First, thanks for this module; with it I can finally achieve my goals:
Users can embed video with the wysiwyg editor, and I can use the wysiwyg_filter module.

With that I can create a really secure filtering system. With wysiwyg_filter I could drop the HTML filter, so I didn't enable iframe, object, etc.

Well, it would be nice if, on the settings page, admins could use a checkbox to filter only the allowed providers. Sorry, I have no time to do it all; I only have this dirty patch. I don't want to attach it, it's really temporary:


diff --git mytube.module mytube.module
index 2b7138b..b2739da 100644
--- mytube.module
+++ mytube.module
@@ -27,7 +27,7 @@ function mytube_perm() {
 /**
  * Implementation of hook_init().
  */
-function mytube_init() { 
+function mytube_init() {
   // Add global JavaScript and CSS files.
   $MODULEDIR = drupal_get_path("module", "mytube");
   drupal_add_css("$MODULEDIR/mytube.css", "module");
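Review bot: the only change in this hunk is the trailing space removed from `function mytube_init() {`; an unrelated whitespace cleanup adds noise to a patch that is otherwise about the filter, so either drop it or split it into its own commit.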
@@ -214,7 +214,8 @@ function mytube_filter($op, $delta = 0, $format = -1, $text = "") {
           $code = str_replace('&', "%26", $code);
           $js .= "mytubes[$index] = '$code';\n";
         }
-        $text .= "<script type=\"text/javascript\">$js</script>";
+        //$text .= "<script type=\"text/javascript\">$js</script>";
+        drupal_add_js($js, 'inline');
       }
       return $text;
     default:
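Review bot: replacing the appended `<script>` with `drupal_add_js($js, 'inline');` from inside an input filter breaks once the filter result is cached: the filter runs only the first time the text is rendered, so on later page loads nothing calls drupal_add_js, the `mytubes[$index]` variable is never defined, and the thumbnail does nothing when clicked (the maintainer describes exactly this in the reply below). Unless the cache interaction is solved, keep the original `$text .= "<script ...>$js</script>";` line, and in any case remove the commented-out copy instead of leaving dead code in the hunk.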
@@ -285,6 +286,7 @@ function _mytube_find_all_instances($needle, $hay) {
  *  @param i Index of tag to filter
  */
 function _mytube_process_instance(&$text, $tag, $i) {
+  $allowed = array('youtube.com', 'vimeo.com');
   // find tag closure
   $closure_index = stripos($text, "</$tag", $i);
   // get the actual tail-end of the embed code (since the index is the start of the closure tag, not the end of it)
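Review bot: `$allowed = array('youtube.com', 'vimeo.com');` hard-codes the provider list inside `_mytube_process_instance()`, which is the opposite of the admin-configurable checkbox the post asks for; read the list from a module variable (for example `variable_get('mytube_allowed_domains', array('youtube.com', 'vimeo.com'))`) and expose it on the settings form, and add a comment saying what form the entries take (bare registrable domain, no `www.`), since that has to match whatever `_mytube_toplevel()` returns in the next hunk.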
@@ -293,7 +295,20 @@ function _mytube_process_instance(&$text, $tag, $i) {
   $embedded = substr($text, $i, ($closure - $i));
   $embedded = str_replace("\n", " ", $embedded); // Deals with newlines
   // determine what code if any should this embed be replaced with
-  $newcode = _mytube_replaceembed($embedded, $tag);
+
+  if (isset($_SERVER['HTTPS']))
+    $PROTOCOL = 'https://';
+  else
+    $PROTOCOL = 'http://';
+
+  $embed_url = _mytube_embed_url($embedded, $tag);
+  $embed_url = preg_replace("[^//]", $PROTOCOL, $embed_url);
+  $embed_urlinfo = parse_url($embed_url);
+  $embed_domain = _mytube_toplevel($embed_urlinfo['host']);
+  kpr(get_defined_vars());
+  if (in_array($embed_domain, $allowed)) {
+    $newcode = _mytube_replaceembed($embedded, $tag);
+  }
   if ($newcode) {
     // excise the embed
     _mytube_str_excise($text, $i, $closure);
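Review bot: `kpr(get_defined_vars());` is a devel debug dump left in the filter; it prints every local variable, `$text` included, into the page and must be removed before this goes anywhere. Next, `$newcode` is only assigned inside `if (in_array($embed_domain, $allowed))`, so when the domain is not allowed the following `if ($newcode)` reads an undefined variable (a PHP notice, and the embed is left in place untouched); initialise `$newcode = FALSE;` before the check. `parse_url()` returns FALSE on badly malformed input and may omit `host`, so `$embed_urlinfo['host']` needs a guard that rejects the embed rather than indexing into FALSE. The `preg_replace("[^//]", $PROTOCOL, $embed_url)` call uses `[` and `]` as the regex delimiters, so the pattern is `^//` and it only prefixes protocol-relative URLs; say so in a comment, because it reads like a character class at first glance. `isset($_SERVER['HTTPS'])` alone is also true on servers that set the variable to 'off'. `_mytube_embed_url()` and `_mytube_toplevel()` are not defined in this patch, so it assumes they already exist in the module. Finally, as the maintainer points out below, a domain check on user-supplied embed markup is not a substitute for stripping the markup: if the attacker controls the `<embed>`/`<object>` body, the host check only constrains one attribute of it.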

Using this patch with the wysiwyg filter, I can make YouTube's and Vimeo's embed code work, while everything else is filtered.

It only needs these wysiwyg filter settings - HTML elements and attributes: div[id|style|class]; enable the style properties top and left; and in advanced rules, class names and IDs: mytube*

Comments

l@va

I might not be understanding what you're asking, but it sounds like you're asking for MyTube to remove any embed code that is not from a list of providers.

If this is what you want, then it would create a false sense of security. MyTube is designed to filter anything it receives, under the assumption that the code is safe. Although MyTube makes a best-effort attempt to filter unrecognized code, it might still be theoretically possible to circumvent it with some obscure or malformed embeds; a couple such cases have been found in the past. In my opinion, that would be considered a bug if you found such a case, but because of how many different types of embed code are out there it's almost inevitable that a malicious attacker will figure out some way to break the filter if they're trying to break your site. Generally, users submitting embed code are either trusted not to try and submit malicious code (e.g. a tightly managed environment where all the submitters using this input format are full-time staff), or another filter is generating the embed code and <embed>/<iframe> tags are stripped by the filter before it's generated, so users aren't actually submitting embed code. If I understand the wysiwyg filter correctly, you can't explicitly whitelist embeds (or a handful of other things) from it for this reason, and if you're trying to filter the SRC attribute to a list of formats then you're likely to run into problems. If you're trying to replace the functionality provided by HTML Filter with MyTube, then you might be opening yourself up to security problems, and unless you know everyone on the site (which might be the case) I recommend you rethink your approach.

An example safe configuration of what you're trying to do would be creating an emfield filter, arranging it right before MyTube, and enabling the YouTube and Vimeo extensions. With this configuration, the user submits a URL (http://youtube.com/watch?v=SOME_VIDEO_ID or http://vimeo.com/SOME_INTEGER), the emfield module converts the URL into an embed code, and MyTube processes that. If the user submits embed code themselves, then it will get stripped out by HTML filter before reaching MyTube. This method is safe for anonymous users, while trusted users (like the staff at eff.org) would ideally copy an "embed this" code from an arbitrary video sharing site I might never have heard of and it would still get swapped out for a clickable thumbnail. I recommend you keep the HTML Filter enabled unless you know and trust your users. Think of MyTube as an enhancement to your content, instead of a security filter; it enhances embed codes by preventing Flash cookies from automatically getting placed, but if the submitter is posting malicious code then it could

-        $text .= "<script type=\"text/javascript\">$js</script>";
+        //$text .= "<script type=\"text/javascript\">$js</script>";
+        drupal_add_js($js, 'inline');

This approach has been tried before in an earlier version before submitting MyTube for approval, but inline javascript through drupal_add_js conflicts with Drupal's caching if done from an input filter. Basically, the filter is only invoked once, then instead of processing every single piece of user-submitted code through every single input filter for every single page a user accesses, Drupal saves the processed code to a so-called cache to save time and not slow down your site, and it displays the cached version instead of running the filter multiple times. Since the code is only executed once, the script would not get added to the head after the first time an embed is viewed, and the mytubes javascript variable wouldn't be defined so you'd have a thumbnail which doesn't do anything when clicked. If I append the script right after the thumbnail, however, the script that defines mytubes is added to that cached version of the code, and the thumbnail still works without mytube_filter being called each time a user loads it (if I disabled caching it would greatly slow the site down). The other scripts and stylesheets are constant, so they can be included on every page regardless of whether or not MyTube is used.
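The "URL in, embed out" design described in the reply above (what the emfield filter does for MyTube) is the part worth copying: untrusted users hand over a plain URL, the server validates it strictly and generates the markup itself, and nothing the user typed ever reaches the page as `<embed>`/`<iframe>`/`<object>`. The following is an added, self-contained PHP illustration of that design; it is not code from this thread, from MyTube or from emfield. The function names, the accepted URL forms, the 11-character YouTube id assumption and the iframe templates are all my own assumptions for the example, and the sample inputs at the bottom are constructed.

```php
<?php
// Added example, not MyTube or emfield code. Accept a plain video URL from an
// untrusted user, validate it strictly, and build the embed markup server-side.
// The user never submits markup, so there is nothing to "filter": anything that
// is not a recognised provider URL is rejected outright.

/**
 * Return array('provider' => ..., 'id' => ...) for a recognised URL, or NULL.
 */
function video_ref_from_url($url) {
  $parts = parse_url(trim($url));
  // parse_url() returns FALSE on badly malformed input and may omit 'host'.
  if ($parts === FALSE || empty($parts['host']) || empty($parts['scheme'])) {
    return NULL;
  }
  // Only http(s): this rejects javascript:, data: and protocol-relative input.
  if (!in_array(strtolower($parts['scheme']), array('http', 'https'), TRUE)) {
    return NULL;
  }
  // Exact host match, not a suffix match, so youtube.com.evil.example fails.
  $host = strtolower($parts['host']);
  $path = isset($parts['path']) ? $parts['path'] : '';
  $query = array();
  if (isset($parts['query'])) {
    parse_str($parts['query'], $query);
  }

  // Assumption for the example: YouTube ids are 11 chars of [A-Za-z0-9_-].
  if (in_array($host, array('youtube.com', 'www.youtube.com'), TRUE)) {
    if ($path === '/watch' && isset($query['v'])
        && preg_match('/^[A-Za-z0-9_-]{11}$/', $query['v'])) {
      return array('provider' => 'youtube', 'id' => $query['v']);
    }
    return NULL;
  }
  if ($host === 'youtu.be' && preg_match('#^/([A-Za-z0-9_-]{11})$#', $path, $m)) {
    return array('provider' => 'youtube', 'id' => $m[1]);
  }
  // Assumption for the example: Vimeo ids are short decimal integers.
  if (in_array($host, array('vimeo.com', 'www.vimeo.com'), TRUE)
      && preg_match('#^/([0-9]{1,12})$#', $path, $m)) {
    return array('provider' => 'vimeo', 'id' => $m[1]);
  }
  return NULL;
}

/**
 * Build embed markup from a validated URL, or return NULL. The id is already
 * constrained by the patterns above and is escaped anyway, so the template
 * stays safe even if the patterns are loosened later.
 */
function embed_from_url($url) {
  $ref = video_ref_from_url($url);
  if ($ref === NULL) {
    return NULL;
  }
  $id = htmlspecialchars($ref['id'], ENT_QUOTES, 'UTF-8');
  switch ($ref['provider']) {
    case 'youtube':
      return '<iframe src="https://www.youtube.com/embed/' . $id . '"'
        . ' width="560" height="315" frameborder="0" allowfullscreen></iframe>';
    case 'vimeo':
      return '<iframe src="https://player.vimeo.com/video/' . $id . '"'
        . ' width="560" height="315" frameborder="0" allowfullscreen></iframe>';
  }
  return NULL;
}

// Constructed sample inputs: what an anonymous user might submit.
$samples = array(
  'http://youtube.com/watch?v=dQw4w9WgXcQ',              // accepted
  'https://youtu.be/dQw4w9WgXcQ',                        // accepted
  'http://vimeo.com/12345678',                           // accepted
  'http://youtube.com.evil.example/watch?v=dQw4w9WgXcQ', // host not on the list
  '//youtube.com/watch?v=dQw4w9WgXcQ',                   // no scheme
  'javascript:alert(1)',                                 // not http(s)
  '<iframe src="http://youtube.com/embed/x"></iframe>',  // markup, not a URL
);
foreach ($samples as $s) {
  $out = embed_from_url($s);
  echo $s, ' => ', ($out === NULL ? 'REJECTED' : $out), "\n";
}
```

The point of the structure is that the only user-controlled bytes that reach the output are a video id that has already been matched against a tight pattern; the provider host, the scheme and the whole surrounding tag come from the server's template. That is the opposite of the patch above, which keeps the user's own `<embed>`/`<object>` body and only inspects one URL inside it.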

szantog

Status: Active » Closed (works as designed)

Well, thanks! I've been using emfield for years, but never found its own filter - my fault. :) Great, with the emfield filter everything is fine!