BBCODE - Improved Youtube Insertion


Subject: BBCODE - Improved Youtube Insertion
Hi all!

This is not a support topic, but I can't create topics in other places, so I'll leave this here.
I have improved the insertion of YouTube videos with BBCode. As you should know, the current BBCode requires users to strip the URL down to the video ID and write that in. A lot of users don't know what a video ID is, so I made the BBCode translator be the one to take the video ID and use the new YouTube insertion with the <iframe> HTML tag.

As some users are used to inserting videos with only the ID, the BBCode still works if they insert only the ID, a URL with more vars, or even the short URL version.

Let's see how:
OPEN ip_root/includes/bbcode.php
FIND
Code:
else if ($tag === 'youtube')
{
    $color_append = '';
    if ($color_1 || $color_2)
    {
        $color_append .= ($color_1 ? ('&color1=0x' . str_replace('#', '', $color_1)) : '');
        $color_append .= ($color_2 ? ('&color2=0x' . str_replace('#', '', $color_2)) : '');
    }

    $width = in_array($width, $width_array) ? $width : 640;
    $height = in_array($height, $height_array) ? $height : 385;
    $html = '<object width="' . $width . '" height="' . $height . '"><param name="movie" value="http://www.youtube.com/v/' . $content . $color_append . '" /><embed src="http://www.youtube.com/v/' . $content . $color_append . '" type="application/x-shockwave-flash" width="' . $width . '" height="' . $height . '"></embed></object><br /><a href="http://youtube.com/watch?v=' . $content . $color_append . '" target="_blank">Link</a><br />';
}

REPLACE WITH
Code:
else if ($tag === 'youtube')
{
    // check URL type
    $vid = '';
    if (strpos($content,'youtu.be')!==FALSE){ // short URL
        $parsedUrl = parse_url($content); // parse the URL to split it in parts
        $vid = str_replace('/','',$parsedUrl['path']); // get the path and delete the initial / symbol
    } else if (strrpos($content,'youtube')!==FALSE) { // long URL
        $parsedUrl = parse_url($content); // parse the URL to split it in parts
        parse_str($parsedUrl['query']); // get the query part (vars) and parse them into name and value
        $vid = $v; // send the value to the destination var.
    } else // in this case, the user entered only the vid
        $vid = $content;

    $width = in_array($width, $width_array) ? $width : 640;
    $height = in_array($height, $height_array) ? $height : 385;
    $html = "<iframe width=\"$width\" height=\"$height\" src=\"http://www.youtube.com/embed/$vid\" frameborder=\"0\" allowfullscreen></iframe>";
}


If you want to use the old video insertion with the <object> tag, just change the last line to:

Code:
$html = "<object width=\"$width\" height=\"$height\"><param name=\"movie\" value=\"http://www.youtube.com/v/$vid?version=3&\"></param><param name=\"allowFullScreen\" value=\"true\"></param><param name=\"allowscriptaccess\" value=\"always\"></param><embed src=\"http://www.youtube.com/v/$vid?version=3&\" type=\"application/x-shockwave-flash\" width=\"$width\" height=\"$height\" allowscriptaccess=\"always\" allowfullscreen=\"true\"></embed></object>";


As you will see, these four options now work:

Code:
[youtube]http://youtu.be/z0XAI-PFQcA[/youtube]
[youtube]http://www.youtube.com/watch?v=z0XAI-PFQcA[/youtube]
[youtube]http://www.youtube.com/watch?v=KtBbyglq37E&feature=list_other&playnext=1&list=AL94UKMTqg-9AQHw-H4wKwQuvHKZQH67tF[/youtube]
[youtube]z0XAI-PFQcA[/youtube]


I hope this can help someone! Have a nice day!

Subject: Re: BBCODE - Improved Youtube Insertion
Thank you for the suggestion, I have implemented it on my dev environment and I'll probably implement it officially.

I just wanted to point out that your code has a security flaw for at least two reasons:

  1. The parse_str function has been used without specifying an output var: http://it.php.net/manual/en/function.parse-str.php
     This means that someone can arbitrarily pass some OFFENDING code directly through the HTTP QUERY STRING by overriding some other vars in bbcode.php (a fix is provided in my code below).
  2. The video content string is not sanitized; this means that someone can arbitrarily close the IFRAME tag by sending a proper HTTP QUERY STRING and open another IFRAME with their own code (a fix is provided in my code below).




Code:
// check URL type
$video_file = $content;
if (strpos($content, 'youtu.be') !== false)
{
    // Short URL
    // parse the URL to split it in parts
    $parsed_url = parse_url($content);
    // get the path and delete the initial / symbol
    $video_file = isset($parsed_url['path']) ? str_replace('/', '', $parsed_url['path']) : '';
}
elseif (strrpos($content, 'youtube') !== false)
{
    // Long URL
    // parse the URL to split it in parts
    $parsed_url = parse_url($content);
    // get the query part (vars) and parse them into the $qvars array, not into the current scope
    $qvars = array();
    parse_str(isset($parsed_url['query']) ? $parsed_url['query'] : '', $qvars);
    // send the value to the destination var (empty if there is no usable v parameter)
    $video_file = (isset($qvars['v']) && is_string($qvars['v'])) ? $qvars['v'] : '';
}
// keep only characters that can occur in a video ID; IDs may contain - and _ (e.g. z0XAI-PFQcA)
$video_file = preg_replace('/[^A-Za-z0-9_-]+/', '', $video_file);
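
The two fixes discussed in this thread, combined into a stand-alone sketch that can be run from the command line (added example, not code from either poster or from Icy Phoenix). The helper name extract_youtube_id() is hypothetical, and the 11-character ID format is an assumption taken from the sample IDs in the first post; instead of stripping characters it rejects any value that is not exactly an ID.

```php
<?php
// Added example. extract_youtube_id() is a hypothetical helper, not an Icy Phoenix function.

/**
 * Return the video ID from a [youtube] tag body, or null if none is valid.
 * Assumption: IDs are 11 characters from A-Z a-z 0-9 _ - (as in the thread's samples).
 */
function extract_youtube_id($content)
{
    $content = trim($content);
    $candidate = $content; // default: the user typed a bare ID

    if (preg_match('#^https?://#i', $content)) {
        $parts = parse_url($content); // false on badly malformed URLs
        $host = isset($parts['host']) ? strtolower($parts['host']) : '';

        if ($host === 'youtu.be') {
            // Short URL: the ID is the path without its leading slash
            $candidate = isset($parts['path']) ? ltrim($parts['path'], '/') : '';
        } elseif ($host === 'youtube.com' || $host === 'www.youtube.com') {
            // Long URL: parse the query into a local array, never into the calling scope
            $qvars = array();
            parse_str(isset($parts['query']) ? $parts['query'] : '', $qvars);
            // v[]=... would produce an array, so require a string
            $candidate = (isset($qvars['v']) && is_string($qvars['v'])) ? $qvars['v'] : '';
        } else {
            return null; // URL on a host we do not embed
        }
    }

    // Validate rather than strip: quotes, angle brackets, etc. never reach the src attribute
    return preg_match('/\A[A-Za-z0-9_-]{11}\z/', $candidate) ? $candidate : null;
}

// Constructed inputs: the four forms from the first post plus two that must not get through
$samples = array(
    'http://youtu.be/z0XAI-PFQcA',
    'http://www.youtube.com/watch?v=z0XAI-PFQcA',
    'http://www.youtube.com/watch?v=KtBbyglq37E&feature=list_other&playnext=1',
    'z0XAI-PFQcA',
    'http://www.youtube.com/watch?v=z0XAI-PFQcA&width=9999', // extra var stays inside $qvars
    'z0XAI"></iframe><b>',                                   // markup characters: rejected
);

foreach ($samples as $s) {
    $id = extract_youtube_id($s);
    echo str_pad($id === null ? 'REJECTED' : $id, 12), ' <= ', $s, "\n";
}
```

In bbcode.php the caller would skip the embed when the helper returns null. Calling parse_str() without the result argument is deprecated since PHP 7.2 and no longer possible in PHP 8.0, where the argument is mandatory.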



Powered by Icy Phoenix based on phpBB