Elin Waring Blog
One of the most common questions about working with Joomla! 1.6 is how to embed video in articles. The reason this is a problem is that embedding inherently creates risks because of what might be embedded. It could contain malware of some kind, and even though it is safe today who knows what might happen in the future? This is why, the iframe tag which is commonly used to embed content is routinely stripped out of articles both by WYSIWYG editors and by the Joomla! input filter as a security measure. Letting just anyone insert an iframe could be a problem. So you do want to think carefully about who you allow to embed video on your site and what formats and host sites you allow.
Let's say you have decided the despite the inherent risk you want some embedded video? How can you do it? Naturally, there are a number of options. If you want to have lots of unsupervised users embedding things you probably will want to get a specialized plugin from the JED. A number of editors also have plugins for inserting videos
But let's say you just want a limited amount of video and you want to limit the ability to insert it to certain groups. So what to do? Two of the biggest video sites are Youtube.com and Vimeo.com and they both use iframes for embedding. If you copy and past their embed codes into TinyMCE, they will actually be filtered twice, first by the editor and then by the Joomla input filters.
There are two ways to approach solving this problem. First, remove the filters. The second is to use the built in Joomla! iframe handler, the wrapper module.
If you chose to remove filters, you need to take two steps.
1. In the TinyMCE plugin, on the lower right side of the page, remove iframe from the list of prohibited elements.
The real reason that people have noticed this issue in 1.6+ is that the handling of the input filters has changed slightly. Previously super administrators by default did not have their input filtered. This meant that they could include iframe or object tags as long as they weren't running into filtering by the editor (usually people would suggest using no editor for doing this). In 1.6+ you need to set this yourself by going to the article manager and clicking on Options. Then go to the Text Filters tab and change the filter for the group(s) you want to allow to insert video to No Filtering. This is leaving the door wide open so you should be absolutely certain that the people in this group are trustworthy.
The other alternative that does not leave the door wide open is to use a wrapper module. Now, I never even knew that the wrapper module existed until I started working on sample data for 1.6, but since I discovered it I use it all the time for embedding in 1.5 and 1.6+. Basically the wrapper module provides a context for loading an iframe by providing a place for pasting the url that you find in the embed code src attribute, for example http://www.youtube.com/embed/JkDqrYh1j1g. You can also take the height and width from the embed code and you can, of course, apply a module suffix and so on. Then use it in the normal way you use any module. So below I have used loadposition to load two wrapper modules one embedding video from Youtube and the other from Vimeo.
Obviously you need access to the module manager to be able to do this, but still, giving someone access to the module manager is a lot safer than letting them insert script tags in your site content.