Should audio and video tags be allowed?

riking · February 14, 2014, 4:36am

I was just going over the html sanitizer whitelist and wasn’t sure what to do about <audio> and <video>.

It seems that they do, in fact, work, but only if you specify src= in the audio tag, not in source tags.

This works:

<audio controls autoplay src="https://wiki.teamfortress.com/w/images/6/6c/Spy_DominationDemoMan07.wav?t=20100625234555"></audio>
<video controls autoplay loop src="https://tehurn.com/media/LUIGI_9001_SUPER_SWAGG_XXXX.mp4" >

Click to expand the audio/video

(TF2 Spy voice reaction and end of Luigi’s Mansion plus Twitch chat jokes on top of Numa Numa, respectively.)

But this doesn’t:

<video controls autoplay>
  <source src="https://wiki.teamfortress.com/w/images/e/e9/Spy_specialcompleted04.wav?t=20100625234706" type="audio/x-wav">
</video>
<video autoplay loop>
  <source src="https://tehurn.com/media/LUIGI_9001_SUPER_SWAGG_XXXX.webm" type="video/webm">
  <source src="https://tehurn.com/media/LUIGI_9001_SUPER_SWAGG_XXXX.mp4" type="video/mp4">
</video>

What to do?

Also note that “autoplay” doesn’t actually do anything on a Discourse site.

codinghorror · February 14, 2014, 5:39am

No, these should not be allowed.

If you want audio or video, oneboxing should work.

riking · February 14, 2014, 5:47am

Removing more stuff from the sanitizer whitelist by riking · Pull Request #1948 · discourse/discourse · GitHub

matt_mcneil · December 2, 2014, 6:41pm

Sorry to revive this old topic; I couldn’t find any answers to my question in newer topics.

Re: using Oneboxing as a solution, my goal is to be able to self-host some private video content (mp4). (One of the goals is to be able to use Discourse’s authorization/group-based access controls).

I think something as simple as this would normally work for me:

<video width="320" height="240" controls>
  <source src=""/uploads/default/172/4158c00ffee987c5.mp4"" type="video/mp4">
</video>

I understand how to use the Onebox feature for hosting via YouTube etc, but how can I replicate similar functionality for self-hosted video?

Thanks much!
Matt

thangngoc89 · December 2, 2014, 8:02pm

You have to use a HTML file with OpenGraph or oEmbed and your domain (which contains your HTML files) is whitelisted

matt_mcneil · December 2, 2014, 10:14pm

Thanks for the reply. I’m not sure I understand your proposed solution though. I’d just like to be able to embed a HTML 5 video player (for content that’s already been uploaded to the same Discourse instance/domain) in an ordinary Discourse topic or post. Creating an hosting a separate HTML file to accomplish this seems like a bit too much work. Any other ideas? eg a graceful way to expand the whitelist of allowable HTML tags to include VIDEO?

codinghorror · December 3, 2014, 1:37am

Works fine for me?

Mod edit: removed broken link

Just paste the URL on a line by itself. Perhaps you are overthinking this?

matt_mcneil · December 3, 2014, 5:30pm

Hi Jeff, thanks much for the reply! Unfortunately, your solution doesn’t seem to work for videos self-hosted as uploads on our Discourse site. As you can see below, the robot video mp4 from techslides.com works fine but the same video when hosted on our site community.cfmhome.org renders only as a bare link. (Even though clicking on that bare link will immediately download the file). Is there some setting I have configured incorrectly?

Any further suggestions?
Thanks!

mcwumbly · December 3, 2014, 5:35pm

testing that link from meta:

https://community.cfmhome.org/uploads/default/172/4158c00ffee987c5.mp4

Works here, so maybe its just an issue if its hosted on the same site?

thangngoc89 · December 3, 2014, 5:37pm

@mcwumbly Work in my site too. Did you on lastest version of Discourse

matt_mcneil · December 3, 2014, 5:55pm

Thanks all for the replies!

@mcwumbly Yes, I too was wondering if there might be a same-site restriction? Can you confirm if this is intentional @codinghorror or @sam?

As a side note, this points to one of my goals, which was to have some files which could only be downloaded if the user had access to a particular group. I’ve seen the Site Setting about disallowing anon users from downloading site assets, but I’m guessing that there’s no current way for Discourse to know which category a file was uploaded to and then restrict download access based on group permissions. This question probably deserves a separate topic however…

@thangngoc89, yes, we’re on the latest verison (1.2.0.beta3)

riking · December 3, 2014, 10:39pm

Yup. Uploads are named by SHA hash, so if someone downloads a file and uploads it somewhere else, it has the exact same filename (and file, but that was a given).

ben_ · February 2, 2015, 7:32am

I’m experiencing this issue too; where videos (in my case .mov files) will embed if they are hosted externally, but will not if they are on the same server.

A related issue I have is that videos emailed-in are only recognised as downloadable files / attachments, and a download / attachment link is added to the post body instead of a video embed.

codinghorror · December 23, 2015, 7:00pm

Can you add the internal video file link scenario to your list @techapj? I agree that for .mp4 files uploaded locally the video onebox should work.

simon · December 24, 2015, 6:45am

Could this be made to work with audio files as well?

techAPJ · December 24, 2015, 8:24pm

Okay, done!

https://github.com/discourse/discourse/commit/3a28bafc0f233710cff868319eb7f70672f53bad

Topic		Replies	Views
Twitter (and Dailymotion) video onebox autoplays without user interaction bug	24	5037	May 9, 2017
Video embeds from facebook.com and other sites fail bug	25	4918	May 6, 2020
Remove Dropbox Onebox For Audio Links feature	16	1922	August 31, 2021
Disable media download in onebox support	17	1577	January 14, 2022
Onebox not embedding locally uploaded media files bug	14	3183	January 1, 2016

Should audio and video tags be allowed?

Related Topics