Impossible to embed a youtube video. Both New and Old code to embed a youtube video are deleted on Saving A Page

[cypherinfo]

Hello, when I save a page of my Crowdmap deployment with the code (new way: with the iframe and old way: with flash) to embed a youtube video (that happens on my localhost Ushahidi installation) the same is deleted! I mean when I go the that page no video is embedded and when I try to edit it the code is disappeared!
When I try to preview it before the saving it seems to display it well!
Thank you.

[aoduor]

Thanks @cypherinfo.

Some info on how to replicate this:-

• Grab youtube embed code
• Add content to either a report or new page
• Save

Expected Result: Youtube video gets embedded on the report/page added
Actual Result: No video gets embedded, and on attempts to edit, youtube embed code doesn't exist (it gets deleted).

[rjmackay]

Which embed code are you using? are you using youtube short urls?

There are a couple of ways this should work:

1. You should be able to add this as a media link and it will be embedded.
2. If you use the iframe embed that should make it through the HTML filters.

I don't think <embed> tags will work.

[cypherinfo]

Hello,
here is the ways youtube offers to embed a video: https://support.google.com/youtube/answer/171780?hl=en

1. Sorry I do not see any media link in the Ushahidi 2.7 editor or crowdmap deployment; may be you mean a simple link to the youtube video.
2. I tried the iframe embed by: adding the code in the code mode; it seems to work, it displays the video (and the play button on it) correctly when I preview it in the normal editor mode; but on saving the page the embed code (iframe or the code of the old ways to embed) the disappear.
   Thank you.

[aoduor]

I was using the iframe embed codes. Didn't work.

[prd-interarma]

Hello there,

I just wanted to bump this as I think that the ability to embed videos — particularly tutorial screencasts — directly within pages would be very useful. If it's possible/practical to raise this to a P2 priority level, I would appreciate that; alternatively, if someone can point me to the relevant file(s)/functions, I'd be happy to look into this myself.

Cheers,
Pete

[ditorelo]

Confirming behaviour:

• Embed video will work when video URL is pasted on "External Video Link" field
• Embed iframe will not work when pasted on the "Description" field for reports or "Page description" field for pages.

Having a look on what we can do.

[ditorelo]

I had a look and we need a wee change on the code make this work (requested on #1244).
Now, I'm very keen to get this reviewed and accepted before recommending any updates to live deployments.

I've also put a pull request on (#1245) to update the safe_iframe_regexp on the config template so it accepts Youtube's current embed code.

The only way to get this working for pages is use the HtmlPurifier class as the xss filtering tool. To enable that on live deployments you'll need to make the updates below together with the updates on #1244.

/application/config/config.php

    // Line 73 - Using htmlpurifier as default xss filter
    $config['global_xss_filtering'] = "htmlpurifier"; 

    // Line 177: #1245 updates the config template, this needs to be changed on live config
    $config['safe_iframe_regexp'] = '%^//(www.youtube.com/embed/|player.vimeo.com/video/|w.soundcloud.com/player!)%';

This should fix the embed issue for pages.
I would say the issue for the report details page is a wont-fix - we should be using the 'External Video Link' field for those.

I would like to reiterate that this touches on a couple of things that I don't have fully understanding off just yet and there might be unwanted consequences here. Keen to have @rjmackay review this before assuming it is a good fix. :)

[rjmackay]

Allowing iframe embeds in report description is a desired behaviour.. but fixing the safe_iframe_regexp config should be enough to resolve that.

I'm not sure on the global XSS clean fix.. I though Iframes made it through that anyway.. its only ever there as an extra layer, its actually quite easy to get around..

[ditorelo]

To allow for reports to have embed on the description we need to get the html::clean() function to accept the accept all the parameters for the iframe embeeds on config.allowed_html. I had a little trouble with that. Will have another look soon.