From c925b8915299cd033e781fa92d3d48b41967730a Mon Sep 17 00:00:00 2001 From: Gary Pendergast Date: Fri, 14 Dec 2018 03:20:37 +0000 Subject: [PATCH] Embeds: Filter HTML response in oEmbed proxy controller. Adapts the response from `WP_oEmbed_Controller::get_proxy_item()` so that the response is correctly filtered and embeds work properly in JavaScript editors. Introduces new `get_oembed_response_data_for_url()` function for preparing internal oEmbed responses. Merges [43810] from the 5.0 branch to trunk. Props danielbachhuber, imath, swissspidy. Fixes #45142. Built from https://develop.svn.wordpress.org/trunk@44154 git-svn-id: http://core.svn.wordpress.org/trunk@43984 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/class-oembed.php | 6 +- wp-includes/class-wp-oembed-controller.php | 10 + wp-includes/embed.php | 251 +++++++++++---------- wp-includes/version.php | 2 +- 4 files changed, 140 insertions(+), 129 deletions(-) diff --git a/wp-includes/class-oembed.php b/wp-includes/class-oembed.php index e351ba8563..f2eb85e6ee 100644 --- a/wp-includes/class-oembed.php +++ b/wp-includes/class-oembed.php @@ -404,9 +404,9 @@ class WP_oEmbed { * * @since 2.9.0 * - * @param string $data The returned oEmbed HTML. - * @param string $url URL of the content to be embedded. - * @param array $args Optional arguments, usually passed from a shortcode. + * @param string|false $data The returned oEmbed HTML (false if unsafe). + * @param string $url URL of the content to be embedded. + * @param array $args Optional arguments, usually passed from a shortcode. */ return apply_filters( 'oembed_result', $this->data2html( $data, $url ), $url, $args ); } diff --git a/wp-includes/class-wp-oembed-controller.php b/wp-includes/class-wp-oembed-controller.php index b688601cdd..2b08516894 100644 --- a/wp-includes/class-wp-oembed-controller.php +++ b/wp-includes/class-wp-oembed-controller.php 
@@ -181,12 +181,22 @@ final class WP_oEmbed_Controller { $args['height'] = $args['maxheight']; } + // Short-circuit process for URLs belonging to the current site. + $data = get_oembed_response_data_for_url( $url, $args ); + + if ( $data ) { + return $data; + } + $data = _wp_oembed_get_object()->get_data( $url, $args ); if ( false === $data ) { return new WP_Error( 'oembed_invalid_url', get_status_header_desc( 404 ), array( 'status' => 404 ) ); } + /** This filter is documented in wp-includes/class-oembed.php */ + $data->html = apply_filters( 'oembed_result', _wp_oembed_get_object()->data2html( (object) $data, $url ), $url, $args ); + /** * Filters the oEmbed TTL value (time to live). * diff --git a/wp-includes/embed.php b/wp-includes/embed.php index 79305ef4af..976a42ef67 100644 --- a/wp-includes/embed.php +++ b/wp-includes/embed.php @@ -61,13 +61,11 @@ function wp_embed_unregister_handler( $id, $priority = 10 ) { * @return array Default embed parameters. */ function wp_embed_defaults( $url = '' ) { - if ( ! empty( $GLOBALS['content_width'] ) ) { + if ( ! empty( $GLOBALS['content_width'] ) ) $width = (int) $GLOBALS['content_width']; - } - if ( empty( $width ) ) { + if ( empty( $width ) ) $width = 500; - } $height = min( ceil( $width * 1.5 ), 1000 ); @@ -76,7 +74,7 @@ function wp_embed_defaults( $url = '' ) { * * @since 2.9.0 * - * @param int[] $size An array of embed width and height values + * @param array $size An array of embed width and height values * in pixels (in that order). * @param string $url The URL that should be embedded. */ 
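Review bot: In the new `$data->html = apply_filters( 'oembed_result', ... )` line, a `false` result from the filter (the `string|false` case this same commit documents in class-oembed.php, "false if unsafe") is stored straight into the response, so an embed whose HTML was rejected is still answered with a 200 and `html: false` instead of an error. I'd capture the filtered value first and fail the request when it is false, mirroring the `oembed_invalid_url` branch a few lines above: `$html = apply_filters( 'oembed_result', _wp_oembed_get_object()->data2html( (object) $data, $url ), $url, $args );` / `if ( false === $html ) { return new WP_Error( 'oembed_invalid_url', get_status_header_desc( 404 ), array( 'status' => 404 ) ); }` / `$data->html = $html;`. The short-circuit `return $data;` added above it returns the internal response without passing through `oembed_result` at all, which is presumably intentional for the site's own posts but deserves a one-line comment saying so, e.g. `// Internal responses are built by get_oembed_response_data() and are not run through 'oembed_result'.`. `get_proxy_item()` starts and ends outside this hunk.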
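Review bot: The `wp_embed_defaults()` hunk drops the braces from two single-statement `if` bodies (`if ( ! empty( $GLOBALS['content_width'] ) )` and `if ( empty( $width ) )`), which the WordPress PHP coding standards disallow and which the removed lines had in place; the same reversion of brace and alignment cleanups recurs in several other embed.php hunks of this merge. I'd keep the braced form on the new side: `if ( ! empty( $GLOBALS['content_width'] ) ) {` / `$width = (int) $GLOBALS['content_width'];` / `}`. If the reversion is a merge artefact of bringing [43810] from the 5.0 branch into trunk rather than a deliberate choice, it is better handled as a follow-up than landed inside a behavioural fix. `wp_embed_defaults()` ends outside this hunk.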
@@ -133,8 +131,8 @@ function _wp_oembed_get_object() { */ function wp_oembed_add_provider( $format, $provider, $regex = false ) { if ( did_action( 'plugins_loaded' ) ) { - $oembed = _wp_oembed_get_object(); - $oembed->providers[ $format ] = array( $provider, $regex ); + $oembed = _wp_oembed_get_object(); + $oembed->providers[$format] = array( $provider, $regex ); } else { WP_oEmbed::_add_provider_early( $format, $provider, $regex ); } @@ -228,7 +226,7 @@ function wp_maybe_load_embeds() { */ function wp_embed_handler_youtube( $matches, $attr, $url, $rawattr ) { global $wp_embed; - $embed = $wp_embed->autoembed( sprintf( 'https://youtube.com/watch?v=%s', urlencode( $matches[2] ) ) ); + $embed = $wp_embed->autoembed( sprintf( "https://youtube.com/watch?v=%s", urlencode( $matches[2] ) ) ); /** * Filters the YoutTube embed output. @@ -397,13 +395,10 @@ function get_oembed_endpoint_url( $permalink = '', $format = 'json' ) { $url = rest_url( 'oembed/1.0/embed' ); if ( '' !== $permalink ) { - $url = add_query_arg( - array( - 'url' => urlencode( $permalink ), - 'format' => ( 'json' !== $format ) ? $format : false, - ), - $url - ); + $url = add_query_arg( array( + 'url' => urlencode( $permalink ), + 'format' => ( 'json' !== $format ) ? $format : false, + ), $url ); } /** @@ -454,7 +449,7 @@ function get_post_embed_html( $width, $height, $post = null ) { * minified JavaScript. If you need to debug it, please turn on SCRIPT_DEBUG * and edit wp-embed.js directly. */ - $output .= <<1e3)g=1e3;else if(~~g<200)g=200;f.height=g}if("link"===d.message)if(h=b.createElement("a"),i=b.createElement("a"),h.href=f.getAttribute("src"),i.href=d.value,i.host===h.host)if(b.activeElement===f)a.top.location.href=d.value}else;}},d)a.addEventListener("message",a.wp.receiveEmbedMessage,!1),b.addEventListener("DOMContentLoaded",c,!1),a.addEventListener("load",c,!1)}(window,document); JS; } 
@@ -522,13 +517,10 @@ function get_oembed_response_data( $post, $width ) { * @type int $max Maximum width. Default 600. * } */ - $min_max_width = apply_filters( - 'oembed_min_max_width', - array( - 'min' => 200, - 'max' => 600, - ) - ); + $min_max_width = apply_filters( 'oembed_min_max_width', array( + 'min' => 200, + 'max' => 600 + ) ); $width = min( max( $min_max_width['min'], $width ), $min_max_width['max'] ); $height = max( ceil( $width / 16 * 9 ), 200 ); 
@@ -563,6 +555,71 @@ function get_oembed_response_data( $post, $width ) { return apply_filters( 'oembed_response_data', $data, $post, $width, $height ); } + +/** + * Retrieves the oEmbed response data for a given URL. + * + * @since 5.0.0 + * + * @param string $url The URL that should be inspected for discovery `` tags. + * @param array $args oEmbed remote get arguments. + * @return object|false oEmbed response data if the URL does belong to the current site. False otherwise. + */ +function get_oembed_response_data_for_url( $url, $args ) { + $switched_blog = false; + + if ( is_multisite() ) { + $url_parts = wp_parse_args( wp_parse_url( $url ), array( + 'host' => '', + 'path' => '/', + ) ); + + $qv = array( 'domain' => $url_parts['host'], 'path' => '/' ); + + // In case of subdirectory configs, set the path. + if ( ! is_subdomain_install() ) { + $path = explode( '/', ltrim( $url_parts['path'], '/' ) ); + $path = reset( $path ); + + if ( $path ) { + $qv['path'] = get_network()->path . $path . '/'; + } + } + + $sites = get_sites( $qv ); + $site = reset( $sites ); + + if ( $site && (int) $site->blog_id !== get_current_blog_id() ) { + switch_to_blog( $site->blog_id ); + $switched_blog = true; + } + } + + $post_id = url_to_postid( $url ); + + /** This filter is documented in wp-includes/class-wp-oembed-controller.php */ + $post_id = apply_filters( 'oembed_request_post_id', $post_id, $url ); + + if ( ! $post_id ) { + if ( $switched_blog ) { + restore_current_blog(); + } + + return false; + } + + $width = isset( $args['width'] ) ? $args['width'] : 0; + + $data = get_oembed_response_data( $post_id, $width ); + + if ( $switched_blog ) { + restore_current_blog(); + } + + return $data ? (object) $data : false; +} + + /** * Filters the oEmbed response data to return an iframe embed code. * 
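Review bot: In the multisite branch of `get_oembed_response_data_for_url()`, `wp_parse_args()` defaults `host` to `''` and that empty string is still handed to `get_sites()` as the `domain` query var, so a host-less input such as a relative path goes through the site lookup instead of being rejected; I can't see from here how `WP_Site_Query` treats an empty domain, but a same-installation check on a URL with no host should simply return `false`. I'd add `if ( '' === $url_parts['host'] ) { return false; }` right after the `wp_parse_args()` call, before `$qv` is built. The docblock's `@return` says data is returned "if the URL does belong to the current site", yet the branch deliberately calls `switch_to_blog()` for any matching site in the network, so I'd reword it to "if the URL belongs to a site in this installation (the matching network site is switched to and restored)". Nothing in this function checks the resolved post's visibility; that is delegated entirely to `get_oembed_response_data()`, which is worth stating in a comment above `$data = get_oembed_response_data( $post_id, $width );` now that this path is reachable from the proxy endpoint.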
@@ -590,7 +647,7 @@ function get_oembed_response_data_rich( $data, $post, $width, $height ) { if ( 'attachment' === get_post_type( $post ) ) { if ( wp_attachment_is_image( $post ) ) { $thumbnail_id = $post->ID; - } elseif ( wp_attachment_is( 'video', $post ) ) { + } else if ( wp_attachment_is( 'video', $post ) ) { $thumbnail_id = get_post_thumbnail_id( $post ); $data['type'] = 'video'; } @@ -598,9 +655,9 @@ function get_oembed_response_data_rich( $data, $post, $width, $height ) { if ( $thumbnail_id ) { list( $thumbnail_url, $thumbnail_width, $thumbnail_height ) = wp_get_attachment_image_src( $thumbnail_id, array( $width, 99999 ) ); - $data['thumbnail_url'] = $thumbnail_url; - $data['thumbnail_width'] = $thumbnail_width; - $data['thumbnail_height'] = $thumbnail_height; + $data['thumbnail_url'] = $thumbnail_url; + $data['thumbnail_width'] = $thumbnail_width; + $data['thumbnail_height'] = $thumbnail_height; } return $data; @@ -737,7 +794,7 @@ function wp_filter_oembed_result( $result, $data, $url ) { $allowed_html = array( 'a' => array( - 'href' => true, + 'href' => true, ), 'blockquote' => array(), 'iframe' => array( @@ -767,14 +824,14 @@ function wp_filter_oembed_result( $result, $data, $url ) { $secret = wp_generate_password( 10, false ); $url = esc_url( "{$results[2]}#?secret=$secret" ); - $q = $results[1]; + $q = $results[1]; $html = str_replace( $results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html ); $html = str_replace( '%2$s', + $link = sprintf( '%2$s', esc_url( get_permalink() ), /* translators: %s: Name of current post */ sprintf( __( 'Continue reading %s' ), '' . get_the_title() . '' ) 
@@ -882,23 +938,23 @@ function print_embed_styles() { ?> '', - 'path' => '/', - ) - ); - - $qv = array( - 'domain' => $url_parts['host'], - 'path' => '/', - ); - - // In case of subdirectory configs, set the path. - if ( ! is_subdomain_install() ) { - $path = explode( '/', ltrim( $url_parts['path'], '/' ) ); - $path = reset( $path ); - - if ( $path ) { - $qv['path'] = get_network()->path . $path . '/'; - } - } - - $sites = get_sites( $qv ); - $site = reset( $sites ); - - if ( $site && (int) $site->blog_id !== get_current_blog_id() ) { - switch_to_blog( $site->blog_id ); - $switched_blog = true; - } + if ( $data ) { + return _wp_oembed_get_object()->data2html( $data, $url ); } - $post_id = url_to_postid( $url ); - - /** This filter is documented in wp-includes/class-wp-oembed-controller.php */ - $post_id = apply_filters( 'oembed_request_post_id', $post_id, $url ); - - if ( ! $post_id ) { - if ( $switched_blog ) { - restore_current_blog(); - } - - return $result; - } - - $width = isset( $args['width'] ) ? $args['width'] : 0; - - $data = get_oembed_response_data( $post_id, $width ); - $data = _wp_oembed_get_object()->data2html( (object) $data, $url ); - - if ( $switched_blog ) { - restore_current_blog(); - } - - if ( ! $data ) { - return $result; - } - - return $data; + return $result; } diff --git a/wp-includes/version.php b/wp-includes/version.php index 8c27847531..cca28738e1 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -13,7 +13,7 @@ * * @global string $wp_version */ -$wp_version = '5.1-alpha-44153'; +$wp_version = '5.1-alpha-44154'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
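Review bot: In the rewritten `wp_filter_pre_oembed_result()`, the value of `_wp_oembed_get_object()->data2html( $data, $url )` is now returned directly inside `if ( $data ) { ... }`, whereas the removed lines checked `if ( ! $data ) { return $result; }` after the conversion; if `data2html()` yields `false` for this data (as I believe it does for an unrecognised `type`, though that method is not in this diff), the filter now short-circuits with `false` instead of falling back to `$result` as before. I'd keep the guard: `$html = _wp_oembed_get_object()->data2html( $data, $url );` / `if ( $html ) { return $html; }` and leave the trailing `return $result;` as the fallback. The start of this hunk, including the line that assigns `$data`, is garbled in the copy under review, so the enclosing function's head is effectively outside my view.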