> > I really want to be as broad ranging as possible and include as many
> > as possible and also in their original form. It's important for this
> > that the tags, as much as possible be left as they're inputted, I just
> > want the result to hijack my page.
> Well, I originally meant something very custom like
> <video:http://youtubeurl…>. Though since most normal folks can't
> grok this, and web power users have enough formats to figure out,
> perhaps you could just seek out youtube urls sitting on a single line
> or something.
> For instance, Tumblr lets me add the raw embed code or just a youtube
> video URL if I want to post a video.

I could not change the input to that level (<video:...>), but I've had a
look at the youtube and also odeo widgets and they both boil down to an
embed tag with a type of shockwave flash.

You're really not getting the point of what I'm trying to say. I'm
saying, strip all object tags, and use something custom that gets
replaced w/ an object tag that you generate afterwards. If you're
generating insecure JS, you have issues.

Do you think it would be a bad idea to enable support for embed tags with
that type with src from youtube.com or odeo.com / (a list of known)
domains? If I did this I could remove the object tag from around the embed
tag and I don't think it would have much of an impact.

I don't really know, I haven't thought about this stuff much. I just
strip all object/embed tags by default. You may have to do some
digging for any attack vectors on object/embed tags. I don't think
it'd be that different from image tags though.
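
The approach discussed in this thread, sketched as an added example that is not part of any message above and not code from either poster: user-supplied object/embed markup never reaches the page, and a YouTube URL alone on a line (or wrapped as `<video:URL>`) is replaced by an embed tag the server generates from a validated video id. Assumptions: the names `ALLOWED_HOSTS`, `video_id`, `render` and the `EMBED` template are hypothetical, the sample id is constructed, and this sketch escapes all other markup instead of running a tag allowlist.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Assumption: exact hostnames the site agrees to embed from (no suffix matching).
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com"}
VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")  # 11 URL-safe characters
# A line holding only a URL, optionally wrapped in the custom <video:URL> form.
PLACEHOLDER = re.compile(r"(?:<video:(\S+)>|(https?://\S+))")
# Server-owned template (hypothetical); only a validated id is substituted.
EMBED = ('<embed type="application/x-shockwave-flash" '
         'src="https://www.youtube.com/v/{id}" width="425" height="350">')

def video_id(url):
    """Return the video id for a watch URL on an allowed host, else None."""
    try:
        parts = urlparse(url)
        host = parts.hostname  # lowercased; userinfo and port are excluded
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or host not in ALLOWED_HOSTS:
        return None
    if parts.path != "/watch":
        return None
    ids = parse_qs(parts.query).get("v", [])
    if len(ids) == 1 and VIDEO_ID.fullmatch(ids[0]):
        return ids[0]
    return None

def render(text):
    """Escape user text; swap validated video lines for generated markup."""
    out = []
    for line in text.splitlines():
        m = PLACEHOLDER.fullmatch(line.strip())
        vid = video_id(m.group(1) or m.group(2)) if m else None
        # The user's URL string is never echoed into the generated tag.
        out.append(EMBED.format(id=vid) if vid else html.escape(line))
    return "\n".join(out)

if __name__ == "__main__":
    sample = ("hello\n"
              "http://www.youtube.com/watch?v=abcDEF12345\n"  # constructed id
              '<embed src="http://other.example/x.swf">')
    print(render(sample))
```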