The MU forums have moved to WordPress.org

Issue regarding YouTube and Google videos (36 posts)

  1. malandry
    Member
    Posted 7 years ago #

    Hi,

    I've installed WordPressMU, and have successfully been able to setup it to work on 10 domains (multiple install, but I've also code something to update each install at the same time)

    I'm starting to get blog created each day but I've a support issue regarding YouTube and Google Videos that I just can't fix. They always get stripped when you update a post (not at display, since I can make them work if I update the mysql database manually).

    I've searched the forum and I know it's something that is done on purpose and that there is some plugins (Extreme Videos, Anarchy) that could make them work but thats not really what I'm looking for. YouTube and Google offers some quick links to easily embed video and this is just much less trouble when users can post them that way.

    I've tried modified some part of the filters function. I've tried disabling wpautop in default-filters.php and basically anything I could try...

    Could someone just point me, where in the source exactly does it get stripped so that I can fix it myself, and then I could provide every users with the same problem a quick fix.

    That would be greatly appreciated.

    Cheers,
    - Matt

  2. honewatson
    Member
    Posted 7 years ago #

  3. drmike
    Member
    Posted 7 years ago #

    Allowing embed tags is a security risk though. If you allow them, you can't secure what resides within those tags.

  4. malandry
    Member
    Posted 7 years ago #

    The «get-custom» plugins doesnt fix my issue, or I did something wrong...

    I know there's some security risk, but If I could get my hand on which part of the code filters it...
    I could probably setup a set of regex that would minimize this risk.

    Cheers

  5. drmike
    Member
    Posted 7 years ago #

    We've raised this question as well. I haven't had the time to sit down and look at the code either.

  6. malandry
    Member
    Posted 7 years ago #

    Thanks drmike! This link, helped me found out approximately where the filters was.

    OK! Now, my fix, for everyone feeling like allowing this security issue on their WPMU!

    open wp-includes/kses.php

    At the begining on the file, you should have something like :

    // You can override this in your my-hacks.php file
    if (!CUSTOM_TAGS) {
    $allowedposttags = array (

    I added those line(below) and I'm able to post content from google and youtube.

    'embed' => array (
    'style' => array (),
    'type' => array (),
    'id' => array (),
    'height' => array (),
    'width' => array (),
    'src' => array ()),
    'object' => array (
    'height' => array (),
    'width' => array ()),
    'param' => array (
    'name' => array (),
    'value' => array ()),

    Thank you very much for your help. I'm feeling my user gonna be happy ;)

    Cheers!

    - Matt

  7. drmike
    Member
    Posted 7 years ago #

    Hey, someone did my work for me. :)

  8. suleiman
    Member
    Posted 7 years ago #

    wicked...i'll implement this hack immediately. Thanks matt!

  9. cnpapers
    Member
    Posted 7 years ago #

    If you edit the post, it pulls the embed tags out of the object tags. Any way to fix this?

  10. DoggyBloggy
    Member
    Posted 7 years ago #

    I run a collective blog site based on regular Wordpress that allows for the use of the "embed" code but I've found that NONE of my 100 or so bloggers actually use it even though I have repeatedly told them that all they have to do is copy and paste it into the blog. They always just use the regular href link instead. . . I can't understand it but that's what they do. I assume that it is because they are non-techs and that they are at least a little familiar with href link pasting but freak out when they see the embed code.

    So I always have to click on the link, go to youtube or whatever, and then copy the embed code and then edit their posts to change the href to the embed to get the video to show in the blog instead of the link.

    When I was searching for the embedding ability for my new MU install, I first thought like the original poster. I installed Anarchy with a simple drop into the mu-plugins folder and I actually like the button to include youtube via a simple href link. Yeah, the code it includes is even scarier than the youtube embed code, but I'll be interested to see if my new user base will actually manage to embed the videos this way. It seems like an extra step, but maybe it will actually be easier for non-techs. . Yes, I realize this doesn't make any sense, but non-techs do a lot of stuff that doesn't make sense :-)

  11. bopuc
    Member
    Posted 7 years ago #

    Always love seeing the citing of security for restricting liberty. ;)
    I just bumped against this setting up a blogfarm for the Journalism and Media Studies Center at Hong Kong University. You can imagine that posting embedded videos is not a security risk... at least not the kind the WPMU devs had in mind. ;)

    thanks for this hack! Now I have to figure out why WPMU is truncating strings of Kanji!

  12. jdcoffman
    Member
    Posted 7 years ago #

    oh my gosh, amazing! I've been trying to figure this out. Thanks!

  13. CoreyCampbell
    Member
    Posted 7 years ago #

    Is there anyway to restrict the width of the object embedded?

