Medium.com allows you to paste a link into your post (a gist or YouTube video) and it will then fetch and embed that as an <iframe> with <script> tags.
How can they do that securely without opening themselves up to attackers inserting their own XSS code?
I presume they must do some sort of sanitization on the server side but how do they differentiate between trusted <iframe> and <script> tags that they have retrieved vs. others that may be inserted by an attacker?
I'd like to do something similar with Django and Medium Editor.
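The usual answer to the question above is that the server never trusts markup from the user at all: the user submits a URL, the server checks it against an allowlist of embed providers and builds the `<iframe>` or `<script>` tag itself from validated pieces, and any HTML the editor produced for the post body goes through a strict allowlist sanitizer that drops `<script>`, `<iframe>` and event-handler attributes. The following is an added illustration of that split, not Medium's, embed.ly's or Medium Editor's code; it assumes the post body arrives as the editor's HTML and the embed as a separate URL field, and the provider hosts, ID regexes and `render_post` helper are my own assumptions. It uses only the standard library so it runs offline.

```python
"""Allowlist-based embeds plus a strict body sanitizer (hypothetical example)."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumed formats: YouTube video IDs are 11 URL-safe chars, gist IDs are hex.
YOUTUBE_ID = re.compile(r"[A-Za-z0-9_-]{11}")
GIST_USER = re.compile(r"[A-Za-z0-9-]{1,39}")
GIST_ID = re.compile(r"[0-9a-f]{8,40}")


def embed_for_url(url):
    """Turn a user-pasted URL into trusted embed HTML, or None if not allowlisted.

    The user supplies only a URL. Every fragment that reaches the template is
    matched against a strict regex, so attacker text cannot break out of the
    attribute or smuggle its own tag; the <iframe>/<script> is ours, not theirs.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return None
    host = parts.netloc.lower()  # userinfo tricks like youtube.com@evil fail the match
    if host in ("www.youtube.com", "youtube.com", "m.youtube.com"):
        vid = parse_qs(parts.query).get("v", [""])[0]
    elif host == "youtu.be":
        vid = parts.path.strip("/").split("/")[0]
    elif host == "gist.github.com":
        segs = [s for s in parts.path.split("/") if s]
        if len(segs) != 2 or not GIST_USER.fullmatch(segs[0]) or not GIST_ID.fullmatch(segs[1]):
            return None
        # gist's embed form is a script tag; the src is built from validated parts
        return f'<script src="https://gist.github.com/{segs[0]}/{segs[1]}.js"></script>'
    else:
        return None
    if not YOUTUBE_ID.fullmatch(vid):
        return None
    return (f'<iframe src="https://www.youtube.com/embed/{vid}" '
            'sandbox="allow-scripts allow-same-origin allow-popups" '
            'referrerpolicy="strict-origin-when-cross-origin"></iframe>')


class _Sanitizer(HTMLParser):
    """Rebuild user HTML from an allowlist; everything else is dropped or escaped."""
    ALLOWED = {"p", "b", "i", "em", "strong", "br", "a", "blockquote", "h2", "h3"}
    VOID = {"br"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allowed tags we emitted and still need to close
        self.skipping = False  # inside <script>/<style>: discard the body too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = True
            return
        if tag not in self.ALLOWED:
            return  # <iframe>, <img onerror=...>, <svg> etc. silently dropped
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if urlsplit(href).scheme not in ("http", "https"):
                href = ""  # blocks javascript:, data:, vbscript: links
            self.out.append(f'<a href="{escape(href, quote=True)}" rel="noopener nofollow">')
        else:
            self.out.append(f"<{tag}>")  # attributes are never copied through
        if tag not in self.VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
            return
        if tag in self.open:
            while self.open:  # close anything left open inside, keeps output well formed
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def render_post(body_html, embed_url=None):
    """Sanitized body first, then the server-built embed (if the URL was allowlisted)."""
    s = _Sanitizer()
    s.feed(body_html)
    html = s.result()
    embed = embed_for_url(embed_url) if embed_url else None
    if embed:
        html += f'<div class="embed">{embed}</div>'
    return html
```

The point is the separation: the body sanitizer can never emit an `<iframe>` or `<script>` no matter what the user typed, and the only route to one is `embed_for_url`, whose output contains nothing user-controlled beyond a regex-validated ID. Ship it alongside a Content-Security-Policy whose `frame-src` and `script-src` list just the providers you allow, so a bug in either function still cannot load an attacker's origin.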
They use embed.ly which