REST API: Add endpoint for proxying requests to external oEmbed providers.

This endpoint is a prerequisite for the media widgets work (see https://github.com/xwp/wp-core-media-widgets).

Also use the new endpoint in the media modal instead of the `parse-embed` AJAX action.

Props westonruter, timmydcrawford, swissspidy, jnylen0.
Fixes #40450.

Built from https://develop.svn.wordpress.org/trunk@40628


git-svn-id: http://core.svn.wordpress.org/trunk@40489 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/class-oembed.php

@@ -318,6 +318,36 @@ class WP_oEmbed {
 		self::$early_providers['remove'][] = $format;
 	}
 
+	/**
+	 * Takes a URL and attempts to return the oEmbed data.
+	 *
+	 * @see WP_oEmbed::fetch()
+	 *
+	 * @since 4.8.0
+	 * @access public
+	 *
+	 * @param string       $url  The URL to the content that should be attempted to be embedded.
+	 * @param array|string $args Optional. Arguments, usually passed from a shortcode. Default empty.
+	 * @return false|object False on failure, otherwise the result in the form of an object.
+	 */
+	public function get_data( $url, $args = '' ) {
+		$args = wp_parse_args( $args );
+
+		$provider = $this->get_provider( $url, $args );
+
+		if ( ! $provider ) {
+			return false;
+		}
+
+		$data = $this->fetch( $provider, $url, $args );
+
+		if ( false === $data ) {
+			return false;
+		}
+
+		return $data;
+	}
+
 	/**
 	 * The do-it-all function that takes a URL and attempts to return the HTML.
 	 *
@@ -332,8 +362,6 @@ class WP_oEmbed {
 	 * @return false|string False on failure, otherwise the UNSANITIZED (and potentially unsafe) HTML that should be used to embed.
 	 */
 	public function get_html( $url, $args = '' ) {
-		$args = wp_parse_args( $args );
-
 		/**
 		 * Filters the oEmbed result before any HTTP requests are made.
 		 *
@@ -355,9 +383,9 @@ class WP_oEmbed {
 			return $pre;
 		}
 
-		$provider = $this->get_provider( $url, $args );
+		$data = $this->get_data( $url, $args );
 
-		if ( ! $provider || false === $data = $this->fetch( $provider, $url, $args ) ) {
+		if ( false === $data ) {
 			return false;
 		}
 

wp-includes/class-wp-oembed-controller.php

@@ -52,10 +52,51 @@ final class WP_oEmbed_Controller {
 				),
 			),
 		) );
+
+		register_rest_route( 'oembed/1.0', '/proxy', array(
+			array(
+				'methods'  => WP_REST_Server::READABLE,
+				'callback' => array( $this, 'get_proxy_item' ),
+				'permission_callback' => array( $this, 'get_proxy_item_permissions_check' ),
+				'args'     => array(
+					'url'      => array(
+						'description'       => __( 'The URL of the resource for which to fetch oEmbed data.' ),
+						'type'              => 'string',
+						'required'          => true,
+						'sanitize_callback' => 'esc_url_raw',
+					),
+					'format'   => array(
+						'description'       => __( 'The oEmbed format to use.' ),
+						'type'              => 'string',
+						'default'           => 'json',
+						'enum'              => array(
+							'json',
+							'xml',
+						),
+					),
+					'maxwidth' => array(
+						'description'       => __( 'The maximum width of the embed frame in pixels.' ),
+						'type'              => 'integer',
+						'default'           => $maxwidth,
+						'sanitize_callback' => 'absint',
+					),
+					'maxheight' => array(
+						'description'       => __( 'The maximum height of the embed frame in pixels.' ),
+						'type'              => 'integer',
+						'sanitize_callback' => 'absint',
+					),
+					'discover' => array(
+						'description'       => __( 'Whether to perform an oEmbed discovery request for non-whitelisted providers.' ),
+						'type'              => 'boolean',
+						'default'           => true,
+					),
+				),
+			),
+		) );
 	}
 
