Re: Questions to the Administrator
Reply #163 –
Just to be clear, the iframe is constructed as
<iframe src="//www.youtube.com/embed/>>>extracted YouTube ID goes here<<<">
The img is constructed as
<img src="basically anything that starts with http(s)://">
In both cases something like urlencode is used to further secure the entered data.
Anyway, what I mean is that unless I'm mistaken, either YouTube will 404 or you'll have "><script>evilFunction();</script> regardless of whether someone tried to use IMG or VIDEO. That being said, I'll exchange the relevant part of the regex with [\w-]{6,16} just in case.
Any opinions on Vimeo or other sites?
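
The construction described in the reply above, sketched as an added example that is not part of the original post or the forum software's code: the YouTube ID is accepted only if it matches `[\w-]{6,16}`, and the IMG source must start with http(s):// and is escaped before it goes into the attribute. The function names and the accepted URL forms are assumptions, and `encodeURIComponent` plus HTML attribute escaping stand in for the "something like urlencode" step.

```javascript
// Added example with hypothetical helper names; not the forum's own code.
const YT_ID = /^[\w-]{6,16}$/; // character class and length range from the post

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Extract the ID from the URL forms assumed here: watch?v=, youtu.be/, /embed/.
// Anything that does not parse, or whose ID fails the allowlist, yields null.
function extractYouTubeId(input) {
  let url;
  try { url = new URL(input); } catch { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  const host = url.hostname.replace(/^www\./, '');
  let id = null;
  if (host === 'youtu.be') {
    id = url.pathname.slice(1);
  } else if (host === 'youtube.com') {
    if (url.pathname === '/watch') id = url.searchParams.get('v');
    else if (url.pathname.startsWith('/embed/')) id = url.pathname.slice('/embed/'.length);
  }
  return id !== null && YT_ID.test(id) ? id : null;
}

// VIDEO tag: only the validated ID ever reaches the markup.
function renderVideo(input) {
  const id = extractYouTubeId(input);
  if (id === null) return null; // caller shows the raw text as plain text instead
  return `<iframe src="//www.youtube.com/embed/${encodeURIComponent(id)}"></iframe>`;
}

// IMG tag: scheme allowlist, then escape so quotes cannot close the attribute.
function renderImg(input) {
  if (!/^https?:\/\//i.test(input)) return null;
  return `<img src="${escapeAttr(input)}">`;
}

// Constructed sample inputs, including the string quoted in the post.
console.log(renderVideo('https://www.youtube.com/watch?v=abcDEF_1234'));
console.log(renderVideo('https://www.youtube.com/watch?v="><script>evilFunction();</script>'));
console.log(renderImg('http://example.com/a.png"><script>evilFunction();</script>'));
```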