If you want to allow users to embed Youtube videos in a CMS you can’t allow them to include the complete Youtube embed or iframe Code.

Because of vulnerability of injecting an unwanted code, users can, in the worst case, shoot your site.

We can solve this problem by taking the Youtube url, the Youtube embed or iframe code, or only the Youtube id and wrap it into an Iframe with our specific dimensions.

Here is an PHP 5 function which extracts the Youtube Id from all different types of user-inputs. And i think its user save.

Possible Inputs

With these user-inputs we have to count with:

  • nKhheto4L6k
  • http://youtu.be/nKhheto4L6k
  • http://www.youtube.com/watch?v=nKhheto4L6k&feature=fvsr
  • http://www.youtube.com/user/Google?blend=2&ob=5#p/a/u/2/QP5szEn2dxs (Channel Code)
  • http://www.youtube.com/user/Google?#p/a/u/2/QP5szEn2dxs (other Channel Code)
  • <iframe width=“560″ height=“349″ src=“http://www.youtube.com/embed/QP5szEn2dxs?rel=0″ frameborder=“0″ allowfullscreen></iframe> (new embed code)
  • <object width=“560″ height=“349″><param value=“http://www.youtube.com/v/QP5szEn2dxs?version=3&amp;hl=de_DE&amp;rel=0″></param><param name=“allowFullScreen“ value=“true“></param><param name=“allowscriptaccess“ value=“always“></param><embed src=“http://www.youtube.com/v/QP5szEn2dxs?version=3&amp;hl=de_DE&amp;rel=0″ type=“application/x-shockwave-flash“ width=“560″ height=“349″ allowscriptaccess=“always“ allowfullscreen=“true“></embed></object> (old embed code)

I think thats actually all the ways you can get a ressource from youtube.

	 * Function to parse the id from all different types of Youtube Embed Codes and Youtube Urls
	 * @author Andreas Grundner
	 * @date 22.07.2011
	 * @licence freeware
	 * @param string youtube url, embed code, share code, channel code ...
	 * @return string youtube_id
	function getYoutubeId($sYoutubeUrl) {

		# set to zero
		$youtube_id = "";
		$sYoutubeUrl = trim($sYoutubeUrl);

		# the User entered only the eleven chars long id, Case 1
		if(strlen($sYoutubeUrl) === 11) {
			$youtube_id = $sYoutubeUrl;
			return $sYoutubeUrl;

		# the User entered a Url
		else {

			# try to get all Cases
			if (preg_match('~(?:youtube.com/(?:user/.+/|(?:v|e(?:mbed)?)/|.*[?&]v=)|youtu.be/)([^"&?/ ]{11})~i', $sYoutubeUrl, $match)) {
		   		$youtube_id = $match[1];
		    	return $youtube_id;
			# try to get some other channel codes, and fallback extractor
			elseif(preg_match('~http://www.youtube.com/v/([A-Za-z0-9-_]+).+?|embed/([0-9A-Za-z-_]{11})|watch?v=([0-9A-Za-z-_]{11})|#.*/([0-9A-Za-z-_]{11})~si', $sYoutubeUrl, $match)) {

				for ($i=1; $i<=4; $i++) {
					if (strlen($match[$i])==11) {
						$youtube_id = $match[$i];
				return $youtube_id;
			else {
				$youtube_id = "No valid YoutubeId extracted";
				return $youtube_id;

Last thing to do is, to get the Youtube id (this function returns it) and wrap it into a iframe, or a embed Code.

<iframe allowfullscreen="" frameborder="0" height="187" src="http://www.youtube.com/embed/' .  getYoutubeId($youtubeUrl) . '?rel=0&amp;wmode=transparent&amp;hd=1" title="YouTube video player" width="250"></iframe>

Now we have complete control over our embeded movies. So take it and have fun :)