  14. CoreyCampbell
    Member
    Posted 7 years ago #

    Never mind... I didn't' know you could specify the width and height of an embed via css

  15. RickP
    Member
    Posted 7 years ago #

    I implemented this hack and it let me then embed videos, but it "breaks" the template rather severely. I thought if I used a different template it might fix the problem, but no such luck, it pushes the div tags all out of whack. Has anyone else experienced this problem?

    Rick

  16. drmike
    Member
    Posted 7 years ago #

    An example of this would be?

  17. CoreyCampbell
    Member
    Posted 7 years ago #

    I removed the 'height' and 'width' parameters then applied a width style to the embed for height and width. The video doesn't look the BEST because of the change in width but at least it doesn't mess with my design.

    'embed' => array (
    'style' => array (),
    'type' => array (),
    'id' => array (),
    'height' => array (),
    'width' => array (),

    'src' => array ()),
    'object' => array (
    'height' => array (),
    'width' => array ()
    ),
    'param' => array (
    'name' => array (),
    'value' => array ()),

  18. DeFries
    Member
    Posted 6 years ago #

    I tried to implement this hack into my kses file but as soon as i have uploaded it to the server the site goes blank. I have tried a couple of different ways of adding the code but to no avail so far. Could anybody help me out here?

    I am using Mu 1.2.3 and my code looks like this now:

    // You can override this in your my-hacks.php file
    if (!CUSTOM_TAGS) {
    	$allowedposttags = array ('address' => array (), 'a' => array ('href' => array (), 'title' => array (), 'rel' => array (), 'rev' => array (), 'name' => array ()), 'abbr' => array ('title' => array ()), 'acronym' => array ('title' => array ()), 'b' => array (), 'big' => array (), 'blockquote' => array ('cite' => array ()), 'br' => array (), 'button' => array ('disabled' => array (), 'name' => array (), 'type' => array (), 'value' => array ()), 'caption' => array ('align' => array ()), 'code' => array (), 'col' => array ('align' => array (), 'char' => array (), 'charoff' => array (), 'span' => array (), 'valign' => array (), 'width' => array ()), 'del' => array ('datetime' => array ()), 'dd' => array (), 'div' => array ('align' => array ()), 'dl' => array (), 'dt' => array (), 'em' => array (), 'fieldset' => array (), 'font' => array ('color' => array (), 'face' => array (), 'size' => array ()), 'form' => array ('action' => array (), 'accept' => array (), 'accept-charset' => array (), 'enctype' => array (), 'method' => array (), 'name' => array (), 'target' => array ()), 'h1' => array ('align' => array ()), 'h2' => array ('align' => array ()), 'h3' => array ('align' => array ()), 'h4' => array ('align' => array ()), 'h5' => array ('align' => array ()), 'h6' => array ('align' => array ()), 'hr' => array ('align' => array (), 'noshade' => array (), 'size' => array (), 'width' => array ()), 'i' => array (), 'img' => array ('alt' => array (), 'align' => array (), 'border' => array (), 'height' => array (), 'hspace' => array (), 'longdesc' => array (), 'vspace' => array (), 'src' => array (), 'width' => array ()), 'ins' => array ('datetime' => array (), 'cite' => array ()), 'kbd' => array (), 'label' => array ('for' => array ()), 'legend' => array ('align' => array ()), 'li' => array (), 'p' => array ('align' => array ()), 'pre' => array ('width' => array ()), 'q' => array ('cite' => array ()), 's' => array (), 'strike' => array (), 'strong' => array (), 'sub' => array (), 'sup' => array (), 'table' => array ('align' => array (), 'bgcolor' => array (), 'border' => array (), 'cellpadding' => array (), 'cellspacing' => array (), 'rules' => array (), 'summary' => array (), 'width' => array ()), 'tbody' => array ('align' => array (), 'char' => array (), 'charoff' => array (), 'valign' => array ()), 'td' => array ('abbr' => array (), 'align' => array (), 'axis' => array (), 'bgcolor' => array (), 'char' => array (), 'charoff' => array (), 'colspan' => array (), 'headers' => array (), 'height' => array (), 'nowrap' => array (), 'rowspan' => array (), 'scope' => array (), 'valign' => array (), 'width' => array ()), 'textarea' => array ('cols' => array (), 'rows' => array (), 'disabled' => array (), 'name' => array (), 'readonly' => array ()), 'tfoot' => array ('align' => array (), 'char' => array (), 'charoff' => array (), 'valign' => array ()), 'th' => array ('abbr' => array (), 'align' => array (), 'axis' => array (), 'bgcolor' => array (), 'char' => array (), 'charoff' => array (), 'colspan' => array (), 'headers' => array (), 'height' => array (), 'nowrap' => array (), 'rowspan' => array (), 'scope' => array (), 'valign' => array (), 'width' => array ()), 'thead' => array ('align' => array (), 'char' => array (), 'charoff' => array (), 'valign' => array ()), 'title' => array (), 'tr' => array ('align' => array (), 'bgcolor' => array (), 'char' => array (), 'charoff' => array (), 'valign' => array ()), 'tt' => array (), 'u' => array (), 'ul' => array (), 'ol' => array (), 'var' => array () );
    	$allowedtags = array ('a' => array ('href' => array (), 'title' => array ()), 'abbr' => array ('title' => array ()), 'acronym' => array ('title' => array ()), 'b' => array (), 'blockquote' => array ('cite' => array ()),
    	'embed' => array (
    'style' => array (),
    'type' => array (),
    'id' => array (),
    'height' => array (),
    'width' => array (),
    'src' => array ()),
    'object' => array (
    'height' => array (),
    'width' => array ()),
    'param' => array (
    'name' => array (),
    'value' => array ())
  19. drmiketemp
    Member
    Posted 6 years ago #

