object tag: security of allowing users to post it


simonrs

Hi guys,

I'm using TinyMCE to power a blogging site I'm working on. The area of the site is sports, so I'd very much like to allow users to post YouTube videos and the like into their blog posts.

This, as I'm sure you know, will involve allowing them to post content with the object and param tags. I know object tags can also be used to embed, for instance, Java applets.

Are there any security concerns I should be aware of in allowing users to do this? For instance, could they put in a Java applet which will steal sessions of other users? I'm thinking it's obviously dangerous to allow users to post script tags for this reason, and I'm wondering if any of these problems apply to object tags.

Thanks in advance for any help anyone can offer.

You're safer creating a bb-tag style replacement method that allows the user to use bb tags (like the quote tags or code tags on this site), filling in the unique code for the video, then have your backend replace the bb tags with the object tags, filling in the unique video code in the correct spot.

So if the user puts in (for example):

[youtube]xviewq232893[/youtube]

It will replace this with:

<object blah blah blah something="xviewq232893">

(I'm sure that you can see I didn't actually look up the real YouTube code, this was just to give the idea).
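
The replacement approach described in the reply above, as an added example that is not part of the original thread: every piece of user markup is escaped, and only a validated video code is placed into markup the server owns. The function name `render_post`, the allowed ID pattern and the embed template are assumptions made for this sketch.

```python
import html
import re

# Assumption: a video code is a short token of letters, digits, "-" and "_".
VIDEO_ID = r"[A-Za-z0-9_-]{1,20}"
YOUTUBE_TAG = re.compile(r"\[youtube\](.*?)\[/youtube\]", re.IGNORECASE | re.DOTALL)

# Illustrative server-owned embed markup (assumption, not looked up from the
# provider). The user never supplies any part of it except the validated code.
EMBED_TEMPLATE = (
    '<iframe width="560" height="315" '
    'src="https://www.youtube.com/embed/{video_id}" '
    'frameborder="0" allowfullscreen></iframe>'
)


def render_post(raw: str) -> str:
    """Return display HTML: user markup escaped, valid [youtube] tags embedded."""
    # 1. Escape everything first, so <object>, <param>, <script> typed by the
    #    user are shown as text instead of being interpreted by the browser.
    escaped = html.escape(raw, quote=True)

    def replace(match: re.Match) -> str:
        candidate = match.group(1).strip()
        # 2. Only an allowlisted code reaches the template. Anything else is
        #    left as the already-escaped literal text the user typed.
        if re.fullmatch(VIDEO_ID, candidate):
            return EMBED_TEMPLATE.format(video_id=candidate)
        return match.group(0)

    # 3. Expand tags after escaping; html.escape leaves "[" and "]" untouched.
    return YOUTUBE_TAG.sub(replace, escaped)


if __name__ == "__main__":
    # Constructed sample posts.
    samples = [
        "Great goal! [youtube]xviewq232893[/youtube]",
        '<object data="http://example.invalid/applet"></object>',
        '[youtube]abc" onmouseover="x[/youtube]',
    ]
    for post in samples:
        print(render_post(post))
```

Because escaping happens before tag expansion, the only unescaped HTML in the output is the server's own template.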
