kylejginavan / youtube_it

An object-oriented Ruby wrapper for the YouTube GData API
http://groups.google.com/group/ruby-youtube-library

YouTubeIt should handle escaping data sent to YouTube #137

Closed KieranP closed 11 years ago

KieranP commented 11 years ago

YouTubeIt::Upload::VideoUpload#video_xml should take care of escaping content before sending it to YouTube, else content with < or > gets rejected. Rather than manually making the user do this, youtube_it could do it automatically.

I don't have time to make a patch, but here is how I would implement it:

require 'cgi'

class YouTubeIt::Upload::VideoUpload
  # Escape &, <, >, " and ' so the value can be embedded in the upload XML;
  # nil is passed through so optional fields stay optional.
  def escape(content)
    CGI.escapeHTML(content) if content
  end
end

Then, within YouTubeIt::Upload::VideoUpload#video_xml, change lines like:

mg.tag!("media:description", @opts[:description], :type => "plain")

to

mg.tag!("media:description", escape(@opts[:description]), :type => "plain")

Do that for title, description, keywords, category, and dev_tag.
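The escaping step described above, as an added stand-alone example (not code from the youtube_it gem): a hypothetical `EscapedUpload` module that builds the `<media:group>` fragment by hand instead of with Builder, so it runs with only the standard library, and a `well_formed?` check showing that an unescaped `<` in a description yields XML a consumer will reject.

```ruby
require 'cgi'
require 'rexml/document'

# Hypothetical stand-in for YouTubeIt::Upload::VideoUpload#video_xml.
# Field names follow the issue; the tag set is reduced to four fields.
module EscapedUpload
  FIELDS = {
    title:       "media:title",
    description: "media:description",
    keywords:    "media:keywords",
    category:    "media:category"
  }.freeze

  # Escape the XML-significant characters, or pass nil through untouched,
  # mirroring the `if content` guard proposed in the issue.
  def self.escape(content)
    CGI.escapeHTML(content) if content
  end

  # Build the media group from user-supplied opts (a constructed Hash).
  # With escaped: false the raw values are embedded, which is the failure
  # mode the issue describes.
  def self.media_group_xml(opts, escaped: true)
    body = FIELDS.map do |key, tag|
      value = opts[key]
      next if value.nil?
      value = escape(value) if escaped
      attrs = %i[title description].include?(key) ? ' type="plain"' : ""
      "<#{tag}#{attrs}>#{value}</#{tag}>"
    end.compact.join
    "<media:group xmlns:media=\"http://search.yahoo.com/mrss/\">#{body}</media:group>"
  end

  # True when the document parses; an unclosed <b> inside a description
  # makes REXML raise ParseException, the same kind of rejection the
  # issue reports from YouTube.
  def self.well_formed?(xml)
    REXML::Document.new(xml)
    true
  rescue REXML::ParseException
    false
  end
end
```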

chebyte commented 11 years ago

mmm I think that you need to escape the text in your app; YouTube supposes that you are sending safe text

KieranP commented 11 years ago

I disagree. youtube_it should handle the escaping. Why should my app have to know escaping characters? I should be able to pass it to youtube_it, and it will make the content valid for YouTube.

kylejginavan commented 11 years ago

The application layer (Rails, Sinatra) and more specifically ORMs (ActiveRecord) should handle this for your DB or any other data source. For example, Rails handles this when executing queries via Active Record. With that said, it is easy to go around ActiveRecord. Off hand I think you can run text.safe_html before it is sent to YouTube or your DB. Furthermore, I think that YouTube will parse the text too. For example, if you send as text < script >, YouTube will not run this script.

With that said, if the community feels this is important (via some +1 action) I will do what is best. Thank you for getting involved and letting your voice be heard.