
I have a video.php page like this:

```php
<?php $videolink = $_GET['urlpath']; ?>
<video width="100%" height="100%" controls autoplay>
<source src="/videos/<?php echo $videolink; ?>.mp4">
</video>
```

Url Example:

http://example.com/video.php?urlpath=video1

Sample Url Output:

```html
<video width="100%" height="100%" controls autoplay>
<source src="/videos/video1.mp4">
</video>
```

What I want to do is this: How can I remove '/videos/video1.mp4' from the page source code? Or can I pull it from a different file? I don't want it to appear directly in the page source code, thank you.

xquaL
  • That is not possible unless you use some kind of streaming – Anurag Srivastava Mar 30 '20 at 22:21
  • I think it can be done. If I fetch the .mp4 file with javascript and shoot javascript content remotely; I think it would be if I used javascript with php. `` – xquaL Mar 30 '20 at 22:31
  • Yes, it just came to my mind. When I reach the appropriate solution, I share my method. My goal is not to hide the .mp4 file entirely, but I'm sure they'll find it somehow. I just don't want it to appear in the page source code. Dynamically bringing .mp4 remotely with javascript seems to solve my job. – xquaL Mar 30 '20 at 22:40
  • Use AJAX. After page loads feed in the path. Could also look at HLS. You also are open to XSS. – user3783243 Mar 30 '20 at 23:04
  • @user3783243 Actually I don't think it will be an xss. Data from the Get part only will change the video name. So they will get a 404 Not Found error. I don't think it will create a deficit. I also don't understand ajax and javascript. How can I use it with Ajax, is there a sample code? – xquaL Mar 31 '20 at 02:31
  • @xquaL It is. Try something like `example.com/?urlpath=%22%3E%3C%2Fvideo%3E%3Cscript%3Ealert%28%27injected%27%29%3B%3C%2Fscript%3E` It depends how you load your player. See https://learn.jquery.com/ajax/. So you can use document ready to make an ajax request then write the video element with the URL you get back from the AJAX request to your PHP script. – user3783243 Mar 31 '20 at 02:48
  • @user3783243 This didn't work for me. But I can have an alert in a different way yes .. But any database connection etc. can they do anything other than give an alert because they are not? How can I prevent this? I guess I should make sure that only letters and numbers are used in Url. I think I need to block special characters like (<> '"!% & + ^) from the URL. I think I can do it with PHP as follows; `` But as if this is not very healthy, what would you suggest? – xquaL Mar 31 '20 at 11:41
  • A user could alter the whole page to display what they want. See https://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php. – user3783243 Mar 31 '20 at 12:04
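
The XSS raised in the comments comes from echoing `$_GET['urlpath']` into the `src` attribute without validation or escaping. A hardened version of the question's `video.php`, as an added example that is not part of the original thread; the location of the `videos` directory, the 64-character limit and the `resolveVideoUrl` helper name are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: the .mp4 files live in a "videos" directory next to this script.
const VIDEO_DIR = __DIR__ . '/videos';

/**
 * Map the requested name to a /videos/<name>.mp4 URL, or return null.
 * Hypothetical helper written for this example. Requires PHP 8 (mixed type).
 */
function resolveVideoUrl(mixed $name, string $dir = VIDEO_DIR): ?string
{
    // ?urlpath[]=x arrives as an array, so reject anything that is not a string.
    if (!is_string($name)) {
        return null;
    }
    // Allowlist instead of a blocklist of "special characters": only letters,
    // digits, underscore and hyphen. Quotes, angle brackets, dots and slashes
    // never match, which rules out both markup injection and ../ traversal.
    // \A and \z anchor the whole string (unlike $, \z rejects a trailing newline).
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // Only emit a URL for a file that actually exists on disk.
    if (!is_file($dir . '/' . $name . '.mp4')) {
        return null;
    }
    return '/videos/' . $name . '.mp4';
}

$url = resolveVideoUrl($_GET['urlpath'] ?? null);
if ($url === null) {
    // Fail closed: no partial page is rendered for a rejected name.
    http_response_code(404);
    exit('Video not found');
}
?>
<video width="100%" height="100%" controls autoplay>
<!-- Escape on output as well, so the page stays safe if the validation above is ever loosened. -->
<source src="<?= htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>" type="video/mp4">
</video>
```

This closes the injection point only; the resolved `/videos/<name>.mp4` URL is still visible to anyone who inspects the page or its network requests.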
