bibbo84

Embedded video and XSS issue

Hi,

It's been a while now that I have been looking for a solution to a problem.
In my application I have a custom field on an object that is a link to an embedded video. This is an example of a link to a video

<object id="flashObj" width="480" height="270" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,47,0"><param name="movie" value="http://c.brightcove.com/services/viewer/federated_f9?isVid=1&isUI=1" /><param name="bgcolor" value="#FFFFFF" /><param name="flashVars" value="videoId=XXXXXXXXXXX&linkBaseURL=http%XXXXXXXXX.www2.XX.com%2Fvideo-gallery%2XXXXXXXXXXvideo%2F&playerID=XXXXXXXX&playerKey=AQ~~,XXXXXXXX~,XXXXXXXXR&domain=embed&dynamicStreaming=true" /><param name="base" value="http://admin.brightcove.com" /><param name="seamlesstabbing" value="false" /><param name="allowFullScreen" value="true" /><param name="swLiveConnect" value="true" /><param name="allowScriptAccess" value="always" /><embed src="http://c.brightcove.com/services/viewer/federated_f9?isVid=1&isUI=1" bgcolor="#FFFFFF" flashVars="videoId=XXXXXXX&linkBaseURL=http%XXXXXX.www2.XX.com%2Fvideo-gallery%2Fus%2Fen%2Fsss%XXXXXXXXXXX%2Fvideo%2F&playerID=1111577658001&playerKey=AQ~~,XXXXXXXX~,XXXXXXXXXXXXXXXXXXXXXXX&domain=embed&dynamicStreaming=true" base="http://admin.brightcove.com" name="flashObj" width="480" height="270" seamlesstabbing="false" type="application/x-shockwave-flash" allowFullScreen="true" allowScriptAccess="always" swLiveConnect="true" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"></embed></object>
I could show this video on my Visualforce page using some code like this

<apex:outputPanel id="embed_object1">
    <apex:outputText styleClass="myclass" escape="false" value="{!videoResource}"/>
</apex:outputPanel>

As you can see, I use escape="false" in my apex:outputText. The problem in this case is that if I use escape="false" then I get an XSS issue in my code review.

I tried to use a dynamic component in this way

public Component.Apex.OutputText getEmbVideoHTMLContent(){
    Component.Apex.OutputText oppText = new Component.Apex.OutputText(escape = false);
    oppText.value = videoResource;
    oppText.styleClass = 'myClass';
    return oppText;
}


<apex:outputPanel id="embed_object1" rendered="{!EmbVideoHTMLContent != null}" layout="none">
    <apex:dynamicComponent componentValue="{!EmbVideoHTMLContent}"/>
</apex:outputPanel>

but I don't see anything on my page. With the dynamic component I can see only videos from YouTube (the value of the text field is something like this: "<iframe width="560" height="315" src="http://www.youtube.com/embed/XXXXXXXXX" frameborder="0" allowfullscreen></iframe>"). Then I solved this problem with the apex:flash component (setting the src and flashvars properties), which is OK in this case because the <object></object> contains a Flash video.
Now I would like to know how I can solve this problem for every type of multimedia file embedded in an <object> tag without getting an XSS issue?


Thanks,

F.P.
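
As an added example (not code from the original post): one way to avoid escape="false" entirely is to parse the stored embed markup in the controller, keep only the URL and flashVars values, check the URL host against an allowlist, and let Visualforce bind those values into fixed apex:iframe / apex:flash tags with default escaping. The class name, the allowlist and passing the field value into the constructor are assumptions.

```apex
public with sharing class EmbedVideoController {
    // Hosts the page is allowed to load from (assumed allowlist, adjust as needed)
    private static final Set<String> ALLOWED_HOSTS = new Set<String>{
        'www.youtube.com', 'c.brightcove.com'
    };

    public String embedKind { get; private set; } // 'iframe', 'flash' or null
    public String embedSrc  { get; private set; } // validated absolute URL
    public String flashVars { get; private set; } // flashVars string for apex:flash

    // videoResource is the raw text of the custom field (assumed to be passed in)
    public EmbedVideoController(String videoResource) {
        parse(videoResource);
    }

    private void parse(String html) {
        if (String.isBlank(html)) return;
        // YouTube style: <iframe ... src="..." ...></iframe>
        Matcher ifr = Pattern.compile('(?i)<iframe[^>]*\\ssrc="([^"]+)"').matcher(html);
        if (ifr.find() && isAllowed(ifr.group(1))) {
            embedKind = 'iframe';
            embedSrc = ifr.group(1);
            return;
        }
        // Brightcove style: <object> with "movie" and "flashVars" params
        Matcher mov = Pattern.compile('(?i)<param name="movie" value="([^"]+)"').matcher(html);
        Matcher fv  = Pattern.compile('(?i)<param name="flashVars" value="([^"]+)"').matcher(html);
        if (mov.find() && fv.find() && isAllowed(mov.group(1))) {
            embedKind = 'flash';
            embedSrc = mov.group(1);
            flashVars = fv.group(1);
        }
        // anything else is left unrendered: embedKind stays null
    }

    // Accept only http(s) URLs whose host is on the allowlist; any other scheme
    // (e.g. javascript:) either fails to parse or fails the protocol check
    @TestVisible private static Boolean isAllowed(String src) {
        try {
            Url u = new Url(src);
            return (u.getProtocol() == 'http' || u.getProtocol() == 'https')
                && ALLOWED_HOSTS.contains(u.getHost().toLowerCase());
        } catch (Exception e) {
            return false;
        }
    }
}
// Page side, with default escaping and no escape="false":
// <apex:iframe src="{!embedSrc}" rendered="{!embedKind == 'iframe'}" width="560" height="315"/>
// <apex:flash src="{!embedSrc}" flashvars="{!flashVars}" rendered="{!embedKind == 'flash'}" width="480" height="270"/>
```

Because the page binds only extracted attribute values, a stored field containing arbitrary script or an unexpected host simply renders nothing rather than being injected into the page.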

Enreeco
Hi @Bibbo84,
the main problem is that the Flash script is run in the "flash" context and thus does not get any XSS problem (the browser is not throwing any error because it trusts the Flash context).
If you try to load any kind of data using a "standard" HTML component from an HTTPS page (Salesforce) using the non-secure protocol you will always get the XSS block, no matter what you try.
Hope this helps.