I’m building a part of a site where users can embed Youtube videos into their profile. I’m planning to have them get the embed iframe from Youtube directly, and submit that to our server. We’re then responsible for rendering it.
For completeness, a typical such iframe would look like this:
<iframe width="560" height="315" src="https://www.youtube.com/embed/ZK7ih4V0erc" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
Of course, it would be bad to just take whatever HTML the user provides and render it verbatim. My question is: How much effort should I go to to verify this iframe is what I expect?
My approach at the moment is to parse whatever HTML they provide, and:
- Verify that the fragment is an iframe,
- Verify that the src attribute comes from Youtube.
Is there anything beyond this that I should be watching out for? I’m okay with them specifying a youtube video incorrectly (i.e. giving the ID for a video that doesn’t exist).