Personal tools
You are here: Home Documentation How-tos How to Embed Flickr, YouTube, or MySpace Content
Support

Get Help

Join our chat rooms or support forums if you have more specific questions.

Plone Training
Learn how to design, build, and deploy a website in Plone through one of the numerous Plone training sessions around the world.
Find Plone training…
 
Document Actions

How to Embed Flickr, YouTube, or MySpace Content

This How-to applies to: Plone 3.0.x, Plone 2.5.x
This How-to is intended for: End Users, Site Administrators, Integrators, Customizers

Normally, Plone will not allow you to paste the code necessary to embed videos, slideshows or music players from popular websites such as Flickr, YouTube and MySpace. Learn how to adjust the HTML filtering to allow this content.

The steps required to enable embeddable content differ between Plone 2.5 and Plone 3.0.  Please consult the appropriate section of this document for your version of Plone.

 

Important security note

Making these configuration changes has serious security implications for your site.  Plone filters out the tags that are used for HTML embedding for a good reason: they can be abused by your site users to create privilege escalation attacks.  If you have untrusted people allowed to create content on your Plone site, then a malicious person could create some "nasty" Javascript in some content, then trick a person with Admin rights into viewing that content. That "nasty" Javascript can now do HTTP requests to interact with the Plone site with the full Admin rights granted to the trusted user. 

Bottom line: do not use this techniques to enable embeddable content in your Plone site unless you are certain that you absolutely trust all users who are allowed to create content in your site.

 

Plone 2.5

First, you must access the ZMI

Then go to portal_transforms -> safe_html

Now, notice the so-called "nasty_tags" : applet, embed, object, and script.

You must look at the code you are trying to use and determine which of these tags are in that code. Embed, object, and param are probably the most common.

There are two columns, tag and value. For the tags you want to allow, erase both the tag name and value.

Now, you must also explicitly allow those tags. Scroll a bit further down and notice the large list of "valid_tags".

At the very bottom should be a few empty cells for you to enter new valid_tags. Put the tag in the left column cell, and a 1 in the right column cell (use a zero if the tag in question does not use a closing tag, such as a br tag).

Now click Submit Query down at the end of the page.

 
You should now be able to paste in the HTML you need. Here an example of some embedding code from YouTube

<object width="425" height="350">
<param name="movie" value="http://www.youtube.com/v/ydLiasdJeoo">
</param>
<param name="wmode" value="transparent">
</param>
<embed src="http://www.youtube.com/v/ydLiasdJeoo" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350">
</embed>
</object>

 

Note about Kupu versions: If you are using a version of Kupu prior to 1.4, you must make another configuration adjustment to allow for the use of the embed tag. Since embed is technically not a valid HTML tag, you must alter the
kupu/common/kupucontentfilters.js object. Note that you may need to reinstall Kupu for the patch to take effect. Be sure you have a backup of your Kupu configuration before doing this.

Instructions for doing so are here:
http://dev.plone.org/plone/attachment/ticket/5189/kupu_embed.diff

 

 

Plone 3.0

In Plone 3.0, all of these settings have been moved into the Plone UI.

First, go to Site Setup>Visual Editor then click on the Toolbar tab.

  • Enable the checkbox next to "Embed tab in External link drawer"
  • Scroll down to the bottom of the screen and click "Save"

Then, go to Site Setup > HTML Filtering

  • Remove "Object" and "Embed" from the "Nasty Tags" list
  • Remove "Object" and "Param" from the "Stripped Tags" list
  • Add "Embed" to the "Custom Tags" list
  • Scroll down to the bottom of the screen and click "Save"

 

With these changes made, you should be able to click the External Link button, and click on the now-visible "Embed External Object" tab.  This will let you paste in a chunk of embedding code from YouTube, Flickr or other services.

 

by Sam Knox last modified January 27, 2008 - 19:30
Contributors: jonstahl, kteague
All content is copyright Plone Foundation and the individual contributors.

Example of this is action

Posted by David Averill at September 20, 2007 - 22:07
We also did some documentation on this at http://learnplone.org/documentation/how-to/using-flickr-slideshow-in-plone

Como insertar contenido de Flickr, YouTube, o MySpace en Plone

Posted by Roberto Allende at March 20, 2008 - 21:19
http://plone.org/countries/conosur/documentacion/contenido-flickr-youtube-o-myspace-en-plone

This howto is available in Spanish

How to do it in the code

Posted by Lucie Lejard at March 24, 2008 - 19:05
we put the following in an upgrade step (in Plone 3.0 site), so that we don't have to do it by hand each time we use a clean datafs:

def updatePortalTransforms(context):
pt = getToolByName(context, 'portal_transforms')
safe_html = pt['safe_html']
nasty_tags = safe_html.get_parameter_value('nasty_tags')
to_remove = ['embed', 'object']

new_nasty_tags ={}
new_valid_tags = safe_html.get_parameter_value('valid_tags')
for tag in nasty_tags.keys():
if tag not in to_remove:
new_nasty_tags[tag] = nasty_tags[tag]
else:
new_valid_tags[tag] = nasty_tags[tag]

kwargs = {}
kwargs['nasty_tags'] = new_nasty_tags
kwargs['valid_tags'] = new_valid_tags
for k in list(kwargs):
if isinstance(kwargs[k], dict):
v = kwargs[k]
kwargs[k+'_key'] = v.keys()
kwargs[k+'_value'] = [str(s) for s in v.values()]
del kwargs[k]
safe_html.set_parameters(**kwargs)
safe_html._p_changed = True

For any issues with the web site functionality, please file a ticket.

Please consult the policy on plone.org content if you want your content published on this site.

Servers and hosting by