Main security concerns in allowing users to embed videos

Time: 2021-08-24 15:13:00

I wanna allow users to embed videos freely in the application in development, but do not want to expose them and the application to malicious uses.


With that in mind, what are the main security concerns (XSS, etc.) in allowing users to embed videos from external sources, like YouTube, Vimeo, etc.? In which way could these exploits be used? What kind of sanitization do you guys recommend applying before accepting/displaying an embedded video?


1 solution

#1


Well, once you allow a Flash app to be on your site, it could do any number of things on the client that you won't have control over, especially since you can execute JavaScript with Flash (with limitations). Best is to use a whitelist, and only allow users to embed videos from places you trust.
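
The whitelist approach recommended in the answer above, as an added example that is not part of the original post: the user submits only a link, and the server builds the embed markup itself from a validated host and video ID. The names `PROVIDERS`, `toTrustedEmbedUrl` and `renderEmbed` are hypothetical, and the trusted set is assumed to be the two providers named in the question.

```javascript
// Added example: allowlist-based embed builder (hypothetical helper names).
// Each trusted provider maps accepted hostnames to a strict ID extractor
// and the embed URL the server constructs itself.
const PROVIDERS = [
  {
    hosts: new Set(["www.youtube.com", "youtube.com", "youtu.be"]),
    extractId(url) {
      const id = url.hostname === "youtu.be"
        ? url.pathname.slice(1)
        : url.pathname === "/watch" ? url.searchParams.get("v") : null;
      return id && /^[A-Za-z0-9_-]{11}$/.test(id) ? id : null;
    },
    embedUrl: (id) => `https://www.youtube.com/embed/${id}`,
  },
  {
    hosts: new Set(["vimeo.com", "www.vimeo.com"]),
    extractId(url) {
      const m = /^\/(\d{1,12})$/.exec(url.pathname);
      return m ? m[1] : null;
    },
    embedUrl: (id) => `https://player.vimeo.com/video/${id}`,
  },
];

// Returns a server-built embed URL, or null unless the input is an https
// link to an allowlisted host carrying a well-formed video ID.
function toTrustedEmbedUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch {
    return null; // not an absolute URL (e.g. pasted HTML)
  }
  if (url.protocol !== "https:" || url.username || url.password || url.port) return null;
  const provider = PROVIDERS.find((p) => p.hosts.has(url.hostname)); // exact match, no suffix tests
  if (!provider) return null;
  const id = provider.extractId(url);
  return id ? provider.embedUrl(id) : null;
}

// Builds the only markup that is ever rendered; user input is never echoed.
function renderEmbed(input) {
  const src = toTrustedEmbedUrl(input);
  if (!src) return null;
  return `<iframe src="${src}" sandbox="allow-scripts allow-same-origin" ` +
    `referrerpolicy="no-referrer" allowfullscreen></iframe>`;
}
```

Storing only the provider name and video ID, rather than any user-supplied HTML, keeps the rendered markup entirely under the application's control.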
