
View Full Version : Javascript and Php



glucarelli
09-18-2006, 07:25 PM
I don't know if this post is in the right section or whether it belongs in the PHP section.

Here is my problem: I have a PunBB forum (http://www.punbb.org/).
I've made modifications to allow users to post videos from YouTube, DailyMotion and Google Video inside specific BBcodes.
A very interesting site, Ariegenews.com (http://www.ariegenews.com/index.html), gives users the opportunity to put its videos on their own site, like this video (http://www.ariegenews.com/news/news-1-8-1375.html), in this way:
<script language="javascript" src="http://www.ariegenews.com/data/rss/video-1375.html"></script>
Have a look near the footer, under the "Get Adobe Flash Player" logo.
As you know, JavaScript plus BBcodes = security vulnerability on PHP forums.
When we open video-1375.html, the code looks like this:

document.write('<div>');
document.write('<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="300" height="240">');
document.write('<param name="movie" value="http://www.ariegenews.com/data/rss/flvplayer.swf?file=http://www.ariegenews.com/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv" />');
document.write('<param name="quality" value="high" />');
document.write('<param name="menu" value="false" />');
document.write('<param name="wmode" value="" />');
document.write('<embed src="http://www.ariegenews.com/data/rss/flvplayer.swf?file=http://www.ariegenews.com/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv" wmode="" quality="high" menu="false" pluginspage="http://www.adobe.com/go/getflashplayer" type="application/x-shockwave-flash" width="300" height="240">');
document.write('</embed></object>');
document.write('<br /><a href="http://www.ariegenews.com/news/news-1375.html" style="font-family: Arial, Helvetica; font-size: 11px; color: #000080; font-weight: bold" target="_blank">&copy;&nbsp;AriegeNews&nbsp;TV</a>');
document.write('</div>');

The direct link to the video is plainly visible:
http://www.ariegenews.com/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv
As you can see, if a user wants to put the direct link to a video in a forum post, he has to do a lot of manipulation.
My question:
Is there a way to write code that retrieves the direct link to the video when a user posts a BBcode like this:

http://www.ariegenews.com/news/news-1-8-1375.html

as we can do for YouTube, DailyMotion and Google Video?

Any advice would be helpful.
Excuse me for my poor English.
Thanks for your answers.

blm126
09-18-2006, 07:35 PM
Not that I can see. Every solution I can think of is vulnerable to XSS.

glucarelli
09-21-2006, 01:45 PM
Thank you blm126.

Just another question.

Is there a way to rewrite news-1-8-1375.html, for example, to add code which decides whether to continue with the JavaScript and, if not, to give the direct link to the FLV file?

Twey
09-21-2006, 02:46 PM
"Not that I can see. Every solution I can think of is vulnerable to XSS."
Well, assuming that one trusts ariegenews.com, it's a simple matter to check if the supplied URL is on that domain. In fact, there's really no need to specify the domain; one can do:
[ariegenews]1-8-1375[/ariegenews]
and convert that to:
<script type="text/javascript" src="http://www.ariegenews.com/news/news-1-8-1375.html"></script>
with:
$post = preg_replace(
    // Only a digits-and-hyphens article ID may reach the src attribute (a
    // capture such as [^\[]+ would let a post close the attribute and inject
    // markup). PCRE has no "g" modifier; preg_replace is global by default.
    '/\[ariegenews\]([0-9-]+)\[\/ariegenews\]/i',
    '<script type="text/javascript" src="http://www.ariegenews.com/news/news-$1.html"></script>',
    $post
);
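As an added example (not code from this thread or from PunBB), here is the BBcode conversion written as two PHP functions: a loose one whose capture accepts everything up to the closing tag, and a strict one that only accepts a digits-and-hyphens article ID. Both are run over a constructed legitimate post and a constructed post that tries to close the src attribute, which is the XSS blm126 is warning about. The function names and the sample posts are mine.

```php
<?php
// Added example: converting [ariegenews]ID[/ariegenews] into a <script> tag
// without letting the post author break out of the src attribute.
// Function names and sample posts are constructed for this demo.

// Loose version: [^\[]+ accepts quotes and angle brackets, so the "ID" can
// terminate the attribute and append arbitrary markup to the page.
function ariegenews_bbcode_loose(string $post): string
{
    return preg_replace(
        '/\[ariegenews\]([^\[]+)\[\/ariegenews\]/i',
        '<script type="text/javascript" src="http://www.ariegenews.com/news/news-$1.html"></script>',
        $post
    ) ?? $post;
}

// Strict version: only a short digits-and-hyphens article ID (e.g. 1-8-1375)
// is accepted, so nothing that can alter the markup or the host reaches the
// attribute. Anything else is left exactly as it was posted.
function ariegenews_bbcode_strict(string $post): string
{
    return preg_replace_callback(
        '/\[ariegenews\]\s*([0-9]{1,6}(?:-[0-9]{1,6}){0,3})\s*\[\/ariegenews\]/i',
        function (array $m): string {
            $url = 'http://www.ariegenews.com/news/news-' . $m[1] . '.html';
            return '<script type="text/javascript" src="'
                 . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
                 . '"></script>';
        },
        $post
    ) ?? $post;
}

// Constructed posts: one legitimate, one that tries to close the src attribute.
$good = 'Look at this: [ariegenews]1-8-1375[/ariegenews]';
$evil = '[ariegenews]"></script><script>alert(document.cookie)</script><script src="x[/ariegenews]';

echo ariegenews_bbcode_loose($good), "\n";  // script tag for news-1-8-1375.html
echo ariegenews_bbcode_loose($evil), "\n";  // the injected inline <script> survives
echo ariegenews_bbcode_strict($good), "\n"; // same script tag as the loose version
echo ariegenews_bbcode_strict($evil), "\n"; // bbcode left untouched, no script tag emitted
```

The strict function must run on a post body that has already been HTML-escaped (PunBB escapes messages before storing them); otherwise the text it leaves untouched is still raw HTML. And as Twey says, this only shifts the trust to ariegenews.com, whose script then runs with the forum's origin.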

glucarelli
09-21-2006, 04:08 PM
Excuse me Twey, I've asked the webmaster of AriègeNews and he is ready to add to his HTML page (http://www.ariegenews.com/news/news-1-8-1375.html) a piece of code checking whether this URL is typed inside JavaScript tags or not.
My question is how this can be done.
Maybe like this:

If inside JavaScript tags, go to JavascriptCode
If not, direct link to the FLV file (http://www.ariegenews.com/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv)
:JavascriptCode
document.write('<div>');
document.write('<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="300" height="240">');
document.write('<param name="movie" value="http://www.ariegenews.com/data/rss/flvplayer.swf?file=http://www.ariegenews.com/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv" />');
document.write('<param name="quality" value="high" />');
document.write('<param name="menu" value="false" />');
document.write('<param name="wmode" value="" />');
document.write('<embed src="http://www.ariegenews.com/data/rss/flvplayer.swf?file=http://www.ariegenews.com/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv" wmode="" quality="high" menu="false" pluginspage="http://www.adobe.com/go/getflashplayer" type="application/x-shockwave-flash" width="300" height="240">');
document.write('</embed></object>');
document.write('<br /><a href="http://www.ariegenews.com/news/news-1375.html" style="font-family: Arial, Helvetica; font-size: 11px; color: #000080; font-weight: bold" target="_blank">&copy;&nbsp;AriegeNews&nbsp;TV</a>');
document.write('</div>');
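A server cannot tell from the request alone whether its URL was written inside script tags or visited directly, so the decision in the pseudocode above has to be carried by something explicit. As an added example (not AriegeNews' code and not from this thread), here is one PHP endpoint that emits the player JavaScript when the embedding page requests it with ?format=js and redirects a plain visit straight to the FLV. The endpoint name video.php, the format parameter, the id-to-file table and the helper names are assumptions made for this demo.

```php
<?php
// Added example: one endpoint, two behaviours. Loaded via
// <script src="video.php?id=1375&format=js"> it prints the player markup
// through document.write; opened as a page it redirects to the FLV file.
// The lookup table, parameter name and helper names are assumptions.

// Constructed id -> file table; the real site would read this from its database.
const VIDEO_FILES = [
    '1375' => '/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv',
];

function video_path(string $id): ?string
{
    // The id ends up in a path and in generated markup, so accept digits only.
    return preg_match('/^[0-9]{1,8}$/', $id) ? (VIDEO_FILES[$id] ?? null) : null;
}

function player_js(string $flvUrl): string
{
    $swf  = 'http://www.ariegenews.com/data/rss/flvplayer.swf?file=' . rawurlencode($flvUrl);
    $attr = htmlspecialchars($swf, ENT_QUOTES, 'UTF-8');
    $html = '<object width="300" height="240">'
          . '<param name="movie" value="' . $attr . '" />'
          . '<param name="quality" value="high" />'
          . '<embed src="' . $attr . '" quality="high" type="application/x-shockwave-flash"'
          . ' width="300" height="240"></embed>'
          . '</object>';
    // json_encode yields a valid JS string literal; its \/ escaping also
    // guarantees a literal "</script>" never appears in the served file.
    return 'document.write(' . json_encode($html) . ");\n";
}

// Returns [status, headers, body] so the dispatch can be inspected without a web server.
function serve(array $query): array
{
    $path = video_path($query['id'] ?? '');
    if ($path === null) {
        return [404, ['Content-Type: text/plain'], 'unknown video'];
    }
    $flvUrl = 'http://www.ariegenews.com' . $path;
    if (($query['format'] ?? '') === 'js') {
        return [200, ['Content-Type: text/javascript; charset=utf-8'], player_js($flvUrl)];
    }
    // A person following the link gets the direct FLV URL.
    return [302, ['Location: ' . $flvUrl], ''];
}

[$status, $headers, $body] = serve($_GET);
http_response_code($status);
foreach ($headers as $h) {
    header($h);
}
echo $body;
```

With this in place the forum's BBcode handler would emit <script type="text/javascript" src="http://www.ariegenews.com/video.php?id=1375&format=js"></script>. The forum is still executing AriegeNews' script inside its own page, so the arrangement only holds under the trust assumption Twey states; what the endpoint adds is that the file never reflects anything from the request except a validated numeric id.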