How to properly use iframe for a specific site
#1
I am trying to embed streamable.com videos and for that I am using the following code:

Title
Streamable

Regular Expression

Quote:\[streamable\]<div style="width: 100%; height: 0px; position: relative; padding-bottom: 56.250%;"><iframe src="https://streamable.com/s/(.*?)" frameborder="0" width="100%" height="100%" allowfullscreen style="width: 100%; height: 100%; position: absolute;"></iframe></div>\[/streamable\]

Replacement

Quote:<div style="width: 100%; height: 0px; position: relative; padding-bottom: 56.250%;"><iframe src="https://streamable.com/s/$1" frameborder="0" width="100%" height="100%" allowfullscreen style="width: 100%; height: 100%; position: absolute;"></iframe></div>

Usage

Quote:[streamable]<div style="width: 100%; height: 0px; position: relative; padding-bottom: 56.250%;"><iframe src="https://streamable.com/s/q0rbt/itsiaw" frameborder="0" width="100%" height="100%" allowfullscreen style="width: 100%; height: 100%; position: absolute;"></iframe></div>[/streamable]


This is working fine, BUT the problem is that anyone can embed any site in the iframe, e.g. a user can embed his own website like below. Is it possible to restrict it only to streamable.com?

Example
[streamable]<div style="width: 100%; height: 0px; position: relative; padding-bottom: 56.250%;"><iframe src="https://www.mybb.com" frameborder="0" width="100%" height="100%" allowfullscreen style="width: 100%; height: 100%; position: absolute;"></iframe></div>[/streamable]
Reply
#2
I would rework your REGEX for the streamable code:

\[streamable\](.*?)\[/streamable\]

You shouldn't force your users to type the whole div and iframe html; these should only be in the replacement portion.

As to your concern about embedding other sites, your REGEX as is explicitly matches the streamable.com host, plus the replacement also explicitly has streamable.com; URLs from any other site won't match, and shouldn't pose a risk unless you have HTML posting enabled.
Reply
#3
(01-03-2019, 08:25 PM)laie_techie Wrote: I would rework your REGEX for the streamable code:

\[streamable\](.*?)\[/streamable\]

You shouldn't force your users to type the whole div and iframe html; these should only be in the replacement portion.

As to your concern about embedding other sites, your REGEX as is explicitly matches the streamable.com host, plus the replacement also explicitly has streamable.com; URLs from any other site won't match, and shouldn't pose a risk unless you have HTML posting enabled.

Sorry, this is not working, i.e. I can write any URL, e.g.


[streamable]https://mybb.com[/streamable]

And it will show up in the iframe.
Secondly, the reason I am expecting users to post the complete div is that when you click on the "Embed" button on the Streamable website, you get the complete code with div and iframe. I think as a user it is easier for them to just copy/paste that code instead of copy/pasting and then deleting the div and iframe part from it inside the [streamable] tags.
Reply
#4
That is because you are allowing them to paste anything (even HTML code if I'm not wrong). You have to be careful with your MyCodes. The one in the following link seems to be working.
https://community.mybb.com/thread-221358.html
Reply
#5
Thanks. This is perfect!
Reply
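Added example, not part of the thread and not the MyCode from the linked thread: it compares the broad `(.*?)` capture from reply #2 with a capture restricted to a Streamable video path, with the host kept as a literal in the replacement. The bare-iframe replacement for the broad rule, the alphanumeric path shape, and the names `render_broad`, `render_strict` and `iframe_hosts` are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Broad rule from reply #2. Its replacement is not shown in the thread;
# a bare iframe around $1 is assumed here.
BROAD = re.compile(r'\[streamable\](.*?)\[/streamable\]')
BROAD_REPLACEMENT = r'<iframe src="\1"></iframe>'

# Restricted rule: optional fixed URL prefix, then one or two alphanumeric
# path segments (shape assumed from the thread's sample "q0rbt/itsiaw").
STRICT = re.compile(
    r'\[streamable\](?:https://streamable\.com/s/)?'
    r'([A-Za-z0-9]+(?:/[A-Za-z0-9]+)?)\[/streamable\]'
)
# Markup from the thread's "Replacement" field. The host is a literal; the
# capture (\1 here, $1 in the MyCode form) only fills in the path.
STRICT_REPLACEMENT = (
    r'<div style="width: 100%; height: 0px; position: relative; '
    r'padding-bottom: 56.250%;"><iframe src="https://streamable.com/s/\1" '
    r'frameborder="0" width="100%" height="100%" allowfullscreen '
    r'style="width: 100%; height: 100%; position: absolute;"></iframe></div>'
)

IFRAME_SRC = re.compile(r'<iframe src="([^"]*)"')

def render_broad(post):
    return BROAD.sub(BROAD_REPLACEMENT, post)

def render_strict(post):
    return STRICT.sub(STRICT_REPLACEMENT, post)

def iframe_hosts(html):
    """Hostnames the rendered iframes would load (None for a relative src)."""
    return {urlsplit(src).hostname for src in IFRAME_SRC.findall(html)}

# Constructed sample posts.
SAMPLES = [
    '[streamable]q0rbt/itsiaw[/streamable]',
    '[streamable]https://streamable.com/s/q0rbt/itsiaw[/streamable]',
    '[streamable]https://mybb.com[/streamable]',
]

if __name__ == '__main__':
    for post in SAMPLES:
        print(post)
        print('  broad :', sorted(iframe_hosts(render_broad(post)), key=str))
        print('  strict:', sorted(iframe_hosts(render_strict(post)), key=str))
```

Under the restricted rule, a tag whose body is not a Streamable path is left as plain text instead of being turned into an iframe.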

