3

I want to enable users to submit video links in a post/comment and render it as embedded videos.

For example, youtube supplies code for embedding videos, something like:

<iframe width="420" height="345" src="http://www.youtube.com/embed/Rr6PWlOgPrs" frameborder="0" allowfullscreen></iframe>

If a user puts the above code fragment in a comment, how do I render it correctly?

Django auto-escapes all HTML tags, so by default the above code wouldn't work. But if I disable auto-escaping then I'd open a ton of security risks.

What's the best way of handling this?

Continuation
  • 12,722
  • 20
  • 82
  • 106

3 Answers3

3

The user should never be able to insert HTML directly. Look into django-oembed. This way the user will only have to paste in the URL and oembed will match it and switch the matched urls automatically with object embed code.

Uku Loskit
  • 40,868
  • 9
  • 92
  • 93
  • Right. You don't want the user to give you *anything* other the URL and maybe the title. That way *you* are constructing the link and you don't have to worry about escaping and/or de-fanging (?) their HTML. – Peter Rowell Aug 30 '11 at 23:41
1

Give a try to django-embed-video. It is quite simple.

Tom Tichý
  • 1,065
  • 1
  • 12
  • 19
1

What I do on my site is have users submit a link to the YouTube video. No embed stuff, just the link. Then I use the oEmbed API to ask YouTube for the embed HTML code for the given link. If you trust YouTube, you can then use the HTML they give you without escaping it.

I've been doing this for 6 months now, it works really great.

Brian Neal
  • 31,821
  • 7
  • 55
  • 59