XML-RPC : xss_clean not respecting weblog settings
Posted: 08 August 2008 04:56 PM
Summer Student
Total Posts:  4
Joined  08-08-2008

As reported initially on http://codeigniter.com/forums/viewthread/80473/

A patch is included in the original post.

IMHO the XML-RPC engine should respect the user’s settings for XSS protection, or allow another setting to control this. Any users of remote weblog editors will be very confused as to why their embeds work when pasted into the web editor but not when sent through the program.

Posted: 08 August 2008 05:03 PM   [ # 1 ]
Administrator
Total Posts:  15833
Joined  06-03-2002

I can see the argument for CI, but in ExpressionEngine, we take a very firm stance that any input that comes from outside of the control panel (say, via the Blogger API) is subject to extra scrutiny.

Posted: 08 August 2008 05:55 PM   [ # 2 ]
Summer Student
Total Posts:  4
Joined  08-08-2008

Thanks for the clarification, Derek.

What would you suggest we recommend for users of our application who wish to post embedded content through the application? I found one plugin for youtube, but am a bit skittish about recommending an unofficial plugin for our users.

Posted: 08 August 2008 10:40 PM   [ # 3 ]
Administrator
Total Posts:  15833
Joined  06-03-2002

The YouTube/Google Video plugin that was written by a community member is pretty safe, the developer had input from us to make sure things were buttoned down.  He just hasn’t submitted it to the repository for one reason or another.

My personal opinion is that things such as embed / object tags never belong in entries; that belongs in a template, and the content author would be entering into a field simply a URL, or in the case of YouTube, a unique identifier that the template constructs the URL from.  This is a design pattern that I follow of separating presentation from content, and in this case has the added affordability of security, and not asking content authors to understand the obtuse embed/object markup.

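The pattern Derek describes in the post above, worked through as an added example (not ExpressionEngine, CodeIgniter or plugin code): the entry field holds only a YouTube identifier or watch URL, the template validates it against a strict allow-list and builds the embed markup itself, so no object/embed markup ever needs to pass through the XML-RPC input filter. The function names, the 11-character ID alphabet and the sample field values are assumptions for illustration.

```php
<?php
// Added example, not ExpressionEngine or CodeIgniter code. Function names,
// field layout and the assumed YouTube ID format ([A-Za-z0-9_-]{11}) are
// illustrative assumptions.

/**
 * Validate what a content author typed into the "video" field.
 * Returns the bare video ID on success, or null for anything else
 * (markup, an unrelated URL, an over-long or malformed string).
 */
function youtube_id_from_field(string $raw): ?string
{
    $raw = trim($raw);
    // Case 1: a bare identifier.
    if (preg_match('~^[A-Za-z0-9_-]{11}$~', $raw)) {
        return $raw;
    }
    // Case 2: a watch?v= or youtu.be URL; only the ID is kept.
    $url = '~^https?://(?:www\.)?(?:youtube\.com/watch\?(?:[^#]*&)?v=|youtu\.be/)'
         . '([A-Za-z0-9_-]{11})(?:[&#?].*)?$~';
    if (preg_match($url, $raw, $m)) {
        return $m[1];
    }
    return null;
}

/**
 * Template side: the only author-controlled value in the output is the
 * validated ID, so the entry itself never carries embed/object/iframe markup.
 */
function render_youtube_embed(string $raw): string
{
    $id = youtube_id_from_field($raw);
    if ($id === null) {
        return '<!-- video field rejected: not a YouTube identifier -->';
    }
    $src = 'https://www.youtube.com/embed/' . rawurlencode($id);
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
         . '" width="560" height="315" allowfullscreen></iframe>';
}

// Constructed sample field values: a bare ID, a watch URL with extra
// parameters, and a pasted object tag that the template refuses to render.
$samples = [
    'dQw4w9WgXcQ',
    'https://www.youtube.com/watch?v=dQw4w9WgXcQ&t=42',
    '<object data="video.swf"></object>',
];
foreach ($samples as $s) {
    echo render_youtube_embed($s), "\n";
}
```

The same field can be posted through the web control panel or a remote weblog editor over XML-RPC; in both cases xss_clean sees only a short identifier, so the filtering difference the thread opens with no longer matters.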