diff --git a/wp-admin/about.php b/wp-admin/about.php index 6dedb38b8c..672cc9043a 100644 --- a/wp-admin/about.php +++ b/wp-admin/about.php @@ -45,6 +45,26 @@ include( ABSPATH . 'wp-admin/admin-header.php' );
+ Version %s addressed some security issues.' ), + '4.8.22' + ); + ?> + the release notes.' ), + sprintf( + /* translators: %s: WordPress version */ + esc_url( __( 'https://wordpress.org/support/wordpress-version/version-%s/' ) ), + sanitize_title( '4.8.22' ) + ) + ); + ?> +
";
diff --git a/wp-includes/js/wp-embed.js b/wp-includes/js/wp-embed.js
index 3be0dc7245..d0a372662c 100644
--- a/wp-includes/js/wp-embed.js
+++ b/wp-includes/js/wp-embed.js
@@ -37,6 +37,7 @@
var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+ allowedProtocols = new RegExp( '^https?:$', 'i' ),
i, source, height, sourceURL, targetURL;
for ( i = 0; i < blockquotes.length; i++ ) {
@@ -72,6 +73,11 @@
sourceURL.href = source.getAttribute( 'src' );
targetURL.href = data.value;
+ /* Only follow link if the protocol is in the allow list. */
+ if ( ! allowedProtocols.test( targetURL.protocol ) ) {
+ continue;
+ }
+
/* Only continue if link hostname matches iframe's hostname. */
if ( targetURL.host === sourceURL.host ) {
if ( document.activeElement === source ) {
diff --git a/wp-includes/js/wp-embed.min.js b/wp-includes/js/wp-embed.min.js
index 4d37bce0b5..57e22365c5 100644
--- a/wp-includes/js/wp-embed.min.js
+++ b/wp-includes/js/wp-embed.min.js
@@ -1 +1 @@
-!function(c,d){"use strict";var e=!1,n=!1;if(d.querySelector)if(c.addEventListener)e=!0;if(c.wp=c.wp||{},!c.wp.receiveEmbedMessage)if(c.wp.receiveEmbedMessage=function(e){var t=e.data;if(t.secret||t.message||t.value)if(!/[^a-zA-Z0-9]/.test(t.secret)){for(var r,a,i,s=d.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),n=d.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),o=0;o