Embeds: Add a CDATA and HTML comment wrapper around the JavaScript included in the embed HTML. This ensures that user agents which naively strip unwanted tags, without also stripping the content within those tages (for example, Slack), don't show the embed as a mess of JavaScript.

Props peterwilsoncc.

Fixes #34429.


Built from https://develop.svn.wordpress.org/trunk@35406


git-svn-id: http://core.svn.wordpress.org/trunk@35370 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Gary Pendergast 2015-10-26 23:55:26 +00:00
parent 1acf9e9e49
commit 1f8e6268d3
2 changed files with 3 additions and 1 deletions

View File

@ -466,6 +466,7 @@ function get_post_embed_html( $post = null, $width, $height ) {
$embed_url = get_post_embed_url( $post );
$output = "<script type='text/javascript'>\n";
$output .= "<!--//--><![CDATA[//><!--\n";
if ( SCRIPT_DEBUG ) {
$output .= file_get_contents( ABSPATH . WPINC . '/js/wp-embed.js' );
} else {
@ -483,6 +484,7 @@ function get_post_embed_html( $post = null, $width, $height ) {
!function(a,b){"use strict";function c(){var a=-1!==navigator.appVersion.indexOf("MSIE 10"),c=!!navigator.userAgent.match(/Trident.*rv\:11\./);if(a||c)for(var d,e=b.querySelectorAll(".wp-embedded-content[security]"),f=0;f<e.length;f++)d=e[f].cloneNode(!0),d.removeAttribute("security"),e[f].parentNode.insertBefore(d,e[f].nextSibling),e[f].parentNode.removeChild(e[f])}a.wp=a.wp||{},a.wp.receiveEmbedMessage||(a.wp.receiveEmbedMessage=function(c){var d=c.data;if(d.secret||d.message||d.value)for(var e=b.querySelectorAll('.wp-embedded-content[data-secret="'+d.secret+'"]'),f=0;f<e.length;f++){var g=e[f];if("height"===d.message){var h=d.value;h>1e3?h=1e3:200>h&&(h=200),g.height=h+"px"}if("link"===d.message){var i=b.createElement("a"),j=b.createElement("a");i.href=g.getAttribute("src"),j.href=d.value,j.host===i.host&&b.activeElement===g&&(a.top.location.href=d.value)}}},a.addEventListener("message",a.wp.receiveEmbedMessage,!1),b.addEventListener("DOMContentLoaded",c,!1))}(window,document);
JS;
}
$output .= "\n//--><!]]>";
$output .= "\n</script>";
$output .= sprintf(

View File

@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.4-beta1-35405';
$wp_version = '4.4-beta1-35406';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.