
Icy Phoenix


Old Support Topics - BBCODE - Improved Youtube Insertion



jefazo666 [ Sun 11 Nov, 2012 14:03 ]
Post subject: BBCODE - Improved Youtube Insertion
Hi all!

This is not a support topic, but I can't create topics in other places, so I'll leave this here.
I have improved the insertion of YouTube videos with BBCode. As you should know, the current BBCode requires users to clear the URL to get the video ID and write it here. A lot of users don't know what a video ID is, so I made the BBCode translator be the one to take the video ID and use the new YouTube insertion with the <iframe> HTML tag.

As some users are used to inserting videos with only the ID, the BBCode still works if they insert only the ID, if they insert a URL with more vars, or even if they insert the short URL version.

Let's see how:
OPEN ip_root/includes/bbcode.php
FIND
Code:
else if ($tag === 'youtube')
{
    $color_append = '';
    if ($color_1 || $color_2)
    {
        $color_append .= ($color_1 ? ('&color1=0x' . str_replace('#', '', $color_1)) : '');
        $color_append .= ($color_2 ? ('&color2=0x' . str_replace('#', '', $color_2)) : '');
    }

    $width = in_array($width, $width_array) ? $width : 640;
    $height = in_array($height, $height_array) ? $height : 385;
    $html = '<object width="' . $width . '" height="' . $height . '"><param name="movie" value="http://www.youtube.com/v/' . $content . $color_append . '" /><embed src="http://www.youtube.com/v/' . $content . $color_append . '" type="application/x-shockwave-flash" width="' . $width . '" height="' . $height . '"></embed></object><br /><a href="http://youtube.com/watch?v=' . $content . $color_append . '" target="_blank">Link</a><br />';
}

REPLACE WITH
Code:
else if ($tag === 'youtube')
{
    // check URL type
    $vid = '';
    if (strpos($content,'youtu.be')!==FALSE){ // short URL
        $parsedUrl = parse_url($content); // parse the URL to split it in parts
        $vid = str_replace('/','',$parsedUrl['path']); // get the path and delete the initial / symbol
    } else if (strrpos($content,'youtube')!==FALSE) { // long URL
        $parsedUrl = parse_url($content); // parse the URL to split it in parts
        parse_str($parsedUrl['query']); // get the query part (vars) and parse them into name and value
        $vid = $v; // send the value to the destination var.
    } else // in this case, the user entered only the vid
        $vid = $content;

    $width = in_array($width, $width_array) ? $width : 640;
    $height = in_array($height, $height_array) ? $height : 385;
    $html = "<iframe width=\"$width\" height=\"$height\" src=\"http://www.youtube.com/embed/$vid\" frameborder=\"0\" allowfullscreen></iframe>";
}


If you want to use the old video insertion with the <object> tag, just change the last line to:

Code:
$html = "<object width=\"$width\" height=\"$height\"><param name=\"movie\" value=\"http://www.youtube.com/v/$vid?version=3&\"></param><param name=\"allowFullScreen\" value=\"true\"></param><param name=\"allowscriptaccess\" value=\"always\"></param><embed src=\"http://www.youtube.com/v/$vid?version=3&\" type=\"application/x-shockwave-flash\" width=\"$width\" height=\"$height\" allowscriptaccess=\"always\" allowfullscreen=\"true\"></embed></object>";


As you will see, these four options now work:

Code:
[youtube]http://youtu.be/z0XAI-PFQcA[/youtube]
[youtube]http://www.youtube.com/watch?v=z0XAI-PFQcA[/youtube]
[youtube]http://www.youtube.com/watch?v=KtBbyglq37E&feature=list_other&playnext=1&list=AL94UKMTqg-9AQHw-H4wKwQuvHKZQH67tF[/youtube]
[youtube]z0XAI-PFQcA[/youtube]


I hope this can help anyone! Have a nice day!


Mighty Gorgon [ Sat 24 Nov, 2012 11:16 ]
Post subject: Re: BBCODE - Improved Youtube Insertion
Thank you for the suggestion, I have implemented it on my dev environment and I'll probably implement it officially.

I just wanted to point out that your code has a security flaw for at least two reasons:

  1. The parse_str function has been used without specifying an output var: http://it.php.net/manual/en/function.parse-str.php
    This means that someone can arbitrarily pass some OFFENDING code directly through HTTP QUERY STRING by overriding some other vars in bbcode.php (a fix is provided in my code below).
  2. Video content string is not sanitized; this means that someone can arbitrarily close the IFRAME tag by sending proper HTTP QUERY STRING and open another IFRAME with its own code (a fix is provided in my code below).




Code:
// check URL type
$video_file = $content;
if (strpos($content, 'youtu.be') !== false)
{
    // Short URL
    // parse the URL to split it in parts
    $parsed_url = parse_url($content);
    // get the path and delete the initial / symbol
    $video_file = isset($parsed_url['path']) ? str_replace('/', '', $parsed_url['path']) : '';
}
elseif (strrpos($content, 'youtube') !== false)
{
    // Long URL
    // parse the URL to split it in parts
    $parsed_url = parse_url($content);
    // get the query part (vars) and parse them into the local $qvars array, not into the current scope
    $qvars = array();
    if (isset($parsed_url['query']))
    {
        parse_str($parsed_url['query'], $qvars);
    }
    // send the value to the destination var (empty when there is no "v" parameter)
    $video_file = (isset($qvars['v']) && is_string($qvars['v'])) ? $qvars['v'] : '';
}
// keep only characters valid in a video ID; "-" and "_" stay because IDs such as z0XAI-PFQcA contain them
$video_file = preg_replace('/[^A-Za-z0-9_-]+/', '', $video_file);
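
The two flaws named in the reply above, handled in one helper and run over sample input. This is an added example, not part of the thread and not Icy Phoenix code. The function names `youtube_id_from_bbcode` and `youtube_iframe` are hypothetical, the 11-character ID length is an assumption, and the inputs are constructed:

```php
<?php
// Added example (not Icy Phoenix code); function names are hypothetical.
function youtube_id_from_bbcode($content)
{
    $candidate = trim($content);
    if (preg_match('#^https?://#i', $candidate)) {
        $parts = parse_url($candidate);
        $host = isset($parts['host']) ? strtolower($parts['host']) : '';
        if ($host === 'youtu.be') {
            // Short URL: the ID is the path without its leading slash
            $candidate = isset($parts['path']) ? ltrim($parts['path'], '/') : '';
        } elseif ($host === 'youtube.com' || $host === 'www.youtube.com') {
            // Long URL: parse into a local array, never into the current scope,
            // so an extra "&width=..." parameter cannot overwrite $width
            $qvars = array();
            parse_str(isset($parts['query']) ? $parts['query'] : '', $qvars);
            $candidate = (isset($qvars['v']) && is_string($qvars['v'])) ? $qvars['v'] : '';
        } else {
            return null; // URL on some other host
        }
    }
    // Reject rather than strip. Assumption: IDs are 11 chars of [A-Za-z0-9_-]
    return preg_match('/^[A-Za-z0-9_-]{11}$/D', $candidate) ? $candidate : null;
}

function youtube_iframe($content, $width = 640, $height = 385)
{
    $vid = youtube_id_from_bbcode($content);
    if ($vid === null) {
        // Not a recognisable video: show the tag content as inert, escaped text
        return htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
    }
    return '<iframe width="' . (int) $width . '" height="' . (int) $height
        . '" src="https://www.youtube.com/embed/' . $vid
        . '" frameborder="0" allowfullscreen></iframe>';
}

// Constructed inputs: the forms from the first post, then two hostile ones
$samples = array(
    'http://youtu.be/z0XAI-PFQcA',
    'http://www.youtube.com/watch?v=KtBbyglq37E&feature=list_other&playnext=1',
    'z0XAI-PFQcA',
    'http://www.youtube.com/watch?v=z0XAI-PFQcA&width=9999',
    'z0XAI-PFQcA"></iframe><iframe src="http://example.invalid/',
);
foreach ($samples as $sample) {
    echo youtube_iframe($sample), "\n";
}
```

The fourth sample still renders at 640x385 because the query string only ever reaches `$qvars`, and the fifth comes back as escaped text instead of markup.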



