We are adding embeddable content that users can add. This opens up a lot of exploits, and I want to start minimizing the potential damage.
First off I need to make sure the embeddable string starts with either <iframe> or <object> and ends with </iframe> or </object>.
Found this: https://stackoverflow.com/questions/28118798/how-can-i-check-a-string-is-iframe-tag-by-php-functions
but I need to rewrite it, and I'm at a loss.
$string = '<iframe src="sourceurl"></iframe>';
// strpos() returns the 0-based offset, or false when not found. Position 0 is
// "empty", so the check must compare against false, not use empty().
$test = strpos($string, '<iframe');
if ($test !== false) {
echo 'That has an iframe!!';
} else {
echo "There's no iframe in there...";
}
How do I attack this? And on a side note, should I just scrap object embeds? They feel highly vulnerable...
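As an added example (my own code, not from the question or the linked answer), here is a stricter PHP check than strpos: it requires the string to be exactly one <iframe> or <object> element with nothing between the open and close tags, parses it with DOMDocument, allowlists the attributes, and only accepts an https src/data URL on an allowlisted host. The host list and attribute list are assumptions to replace with your own.

```php
<?php
// Added example (not from the question): validate a user-supplied embed
// snippet instead of only checking that "<iframe" occurs somewhere in it.
// The allowlisted hosts are placeholders; substitute the sites you embed.
const ALLOWED_EMBED_HOSTS = ['www.youtube.com', 'player.vimeo.com'];
function isSafeEmbed(string $html): bool
{
    $html = trim($html);
    // Exactly one element: opens with the tag, closes with its end tag, and
    // contains no other '<' or '>' (so nothing can be smuggled in between).
    if (!preg_match('~^<(iframe|object)\b[^<>]*>\s*</\1>$~i', $html, $m)) {
        return false;
    }
    $tag = strtolower($m[1]);

    // Let a real HTML parser decide what the attributes are.
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok = $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $nodes = $ok ? $doc->getElementsByTagName($tag) : null;
    if ($nodes === null || $nodes->length !== 1) {
        return false;
    }
    $el = $nodes->item(0);

    // Allowlist attributes: this rejects on* event handlers, srcdoc, style,
    // and anything else you did not deliberately decide to permit.
    $allowedAttrs = ['src', 'data', 'width', 'height', 'title', 'allowfullscreen', 'frameborder'];
    foreach ($el->attributes as $attr) {
        if (!in_array(strtolower($attr->name), $allowedAttrs, true)) {
            return false;
        }
    }

    // The embed URL must be https and point at an allowlisted host.
    $url = $el->getAttribute($tag === 'iframe' ? 'src' : 'data');
    $parts = parse_url($url);
    return $parts !== false
        && isset($parts['scheme'], $parts['host'])
        && strtolower($parts['scheme']) === 'https'
        && in_array(strtolower($parts['host']), ALLOWED_EMBED_HOSTS, true);
}

// Constructed inputs: an allowlisted https embed, a javascript: URL, an event-handler attribute.
var_dump(isSafeEmbed('<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>'));
var_dump(isSafeEmbed('<iframe src="javascript:void(0)"></iframe>'));
var_dump(isSafeEmbed('<iframe src="https://www.youtube.com/embed/abc" onload="x()"></iframe>'));
```

Whatever passes, render the element yourself from the parsed attributes (adding a sandbox attribute to the iframe) rather than echoing the original string back into the page. Object snippets that carry <param> children fail this check by design; handle those separately if you decide to keep object embeds at all.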