed>))",
                RegexOptions.IgnoreCase);
        // Run the match once and reuse the result
        Match match = youTubeObjExp.Match(input);
        if (match.Success)
        {
            // Only the captured URL is reused; the rest of the submitted tag is discarded
            string videoObject = string.Format(
                @"<object width=""480"" height=""385""><param name=""movie"" value=""{0}""></param><param name=""allowFullScreen"" value=""true""></param><param name=""allowscriptaccess"" value=""always""></param><embed src=""{0}"" type=""application/x-shockwave-flash"" allowscriptaccess=""always"" allowfullscreen=""true"" width=""480"" height=""385""></embed></object>",
                "http://www.youtube.com" + match.Groups["Url"].Value);
            // Return the sanitized tag
            return videoObject;
        }
        // In case it wasn't a legitimate object tag
        return null;
    }
It's a simple example, meant only to convey the idea.
A real generic solution would take a dictionary of known embed regexes (YouTube, MySpace, etc.) and sanitize any given input accordingly. That way you allow a closed list of well-known sites, and the DB doesn't have to store the entire tag; the URL will be enough.
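
The closed-list approach described above, as an added C# example that is not code from the original post. The provider keys, the placeholder host video.example.com, the URL patterns and the template are assumptions chosen for illustration; only the provider key and the URL would be stored.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

public static class EmbedAllowList
{
    // Pulls the candidate src out of a pasted <embed> tag; the rest of the tag is discarded.
    static readonly Regex EmbedSrc = new Regex(@"<embed\s+src=""(?<Url>[^""]+)""", RegexOptions.IgnoreCase);

    // Closed list: provider key -> anchored pattern the whole URL must match.
    // "examplevideo" / video.example.com is a placeholder, not a real service.
    static readonly Dictionary<string, Regex> Providers = new Dictionary<string, Regex>
    {
        { "youtube", new Regex(@"\Ahttp://www\.youtube\.com/v/[A-Za-z0-9_-]+(&[a-z0-9_]+=[A-Za-z0-9]+)*\z") },
        { "examplevideo", new Regex(@"\Ahttp://video\.example\.com/embed/[0-9]+\z") }
    };

    // Site-owned markup (an assumption); {0} is the validated, HTML-encoded URL.
    const string Template =
        @"<object width=""480"" height=""385""><param name=""movie"" value=""{0}""></param>" +
        @"<embed src=""{0}"" type=""application/x-shockwave-flash"" width=""480"" height=""385""></embed></object>";

    // On success returns the two values to store: provider key and URL.
    public static bool TryParse(string input, out string provider, out string url)
    {
        provider = null; url = null;
        Match m = EmbedSrc.Match(input ?? string.Empty);
        if (!m.Success) return false;
        string candidate = WebUtility.HtmlDecode(m.Groups["Url"].Value);
        foreach (KeyValuePair<string, Regex> p in Providers)
            if (p.Value.IsMatch(candidate)) { provider = p.Key; url = candidate; return true; }
        return false;
    }

    // Re-validates the stored URL at render time, so a tampered row renders nothing.
    public static string Render(string provider, string url)
    {
        Regex pattern;
        if (provider == null || url == null || !Providers.TryGetValue(provider, out pattern) || !pattern.IsMatch(url))
            return null;
        return string.Format(Template, WebUtility.HtmlEncode(url));
    }

    public static void Main()
    {
        // Constructed inputs: an allowed tag, then a look-alike host that must be rejected.
        foreach (string s in new[] { @"<embed src=""http://www.youtube.com/v/abc123&hl=en""></embed>", @"<embed src=""http://www.youtube.com.attacker.example/v/abc123""></embed>" })
        { string p, u; Console.WriteLine(TryParse(s, out p, out u) ? Render(p, u) : "rejected"); }
    }
}
```

Adding a site means adding one dictionary entry; anything that does not match an entry in full is dropped rather than cleaned up.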