Should audio and video tags be allowed?

(Kane York) #1

I was just going over the html sanitizer whitelist and wasn’t sure what to do about <audio> and <video>.

It seems that they do, in fact, work, but only if you specify src= in the audio tag, not in source tags.

This works:

<audio controls autoplay src=""></audio>
<video controls autoplay loop src=""></video>

(TF2 Spy voice reaction and end of Luigi’s Mansion plus Twitch chat jokes on top of Numa Numa, respectively.)

But this doesn’t:

<video controls autoplay>
  <source src="" type="audio/x-wav">
</video>
<video autoplay loop>
  <source src="" type="video/webm">
  <source src="" type="video/mp4">
</video>

What to do?

Also note that “autoplay” doesn’t actually do anything on a Discourse site.

(Jeff Atwood) #2

No, these should not be allowed.

If you want audio or video, oneboxing should work.
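For readers following why the answer is "no": the decision is made by a tag and attribute allowlist, and anything not on the list is dropped rather than passed through. The following is an added example, not Discourse's own sanitizer, showing a minimal allowlist sanitizer of that shape run over the snippets from the first post. The tag and attribute lists are illustrative assumptions; `<audio>`, `<video>` and `<source>` are simply absent from them, so those tags are removed while their text content is kept, and `autoplay` never reaches the output because no listed tag allows it.

```javascript
// Added example (not Discourse code): a minimal allowlist sanitizer.
// Tags not in ALLOWED_TAGS are dropped (text content kept); attributes not in
// the per-tag allowlist are dropped; URL attributes must be http(s) or a
// single-slash relative path such as /uploads/....
const ALLOWED_TAGS = new Set(["p", "br", "a", "b", "i", "em", "strong", "code", "pre", "img"]);
const ALLOWED_ATTRS = {
  a: new Set(["href", "title"]),
  img: new Set(["src", "alt", "width", "height"]),
};
const URL_ATTRS = new Set(["href", "src"]);

// Splitting on a capturing group keeps the tags as odd-indexed chunks.
const TAG_RE = /(<\/?[a-zA-Z][^>]*>)/;
const OPEN_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$/;
const ATTR_RE = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function safeUrl(value) {
  // http(s) absolute URLs or site-relative paths; rejects "//host" and
  // any other scheme (javascript:, data:, ...).
  return /^(https?:\/\/|\/(?!\/))/i.test(value.trim());
}

function escapeText(text) {
  // Only angle brackets are escaped here so existing entities are not
  // double-encoded; a production sanitizer would handle '&' as well.
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function rebuildTag(isClose, name, rawAttrs) {
  if (isClose) return `</${name}>`;
  const allowed = ALLOWED_ATTRS[name] || new Set();
  const parts = [];
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(attr)) continue;                  // e.g. autoplay, onclick, style
    if (URL_ATTRS.has(attr) && !safeUrl(value)) continue;
    parts.push(`${attr}="${value.replace(/"/g, "&quot;")}"`);
  }
  return `<${name}${parts.length ? " " + parts.join(" ") : ""}>`;
}

function sanitize(html) {
  return html
    .split(TAG_RE)
    .map((chunk, i) => {
      if (i % 2 === 0) return escapeText(chunk);       // text between tags
      const m = OPEN_RE.exec(chunk);
      if (!m) return escapeText(chunk);                // malformed tag: treat as text
      const name = m[2].toLowerCase();
      if (!ALLOWED_TAGS.has(name)) return "";          // drop the tag, keep its content
      return rebuildTag(m[1] === "/", name, m[3]);
    })
    .join("");
}

// Constructed sample inputs modelled on the first post.
const SAMPLES = [
  '<audio controls autoplay src="/uploads/default/1/clip.wav"></audio>',
  '<video controls autoplay loop src="/uploads/default/1/clip.mp4"></video>',
  '<p onclick="x()">plain <b>text</b> survives</p>',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", JSON.stringify(sanitize(s)));
```

The same structure is what makes the thread's observation about `<source>` unsurprising: once `<video>` is off the list, its child `<source>` elements are dropped too, so whether `src=` sits on the tag or on a child makes no difference to the outcome.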

(Kane York) #3

Removing more stuff from the sanitizer whitelist by riking · Pull Request #1948 · discourse/discourse · GitHub

(Matt McNeil) #4

Sorry to revive this old topic; I couldn’t find any answers to my question in newer topics.

Re: using Oneboxing as a solution, my goal is to be able to self-host some private video content (mp4). (One of the goals is to be able to use Discourse’s authorization/group-based access controls).

I think something as simple as this would normally work for me:

<video width="320" height="240" controls>
  <source src="/uploads/default/172/4158c00ffee987c5.mp4" type="video/mp4">
</video>

I understand how to use the Onebox feature for hosting via YouTube etc, but how can I replicate similar functionality for self-hosted video?

Thanks much!

(Khoa Nguyen) #5

You have to use an HTML file with OpenGraph or oEmbed, and your domain (which hosts your HTML files) has to be whitelisted.

(Matt McNeil) #6

Thanks for the reply. I’m not sure I understand your proposed solution though. I’d just like to be able to embed an HTML5 video player (for content that’s already been uploaded to the same Discourse instance/domain) in an ordinary Discourse topic or post. Creating and hosting a separate HTML file to accomplish this seems like a bit too much work. Any other ideas? E.g. a graceful way to expand the whitelist of allowable HTML tags to include VIDEO?

(Jeff Atwood) #7

Works fine for me?

Just paste the URL on a line by itself. Perhaps you are overthinking this? :wink:

(Matt McNeil) #8

Hi Jeff, thanks much for the reply! Unfortunately, your solution doesn’t seem to work for videos self-hosted as uploads on our Discourse site. As you can see below, the robot video mp4 from works fine but the same video when hosted on our site renders only as a bare link. (Even though clicking on that bare link will immediately download the file). Is there some setting I have configured incorrectly?

Any further suggestions?

(Dave McClure) #9

testing that link from meta:

Works here, so maybe it’s just an issue if it’s hosted on the same site?

(Khoa Nguyen) #10

@mcwumbly Works on my site too. Are you on the latest version of Discourse?

(Matt McNeil) #11

Thanks all for the replies!

@mcwumbly Yes, I too was wondering if there might be a same-site restriction? Can you confirm if this is intentional @codinghorror or @sam?

As a side note, this points to one of my goals, which was to have some files which could only be downloaded if the user had access to a particular group. I’ve seen the Site Setting about disallowing anon users from downloading site assets, but I’m guessing that there’s no current way for Discourse to know which category a file was uploaded to and then restrict download access based on group permissions. This question probably deserves a separate topic however…

@thangngoc89, yes, we’re on the latest version (1.2.0.beta3)

(Kane York) #12

Yup. Uploads are named by SHA hash, so if someone downloads a file and uploads it somewhere else, it has the exact same filename (and file, but that was a given).

I’m experiencing this issue too; where videos (in my case .mov files) will embed if they are hosted externally, but will not if they are on the same server.

A related issue I have is that videos emailed-in are only recognised as downloadable files / attachments, and a download / attachment link is added to the post body instead of a video embed.

(Jeff Atwood) #14

Can you add the internal video file link scenario to your list @techapj? I agree that for .mp4 files uploaded locally the video onebox should work.

(Simon Cossar) #15

Could this be made to work with audio files as well?

(Arpit Jalan) #16

Okay, done! :christmas_tree:
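What "the video onebox should work" amounts to, for both the locally uploaded .mp4 case from #14 and the audio case from #15, is a server-side transform: a paragraph consisting of nothing but a media URL is replaced by a player element the server itself generates, so no user-supplied `<video>` markup ever has to pass the sanitizer. The following is an added example, not Discourse's onebox implementation. The extension lists, the `oneboxMedia`/`classifyMediaUrl` names and the `siteHost` parameter are assumptions made for the illustration; it accepts same-site `/uploads/...` paths as well as external http(s) URLs, emits `controls` and never `autoplay`, and returns `null` for anything that is not a bare media URL on its own line.

```javascript
// Added example (not Discourse code): turn a bare media URL line into a
// server-generated <video>/<audio> element, accepting same-site uploads.
const VIDEO_EXT = new Set(["mp4", "webm", "mov"]);
const AUDIO_EXT = new Set(["mp3", "ogg", "wav"]);

// The whole line must be one http(s) URL or one site-relative /uploads/ path;
// anything else (prose around the link, other schemes) is not oneboxed.
const BARE_URL_RE = /^(https?:\/\/\S+|\/uploads\/\S+)$/i;

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Returns { kind, src, sameSite } or null. siteHost is the forum's own host,
// used both to resolve relative paths and to recognise same-site absolute URLs.
function classifyMediaUrl(line, siteHost) {
  const text = line.trim();
  if (!BARE_URL_RE.test(text)) return null;
  let url;
  try {
    url = new URL(text, `https://${siteHost}`);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  const ext = url.pathname.split(".").pop().toLowerCase();
  const kind = VIDEO_EXT.has(ext) ? "video" : AUDIO_EXT.has(ext) ? "audio" : null;
  if (!kind) return null;
  const sameSite = url.host.toLowerCase() === siteHost.toLowerCase();
  // Same-site media is referenced by path so it works on whatever scheme/host
  // the forum is served from; external media keeps its full URL.
  return { kind, src: sameSite ? url.pathname + url.search : url.href, sameSite };
}

function oneboxMedia(line, siteHost) {
  const media = classifyMediaUrl(line, siteHost);
  if (!media) return null;
  // controls on, preload limited to metadata, and deliberately no autoplay.
  return `<${media.kind} controls preload="metadata" src="${escapeAttr(media.src)}"></${media.kind}>`;
}

// Constructed sample lines: the upload path from post #4, an external video,
// an audio file, and two lines that must not be oneboxed.
const SITE = "forum.example";
const LINES = [
  "/uploads/default/172/4158c00ffee987c5.mp4",
  "https://forum.example/uploads/default/172/4158c00ffee987c5.mp4",
  "https://example.com/robot.mp4",
  "https://example.com/song.mp3",
  "see https://example.com/robot.mp4 here",
  "https://example.com/page.html",
];
for (const l of LINES) console.log(JSON.stringify(l), "->", oneboxMedia(l, SITE));
```

The same-site branch is the behaviour posts #8 through #14 were missing: a URL whose host equals the forum's own host is treated exactly like an external one, rather than falling through to a bare link.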

(Arpit Jalan) #17