Just finished an awesome book on Web App Security, and I've got a security question. I'd like to allow users to share videos on my website. I don't have a problem restricting them to youtube and vimeo embedding, saves me the storage anyways, but I don't want untrusted code running on site.
So, what's the best way to do this?
FYI, I'm using express.js on top of node.js and couchdb for a database.
What untrusted code are you referring to? You can store references to external videos in your database, and just use them to embed a player in your views. No code from Youtube or Vimeo needs to run on your server to accomplish this. The Youtube API also enables you to allow users to upload videos directly to Youtube from the browser, without proxying through your webserver. This means users can upload and embed youtube videos without any 3rd party code on the server side of your application.
To create your links from a video id, you could simply use:
var directLink = "http://youtube.com/watch?v={0}".format(videoId);
var embedLink = "http://youtube.com/embed/watch?v={0}".format(videoId);
var shortLink = "http://youtu.be/watch?v={0}".format(videoId);