security risk

HTML isn't required in the post, to my understanding

PHP:

[youtube]JFwCCL0Vh6U[/youtube]

^like that

 

I might assume incorrectly, but as far as I know, the videos are enclosed in something like this [YOUTUBE]XzTfyGiL[/YOUTUBE], so therefore theres practically no risk of someone inserting malicious HTML code -- at least not without uber hax.

<style type="text/css">
<!--
.zatest { border: #038 1px solid; background: #014; color: #fc0; font-weight: bold; }
-->
</style>

<div class="zatest">If HTML is processed, then this text should appear in orange text with a navy blue background.</div>

If PHP is interpreted
<?php phpinfo();
print("<br><br>"."Then you would be able to see sensitive server information like which version of PHP and apache were running"); ?>

 

According to http://www.vbulletin.com/forum/showpost.php?p=1211388&postcount=2 , the (youtube)param(/youtube) code gets converted into something like this:

HTML:

<object width="425" height="350"><param name="movie" value="<A href="http://www.youtube.com/v/{param}"></param><embed">http://www.youtube.com/v/{param}"></param><embed src="http://www.youtube.com/v/{param}" type="application/x-shockwave-flash" width="425" height="350"></embed></object>

Which not have been what you were talking about, although that's less dangerous than inserting HTML directly.

Edit: it looks pretty safe to me. I tried code injection, alt codes, etc. Anything unusual was escaped.

 

You might be right. It is possible, though highly unlikely for a youtube video to contain a malicious flash command, however I have faith in youtube's video filtering system since I haven't heard of anyone being hit by a malicious command yet. As well, I have antivirus protection, like I should have. It's generally understood that if you go anywhere on the web you need decent protection of your own (antivirus software, firewall or router, a secure browser, etc).

 

I've been hit twice off youtube with malicious code off one video (it took the second time to make the connection). Just avoid Enya's "Carribean Blue" on youtube.

p.s. at least, I'm assuming it was this, both cases happened immediately after watching the video, but I don't have any actual proof that it was this video. Also, when I say avoid it I MEAN IT, the second time, in order to get rid of the virus, I had to format my hard drive.

 

That's a tough security issue to address then, and likely beyond the scope of the forums. If embedded flash is disabled, then people will just post links to youtube etc - and the browser is still susceptible to attack.

EDIT: How does malicious flash work? Does it attack the browser? The OS? Are certain platforms immune?

 

Ok, I will use my imagination. I'm kinda good at that. Maybe you would like to talk with Ambrosia about this?
http://www.pandorabots.com/botmaster/en/summary?botid=e8d6db6a7e36950b

O, if that didn't work, try this? http://www.pandorabots.com/pandora/talk?botid=e8d6db6a7e36950b

 

Oh, so flash attacks are just cookie swipes? That's simple, but effective!

 

No, it's safe and here is why:

If implemented the way described here, you can't link to anything other than what's on YouTube. When you use the YouTube tag on a forum post, it just plugs the video's unique identifier into the {param} spot of the template shown above.

 

I'll be damned.

Captain Morgan?