I want to enable users to submit video links in a post/comment and render it as embedded videos.
For example, youtube supplies code for embedding videos, something like:
<iframe width="420" height="345" src="http://www.youtube.com/embed/Rr6PWlOgPrs" frameborder="0" allowfullscreen></iframe>
If a user puts the above code fragment in a comment, how do I render it correctly?
Django auto-escapes all HTML tags, so by default the above code wouldn't work. But if I disable auto-escaping then I'd open a ton of security risks.
What's the best way of handling this?
What I do on my site is have users submit a link to the YouTube video. No embed stuff, just the link. Then I use the oEmbed API to ask YouTube for the embed HTML code for the given link. If you trust YouTube, you can then use the HTML they give you without escaping it.
I've been doing this for 6 months now, it works really great.