Commit Graph

10 Commits

Author SHA1 Message Date
Sergey Biryukov c9f57045c7 Grouped backports to the 4.4 branch.
- Media: Prevent CSRF setting attachment thumbnails.
- Embeds: Add protocol validation for WordPress Embed code.

Merges [55763] and [55764] to the 4.4 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.
Built from https://develop.svn.wordpress.org/branches/4.4@55779


git-svn-id: http://core.svn.wordpress.org/branches/4.4@55291 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-05-16 15:38:21 +00:00
desrosj a64be2cd83 Build/Test Tools: Support NodeJS 14.x in the 4.4 branch.
This updates the 4.4 branch to support the latest LTS version of NodeJS (currently 14.x), allowing the same version to be used across all WordPress branches that receive security updates as a courtesy.

Because older branches use (really) old versions of NodeJS, the local Docker environment cannot be backported since the needed dependencies will not run on these older versions (see #48301). This also blocks the ability to move automated testing over to GitHub Actions (see #50401).

This also replaces the `npm-shrinkwrap.json` with a `package-lock.json` file. Lock files were not supported in earlier versions of NPM, but can now be used.

In addition to backporting the package updates that happened after branching 4.4, dependencies that were removed in future releases have also been updated to their latest versions.

Props desrosj, dd32, netweb, jorbin.
Merges [35859,35862,36860-36865,36935,36978-36979,37017,37019-37020,37212,37612,38111,38688,39110,39113-39119,39478,42460-42461,42463,42887,43320,43323,43977,44219,44233,44728,45321,45765,46404,46408-46409,47404,47867-47869,47872-47873,48705,49636,49933,49937,49939,50017,50126,50176,50185,50192] to the 4.4 branch.
See #52341.
Built from https://develop.svn.wordpress.org/branches/4.4@50210


git-svn-id: http://core.svn.wordpress.org/branches/4.4@49881 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-02-05 04:23:43 +00:00
Aaron Campbell 78462a6178 oEmbed: Add extra hardening around allowed HTML for improved sandboxing.
Merges [41448] to 4.4 branch.


Built from https://develop.svn.wordpress.org/branches/4.4@41455


git-svn-id: http://core.svn.wordpress.org/branches/4.4@41288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-19 13:51:01 +00:00
Dominik Schilling 3f478808ae Embeds: URL encode YouTube video IDs for broader compatibility.
Merge of [40160] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@40164


git-svn-id: http://core.svn.wordpress.org/branches/4.4@40103 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-03-06 12:06:34 +00:00
Pascal Birchler 0a517e47ec Embeds: Improve performance when embedding a post from the current site.
When the post being embedded is from the same site, there's no reason to do an HTTP request for it. The data can be fetched directly using `get_oembed_response_data()`.

Merge of [37708], [37710] and [37729] to the 4.4 branch.

Fixes #36767.
Built from https://develop.svn.wordpress.org/branches/4.4@37798


git-svn-id: http://core.svn.wordpress.org/branches/4.4@37763 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:42:29 +00:00
Pascal Birchler eb51235b19 Embeds: Improve how iframes are loaded after being initially hidden.
Use a more accessible way to initially hide the iframe. After that, only display an iframe when it was successfully loaded.

Merge of [36648] and [36708] to the 4.4 branch.

Fixes #35894.
Built from https://develop.svn.wordpress.org/branches/4.4@37093


git-svn-id: http://core.svn.wordpress.org/branches/4.4@37060 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-30 10:57:27 +00:00
Gary Pendergast 9f78d3f9c3 Embeds: Don't show embed discovery link on a static front page.
There's currently no iframe content being generated for a static front page. Giving out a link to that isn't an ideal user experience.

Props peterwilsoncc.

Merge of [36059] to the 4.4 branch.

Fixes #35194.


Built from https://develop.svn.wordpress.org/branches/4.4@36060


git-svn-id: http://core.svn.wordpress.org/branches/4.4@36025 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-22 10:55:26 +00:00
Scott Taylor 8cf8e2c66d WP oEmbed: validate the `secret` send via `postMessage` in `wp.receiveEmbedMessage`. Also, compare `window` instances.
In the data sent to us from the embedded iframe by postMessage(), the secret value is being used directly in a document.querySelectorAll() call without first being validated or escaped.

In theory, this could lead to some broken embeds.

Props mdawaffe.
Fixes #34831.

Built from https://develop.svn.wordpress.org/trunk@35761


git-svn-id: http://core.svn.wordpress.org/trunk@35725 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-03 20:17:25 +00:00
Dominik Schilling 22fe87c3b3 Build: Update source for `includes:embed` after [35718].
See #33413.
Built from https://develop.svn.wordpress.org/trunk@35720


git-svn-id: http://core.svn.wordpress.org/trunk@35684 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-20 15:37:26 +00:00
Andrew Nacin 1579e45d41 Simplify the include graph after work to split out classes.
see #33413. More details there.

Built from https://develop.svn.wordpress.org/trunk@35718


git-svn-id: http://core.svn.wordpress.org/trunk@35682 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-20 07:24:30 +00:00