 	/**
-	 * Callback for the API endpoint.
+	 * Callback for the embed API endpoint.
 	 *
 	 * Returns the JSON object for the post.
 	 *
@@ -86,4 +127,69 @@ final class WP_oEmbed_Controller {
 
 		return $data;
 	}
+
+	/**
+	 * Checks if current user can make a proxy oEmbed request.
+	 *
+	 * @since 4.8.0
+	 * @access public
+	 *
+	 * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
+	 */
+	public function get_proxy_item_permissions_check() {
+		if ( ! current_user_can( 'edit_posts' ) ) {
+			return new WP_Error( 'rest_forbidden', __( 'Sorry, you are not allowed to make proxied oEmbed requests.' ), array( 'status' => rest_authorization_required_code() ) );
+		}
+		return true;
+	}
+
+	/**
+	 * Callback for the proxy API endpoint.
+	 *
+	 * Returns the JSON object for the proxied item.
+	 *
+	 * @since 4.8.0
+	 * @access public
+	 *
+	 * @see WP_oEmbed::get_html()
+	 * @param WP_REST_Request $request Full data about the request.
+	 * @return WP_Error|array oEmbed response data or WP_Error on failure.
+	 */
+	public function get_proxy_item( $request ) {
+		$args = $request->get_params();
+
+		// Serve oEmbed data from cache if set.
+		$cache_key = 'oembed_' . md5( serialize( $args ) );
+		$data = get_transient( $cache_key );
+		if ( ! empty( $data ) ) {
+			return $data;
+		}
+
+		$url = $request['url'];
+		unset( $args['url'] );
+
+		$data = _wp_oembed_get_object()->get_data( $url, $args );
+
+		if ( false === $data ) {
+			return new WP_Error( 'oembed_invalid_url', get_status_header_desc( 404 ), array( 'status' => 404 ) );
+		}
+
+		/**
+		 * Filters the oEmbed TTL value (time to live).
+		 *
+		 * Similar to the {@see 'oembed_ttl'} filter, but for the REST API
+		 * oEmbed proxy endpoint.
+		 *
+		 * @since 4.8.0
+		 *
+		 * @param int    $time    Time to live (in seconds).
+		 * @param string $url     The attempted embed URL.
+		 * @param array  $args    An array of embed request arguments.
+		 */
+		$ttl = apply_filters( 'rest_oembed_ttl', DAY_IN_SECONDS, $url, $args );
+
+		set_transient( $cache_key, $data, $ttl );
+
+		return $data;
+	}
 }

wp-includes/js/media-views.js

@@ -4624,7 +4624,6 @@ EmbedLink = wp.media.view.Settings.extend({
 	}, wp.media.controller.Embed.sensitivity ),
 
 	fetch: function() {
-		var embed;
 
 		// check if they haven't typed in 500 ms
 		if ( $('#embed-url-field').val() !== this.model.get('url') ) {
@@ -4635,23 +4634,25 @@ EmbedLink = wp.media.view.Settings.extend({
 			this.dfd.abort();
 		}
 
-		embed = new wp.shortcode({
-			tag: 'embed',
-			attrs: _.pick( this.model.attributes, [ 'width', 'height', 'src' ] ),
-			content: this.model.get('url')
-		});
-
 		this.dfd = $.ajax({
-			type:    'POST',
-			url:     wp.ajax.settings.url,
-			context: this,
-			data:    {
-				action: 'parse-embed',
-				post_ID: wp.media.view.settings.post.id,
-				shortcode: embed.string()
-			}
+			url: wp.media.view.settings.oEmbedProxyUrl,
+			data: {
+				url: this.model.get( 'url' ),
+				maxwidth: this.model.get( 'width' ),
+				maxheight: this.model.get( 'height' ),
+				_wpnonce: wp.media.view.settings.nonce.wpRestApi
+			},
+			type: 'GET',
+			dataType: 'json',
+			context: this
 		})
-			.done( this.renderoEmbed )
+			.done( function( response ) {
+				this.renderoEmbed( {
+					data: {
+						body: response.html || ''
+					}
+				} );
+			} )
 			.fail( this.renderFail );
 	},
 

wp-includes/media.php

@@ -3414,6 +3414,7 @@ function wp_enqueue_media( $args = array() ) {
 		'captions'  => ! apply_filters( 'disable_captions', '' ),
 		'nonce'     => array(
 			'sendToEditor' => wp_create_nonce( 'media-send-to-editor' ),
+			'wpRestApi'    => wp_create_nonce( 'wp_rest' ),
 		),
 		'post'    => array(
 			'id' => 0,
@@ -3423,6 +3424,7 @@ function wp_enqueue_media( $args = array() ) {
 			'audio' => ( $show_audio_playlist ) ? 1 : 0,
 			'video' => ( $show_video_playlist ) ? 1 : 0,
 		),
+		'oEmbedProxyUrl' => rest_url( 'oembed/1.0/proxy' ),
 		'embedExts'    => $exts,
 		'embedMimes'   => $ext_mimes,
 		'contentWidth' => $content_width,

wp-includes/version.php

@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.8-alpha-40627';
+$wp_version = '4.8-alpha-40628';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.