I currently run several WordPress MU installations.
My users are asking for the ability to post video (not just Youtube, but from our own Flash Media Server).
By default, WordPress strips out <embed> tags.
Now, I would never allow users to include PHP or JavaScript in their posts, do I have to worry about Flash vulnerabilities?
How dangerous is the embed tag and should I worry about giving them the ability?
Thanks
Generally speaking, Flash has come a long way in terms of preventing exploits like key trapping, etc.
The safest thing you could do would be to obfuscate the embedding code and have them only supply a SWF URL, that way they couldn’t pull anything fancy in the embed object like allowing cross scripting, etc…
In particular, you want to watch out for things like potential hackers trying to call JS functions from your blog JS files by using AS3’s
ExternalInterface.call()function… that would definitely be bad. However I think you can use embed techniques to turn this off.Make sure you set
allowScriptAccess="never"in the object/embed tag to deny scripting powers to third party SWFs.I would suggest that Flash is only as secure as the content it is presenting; and that including a Youtube video is no more or less dangerous than going to visit the same video on Youtube’s website.
Flash is pretty secure. A lot of websites big and small are using it for 10 years now. Of course exploits are found, as in every piece of software. No web system is 100% secure. A lot of people are using flash and a lot of developers are working to make it secure. If you really sensitive information don’t put them on web in the first place. The security depends more on the developer that writes a piece of code than the type of code ( actionscript, javascript, php or java ). Languages permit errors and developers sometimes make errors.
My recommandation is to use it if you need it.