anonīms Posted October 5, 2011

Hello. I'm planning to build a video section with YouTube embeds, but the big question is security. How do I make it so that all HTML tags are stripped except embed, and so that nobody can still slip some XSS trick into the embed itself, say a JavaScript onclick or something like that?
marrtins Posted October 5, 2011

Don't allow embedding. Allow only a link, and do the embedding yourself. If you still badly want embed, then parse it with DOM and have a look at what the little hacker has put in there.
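marrtins's suggestion above (accept only a link and build the embed yourself), as an added example that is not part of the thread. The function names, the sample links and the 11-character ID pattern are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Return the video ID from a user-supplied YouTube link, or null if the
// link is not an accepted YouTube URL.
function youtube_id_from_link(string $link): ?string
{
    $p = parse_url(trim($link));
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null; // unparsable, relative, or scheme-only (javascript:, data:)
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null; // no credentials or odd ports in a video link
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($p['host']), ['www.youtube.com', 'youtube.com'], true)) {
        return null;
    }
    $path = $p['path'] ?? '';
    $id = null;
    if ($path === '/watch') {
        parse_str($p['query'] ?? '', $q);
        $id = $q['v'] ?? null;          // may be an array for "v[]=..."
    } elseif (strncmp($path, '/embed/', 7) === 0) {
        $id = substr($path, 7);
    }
    // Assumption: IDs are 11 characters from [A-Za-z0-9_-]. Anything else,
    // including quotes, spaces and markup, is rejected outright.
    $ok = is_string($id) && preg_match('/\A[A-Za-z0-9_-]{11}\z/', $id) === 1;
    return $ok ? $id : null;
}

// Build the iframe from the validated ID only; no user-supplied markup is reused.
function youtube_embed_html(string $link): ?string
{
    $id = youtube_id_from_link($link);
    if ($id === null) {
        return null;
    }
    return '<iframe width="560" height="315" frameborder="0" src="https://www.youtube.com/embed/'
        . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . '"></iframe>';
}

// Constructed sample inputs: only the first one yields an iframe.
foreach ([
    'https://www.youtube.com/watch?v=AAAAAAAAAAA',
    'https://www.youtube.com/watch?v=AAAAAAAAAAA" onload="x',
    'javascript:alert(1)',
    'https://youtube.com.example.net/embed/AAAAAAAAAAA',
] as $link) {
    var_dump(youtube_embed_html($link));
}
```

Store only the validated ID, and generate the iframe at render time.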
codez Posted October 5, 2011

http://htmlpurifier.org/ handles that very well. Oh, and in general the newest standard is considered to be embedding using iframes, for YouTube as well. For that I use a home-made class for HTMLPurifier:

    class HTMLPurifier_AttrDef_URI_AllowedHosts extends HTMLPurifier_AttrDef_URI
    {
        // Hosts that may appear in the URI
        protected $allowed_hosts;

        public function __construct($embeds_resource = false, $allowed_hosts = array())
        {
            $this->allowed_hosts = $allowed_hosts;
            parent::__construct($embeds_resource);
        }

        public function validate($uri, $config, $context)
        {
            $p = parse_url($uri);
            // Reject unparsable URIs, URIs without a host, and hosts not on the list
            if (!is_array($p) || !isset($p['host'])
                || !in_array($p['host'], $this->allowed_hosts, true)) {
                return false;
            }
            // Let HTML Purifier apply its normal URI checks as well
            return parent::validate($uri, $config, $context);
        }
    }

Which allows only specific domains. Then use it like this:

    $config = HTMLPurifier_Config::createDefault();
    $def = $config->getHTMLDefinition(true);
    // Register <iframe> with a src attribute restricted to the listed hosts
    $iframe = $def->addElement('iframe', 'Inline', 'Flow', 'Common',
        array(
            'src*' => new HTMLPurifier_AttrDef_URI_AllowedHosts(false,
                array('www.youtube.com', 'youtube.com', 'maps.google.com')),
            'width' => 'Pixels#800',
            'height' => 'Pixels#600',
            'frameborder' => 'Number',
            'name' => 'ID',
            'title' => 'CDATA'
        )
    );

Edited October 5, 2011 by codez