How to Embed Flickr, YouTube, or MySpace Content

Normally, Plone will not allow you to paste the code necessary to embed videos, slideshows or music players from popular websites such as Flickr, YouTube and MySpace. Learn how to adjust the HTML filtering to allow this content.

The steps required to enable embeddable content differ between Plone 2.5 and Plone 3.0.  Please consult the appropriate section of this document for your version of Plone.

 

Important security note

Making these configuration changes has serious security implications for your site.  Plone filters out the tags that are used for HTML embedding for a good reason: they can be abused by your site users to create privilege escalation attacks.  If you have untrusted people allowed to create content on your Plone site, then a malicious person could create some "nasty" Javascript in some content, then trick a person with Admin rights into viewing that content. That "nasty" Javascript can now do HTTP requests to interact with the Plone site with the full Admin rights granted to the trusted user. 

Bottom line: do not use this techniques to enable embeddable content in your Plone site unless you are certain that you absolutely trust all users who are allowed to create content in your site.

 

Plone 2.5

First, you must access the ZMI

Then go to portal_transforms -> safe_html

Now, notice the so-called "nasty_tags" : applet, embed, object, and script.

You must look at the code you are trying to use and determine which of these tags are in that code. Embed, object, and param are probably the most common.

There are two columns, tag and value. For the tags you want to allow, erase both the tag name and value.

Now, you must also explicitly allow those tags. Scroll a bit further down and notice the large list of "valid_tags".

At the very bottom should be a few empty cells for you to enter new valid_tags. Put the tag in the left column cell, and a 1 in the right column cell (use a zero if the tag in question does not use a closing tag, such as a br tag).

Now click Submit Query down at the end of the page.

 
You should now be able to paste in the HTML you need. Here an example of some embedding code from YouTube

<object width="425" height="350">
<param name="movie" value="http://www.youtube.com/v/ydLiasdJeoo">
</param>
<param name="wmode" value="transparent">
</param>
<embed src="http://www.youtube.com/v/ydLiasdJeoo" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350">
</embed>
</object>

 

Note about Kupu versions: If you are using a version of Kupu prior to 1.4, you must make another configuration adjustment to allow for the use of the embed tag. Since embed is technically not a valid HTML tag, you must alter the
kupu/common/kupucontentfilters.js object. Note that you may need to reinstall Kupu for the patch to take effect. Be sure you have a backup of your Kupu configuration before doing this.

Instructions for doing so are here:
http://dev.plone.org/plone/attachment/ticket/5189/kupu_embed.diff

 

 

Plone 3.0

In Plone 3.0, all of these settings have been moved into the Plone UI.

First, go to Site Setup>Visual Editor then click on the Toolbar tab.

  • Enable the checkbox next to "Embed tab in External link drawer"
  • Scroll down to the bottom of the screen and click "Save"

Then, go to Site Setup > HTML Filtering

  • Remove "Object" and "Embed" from the "Nasty Tags" list
  • Remove "Object" and "Param" from the "Stripped Tags" list
  • Add "Embed" to the "Custom Tags" list
  • Scroll down to the bottom of the screen and click "Save"

 

With these changes made, you should be able to click the External Link button, and click on the now-visible "Embed External Object" tab.  This will let you paste in a chunk of embedding code from YouTube, Flickr or other services.

 

Example of this is action

Posted by David Averill at Sep 20, 2007 10:07 PM
We also did some documentation on this at http://learnplone.org/[…]/using-flickr-slideshow-in-plone

Como insertar contenido de Flickr, YouTube, o MySpace en Plone

Posted by Roberto Allende at Mar 20, 2008 09:19 PM
http://plone.org/[…]/contenido-flickr-youtube-o-myspace-en-plone

This howto is available in Spanish

How to do it in the code

Posted by Lucie Lejard at Mar 24, 2008 07:05 PM
we put the following in an upgrade step (in Plone 3.0 site), so that we don't have to do it by hand each time we use a clean datafs:

def updatePortalTransforms(context):
    pt = getToolByName(context, 'portal_transforms')
    safe_html = pt['safe_html']
    nasty_tags = safe_html.get_parameter_value('nasty_tags')
    to_remove = ['embed', 'object']
    
    new_nasty_tags ={}
    new_valid_tags = safe_html.get_parameter_value('valid_tags')
    for tag in nasty_tags.keys():
        if tag not in to_remove:
            new_nasty_tags[tag] = nasty_tags[tag]
        else:
            new_valid_tags[tag] = nasty_tags[tag]
    
    kwargs = {}
    kwargs['nasty_tags'] = new_nasty_tags
    kwargs['valid_tags'] = new_valid_tags
    for k in list(kwargs):
        if isinstance(kwargs[k], dict):
            v = kwargs[k]
            kwargs[k+'_key'] = v.keys()
            kwargs[k+'_value'] = [str(s) for s in v.values()]
            del kwargs[k]
    safe_html.set_parameters(**kwargs)
    safe_html._p_changed = True

Another way

Posted by Tim Godfrey at Aug 06, 2008 07:47 AM
This way also seems to work fine:

        toAllow = ('embed', 'object')

        for tag in toAllow:
            try:
                safe_html._config['valid_tags'][tag] = 1
                del safe_html._config['nasty_tags'][tag]
            except KeyError:
                pass

        safe_html._p_changed = True

Embed PDF files

Posted by Zoltan Soos at Feb 19, 2009 04:49 AM
Similar code can be used to embed PDF files into a page:

---------------------------------------------
<object width="800" height="600">
<param name="pdf" value="/path-to-pdf/Generic.pdf">
<embed src="/path-to-pdf/Generic.pdf" type="application/x-pdf" wmode="transparent" width="800" height="600">
</object>
---------------------------------------------
This code will display the Generic.pdf file in an 800px by 600px window, provided the safe_html and Kupu setting described above are correctly configured.

One more tip: to make the PDF use the whole (800x600) window area, just save it from Acrobat using
 File -> Properties _> Initial View
    Magnification: Fit Page
      and
    Hide tool bars
    Hide window controls
if applicable.

I could not figure out how to "fit to window" the embedded PDF...

Embed PDF files

Posted by Max Bloechle at Mar 28, 2009 05:53 PM
I use the following code to embed pdf files into the file view (file_view.pt):
<div tal:condition="python: content_type=='application/pdf'">
  <object tal:attributes="data here/id" type="application/pdf" width="720" height="460">
    To see a preview you need to install the pdf plugin!
  </object>
</div>
Using the object tag is valid XHTML.