
Thread: Javascript and Php

  1. #1
    Join Date
    Jun 2006
    Posts
    42
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default Javascript and Php

    I don't know if this post is in the right section or if it has to be in the PHP section.

    Here is my problem: I have a PunBB forum.
    I've made modifications to allow users to post videos from YouTube, DailyMotion and Google Video inside specific BBCodes.
    A very interesting site, Ariegenews.com, gives users the opportunity to put their videos on their site. Like this video, in this way:
    Code:
    <script language="javascript" src="http://www.ariegenews.com/data/rss/video-1375.html"></script>
    Have a look near the footer, under the Get Adobe Flash Player logo.
    As you know, JavaScript and BBCodes = security vulnerability on PHP forums.
    When we open video-1375.html, the code looks like this:
    Code:
    document.write('<div">');
    			document.write('<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="300" height="240">');
    			document.write('<param name="movie" value="http://www.ariegenews.com/data/rss/flvplayer.swf?file=http://www.ariegenews.com/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv" />');
    			document.write('<param name="quality" value="high" />');
    			document.write('<param name="menu" value="false" />');
    			document.write('<param name="wmode" value="" />');
    			document.write('<embed src="http://www.ariegenews.com/data/rss/flvplayer.swf?file=http://www.ariegenews.com/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv" wmode="" quality="high" menu="false" pluginspage="http://www.adobe.com/go/getflashplayer" type="application/x-shockwave-flash" width="300" height="240">');
    			document.write('</embed></object>');
    			document.write('<br /><a href="http://www.ariegenews.com/news/news-1375.html" style="font-family: Arial, Helvetica; font-size: 11px; color: #000080; font-weight: bold" target="_blank">&copy;&nbsp;AriegeNews&nbsp;TV</a>');
    The direct link for the video is easily visible:
    http://www.ariegenews.com/data/userF...ufSept2006.flv
    As you can see, if a user wants to put the direct link of a video in a forum post, he has to do a lot of manipulation.
    My question:
    Is there a way to write code to retrieve the direct link of the video when a user posts with a BBCode, say like this:
    Code:
    [ariegenews]http://www.ariegenews.com/news/news-1-8-1375.html[/ariegenews]
    as we can do for YouTube, DailyMotion and Google Video?

    Any advice would be helpful.
    Excuse me for my poor English.
    Thanks for your answers.

  2. #2
    Join Date
    Sep 2005
    Posts
    882
    Thanks
    0
    Thanked 3 Times in 3 Posts

    Default

    Not that I can see. Every solution I can think of is vulnerable to XSS.

  3. #3
    Join Date
    Jun 2006
    Posts
    42
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default

    Thank you blm126.

    Just another question

    Is there a way to rewrite news-1-8-1375.html, for example to add code which decides if the JavaScript continues, and if not, a direct link to the FLV file?

  4. #4
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    Default

    Quote:
    Not that I can see. Every solution I can think of is vulnerable to XSS.

    Well, assuming that one trusts ariegenews.com, it's a simple matter to check if the supplied URL is on that domain. In fact, there's really no need to specify the domain; one can do:
    Code:
    [ariegenews]1-8-1375[/ariegenews]
    ... and convert that to:
    Code:
    <script type="text/javascript" src="http://www.ariegenews.com/news/news-1-8-1375.html"></script>
    with:
    Code:
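    // PHP's PCRE has no "g" modifier; preg_replace() already replaces every match.
    // The ID is limited to digits and hyphens so it cannot break out of the src attribute.
    $post = preg_replace(
      '/\[ariegenews\]([0-9]+(?:-[0-9]+)*)\[\/ariegenews\]/i',
      '<script type="text/javascript" src="http://www.ariegenews.com/news/news-$1.html"></script>',
      $post
    );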
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
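
An added example (not code from this thread or from PunBB) for the domain check discussed above: instead of loading the remote script into forum pages, the forum reads the script body server-side, pulls out the `.flv` URL, accepts it only if it is on the trusted host, and emits a plain escaped link. The function names, the injected `$fetchScript` callable and the embedded sample line are assumptions for illustration; the post text is assumed to be HTML-escaped before BBCode parsing.

```php
<?php
// Added example. The sample input is constructed from the script body quoted
// in post #1 (only the line that carries the video URL).
$sampleScript = <<<'JS'
document.write('<param name="movie" value="http://www.ariegenews.com/data/rss/flvplayer.swf?file=http://www.ariegenews.com/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv" />');
JS;

/** Return the .flv URL named in the script body, or null if none passes validation. */
function extractFlvUrl(string $script): ?string
{
    // The player receives the video through its "file=" query parameter.
    if (!preg_match('~flvplayer\.swf\?file=(http://[^"\'\s<>]+\.flv)(?=["\'])~i', $script, $m)) {
        return null;
    }
    // Allowlist: exact scheme and host, conservative path characters, no query or fragment.
    if (!preg_match('~^http://www\.ariegenews\.com/[A-Za-z0-9/_.-]+\.flv$~D', $m[1])) {
        return null;
    }
    return $m[1];
}

/** Replace [ariegenews]ID[/ariegenews] with a plain link to the video file. */
function renderAriegeNews(string $post, callable $fetchScript): string
{
    return preg_replace_callback(
        '~\[ariegenews\](\d{1,10})\[/ariegenews\]~i',
        function (array $m) use ($fetchScript): string {
            $flv = extractFlvUrl((string) $fetchScript((int) $m[1]));
            if ($flv === null) {
                return $m[0]; // leave the tag as inert text (digits and brackets only)
            }
            $safe = htmlspecialchars($flv, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $safe . '">' . $safe . '</a>';
        },
        $post
    );
}

// Offline stand-in for fetching http://www.ariegenews.com/data/rss/video-<id>.html.
// ID 2 returns a constructed script whose video sits on another host, to show the rejection.
$fetch = function (int $id) use ($sampleScript): string {
    if ($id === 1375) return $sampleScript;
    if ($id === 2) return str_replace('file=http://www.ariegenews.com', 'file=http://example.org', $sampleScript);
    return '';
};

echo renderAriegeNews("[ariegenews]1375[/ariegenews]\n[ariegenews]2[/ariegenews]", $fetch), "\n";
```

No third-party JavaScript ever runs in the forum's origin with this approach; the only thing that reaches the page is a URL that matched the allowlist.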

  5. #5
    Join Date
    Jun 2006
    Posts
    42
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default

    Excuse me Twey, I've asked the webmaster of AriègeNews and he is ready to add to his HTML page (http://www.ariegenews.com/news/news-1-8-1375.html) a piece of code checking whether this URL is typed inside JavaScript tags or not.
    My question is how this can be done:
    Maybe like this:
    Code:
    If Inside Javascript tags goto JavascriptCode
    If Not Direct Link to Flv file (http://www.ariegenews.com/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv)
    :JavascriptCode
    document.write('<div">');
    			document.write('<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="300" height="240">');
    			document.write('<param name="movie" value="http://www.ariegenews.com/data/rss/flvplayer.swf?file=http://www.ariegenews.com/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv" />');
    			document.write('<param name="quality" value="high" />');
    			document.write('<param name="menu" value="false" />');
    			document.write('<param name="wmode" value="" />');
    			document.write('<embed src="http://www.ariegenews.com/data/rss/flvplayer.swf?file=http://www.ariegenews.com/data/userFiles/Flash/ruralite/lotissementMoulinNeufSept2006.flv" wmode="" quality="high" menu="false" pluginspage="http://www.adobe.com/go/getflashplayer" type="application/x-shockwave-flash" width="300" height="240">');
    			document.write('</embed></object>');
    			document.write('<br /><a href="http://www.ariegenews.com/news/news-1375.html" style="font-family: Arial, Helvetica; font-size: 11px; color: #000080; font-weight: bold" target="_blank">&copy;&nbsp;AriegeNews&nbsp;TV</a>');