    Can you put that up somewhere like a txt file please and link to it? The forum software eats it.

    Please also note that allowing embed tags is a security risk. It's best to use a plugin to add in video support.

  20. DeFries
    Member
    Posted 6 years ago #

    I'm sorry Drmiketemp. I uploaded it as a text file:
    http://www.de-fries.nl/jr/ge/kses2.txt

    I am aware that there is a security risk... but plugins are not going to do the trick in this particular case.

  21. brettsnyder
    Member
    Posted 6 years ago #

    Is there not a plugin that can effectively do this hack behind the scenes for those of us who don't want to mess with the code?

  22. adleras
    Member
    Posted 6 years ago #

    you can always use a plugin like http://www.daburna.de/blog/2006/12/13/wordpress-video-plugin/ for showing videos on ur site. Unfortunately even if it works with the major tube sites .. it doesnt works with all of them. For me its useless.. I've tried to hack it ..and now it works with the site i wanted also, but its too complicated for other users to use it. So i might use the hack malandry provided in here.

    thanks a lot malandry

  23. drmiketemp
    Member
    Posted 6 years ago #

    Actually that's the one we're now using on our wpmu installs. I got ahold of the developer and we're going to merge in the sites that I had written filters for shortly. Godtube changed their urls yet again and I'm waiting to hear back from them. I have about a dozen to submit.

    The plugin worked very well for us.

    Video filters are actually fairly easy to do as long as the site in question doesn't do anything real flaky with their urls for the video files. Some do a weird md5 to the filenames or the subdirectories but, if you ask, they'll tell you the encoding that they do to make the filter work.

    edit: What's the site that you had to hack it? (I really hate it when folks don't give details.)

  24. DeFries
    Member
    Posted 6 years ago #

    But is there no one who can help me with editing the kses file i posted a couple of messages back? I would be so thrilled!

  25. adleras
    Member
    Posted 6 years ago #

    drmiketemp the plugin works really fine ... i've submited another site.. that wasnt in the original vers...but it kind of hard to use for other members, although its easy for me.

    maybe the guy who made the plugin could help me a little. i've sent an email to him..today..and i am waiting for a reply.

    anyway... u told me originaly about that plugin..so..thanks again man

  26. drmiketemp
    Member
    Posted 6 years ago #

    And again, it's the name of the site and the number of the video. Can't get easier than that.

  27. adleras
    Member
    Posted 6 years ago #

    :( ... i'm not good at this, sorry, and i had to add the tube site cause it was not listed in the plugin. and the code its not the same as youtube..its more complicated.

  28. intoxination
    Member
    Posted 6 years ago #

    What I have done on my site (which is Drupal) is go through and grep out all the embed code that is put in. I store it in an array and replace it in the post with <!--embed-X-->. X refers to the key number in the array that stores. It then runs through the filtering (I am using purifier, but it would also work with KSES). After that I loop through the array of embeds and run a custom filter. The custom filter first checks all listed domains in the embed code against a white list. If it isn't listed, the variable gets set to null. If it is OK then it passes to phase 2, which removes anything that could contribute to XSS (ie: onlcicks), and then my custom commenting code is replaced in the post with the embed code.

    I am hoping to port this to Wordpress in the near future (time allowing). It actually works out very well, and you got great control over it with the use of a white list for allowed sites.

  29. peacearena
    Member
    Posted 6 years ago #

    I have edited kses.php with malandy's code above, and this has allowed me to put YouTube embeds in a post.

    But now I want to put this form in my sidebar, and it's being stripped.

    Are there other lines I need to add to kses.php, or something else?

    I am the sole contributor on my MU site (I just use it for different projects I work on), so the security issues are not as acute for me. If I could completely override the kses.php process, would that be functional, and if so, how would I do it?

    Thanks in advance.

  30. jmwebguy
    Member
    Posted 6 years ago #

    I just wanted to say THANK YOU for this code. Could it be any simplier for WPMU? I really appreciate it, and so does my wife, considering I was spending countless hours trying to figure it out.

About this Topic