# Embedding A Video

There may be situations where you would like to embed external media such as videos or other web-based html into your forms. This type of embedding can expose your forms to XSS vulnerabilities within your application. 

To safely embed HTML, apply the [**Form.io Santize Config**](https://github.com/formio/formio.js/wiki/Form-Sanitize-Config) within your application settings. This code is a security mechanism that removes unsafe and potentially malicious content from raw HTML strings before presenting them to the end-user. Below is an example of applying the Sanitize Configuration to an embedded form within the application code. The video embed URL was applied to the [**Content**](https://help.form.io/userguide/forms/form-building/form-components/layout-components#content) component on the form level.

```javascript
    window.onload = function() {
    Formio.createForm(document.getElementById('formio'), 
    'https://khvenypsypifjpi.form.io/embed2', 
        {
          sanitizeConfig: {
          allowedAttrs: ['ref', 'src', 'url', 'data-oembed-url'],
          allowedTags: ['iframe', 'oembed'],
          addTags: ['iframe', 'oembed'],
          addAttr: ['url', 'data-oembed-url']
        }
       });
 };
```

{% hint style="info" %}
Form.io utilizes the [**DOMPurify**](https://github.com/cure53/DOMPurify#can-i-configure-dompurify) library to generate the sanitized configurations, please follow the link for more details. 
{% endhint %}

Since the configuration is applied to the application code, the HTML will not render within the Form.io project, but will successfully display within the application for the end user.

{% embed url="<https://codepen.io/JeriahFormio/pen/KKrvRyo>" %}