Commit Graph

17 Commits

Author SHA1 Message Date
audrasjb d81f522a57 Embeds: Add protocol validation for WordPress Embed code.
Validate that links within auto-discovered embeds are using the `http` or `https` protocols before following links.

Props xknown, dd32, peterwilsoncc.


Built from https://develop.svn.wordpress.org/trunk@55763


git-svn-id: http://core.svn.wordpress.org/trunk@55275 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-05-16 14:25:21 +00:00
Weston Ruter 9038612705 Embeds: Conditionally enqueue `wp-embed` only if needed and send `ready` message in case script loads after post embed windows.
* Prevent loading `wp-embed` script unconditionally on every page in favor of conditionally enqueueing when a post embed is detected. The `wp-embed` script is also explicitly marked as being in the footer group. Sites which currently disable post embed scripts from being enqueued via `remove_action( 'wp_head', 'wp_oembed_add_host_js' )` will continue to do so.
* Send a `ready` message from the host page to each post embed window in case the `iframe` loads before the `wp-embed` script does. When the `ready` message is received by the post embed window, it sends the same `height` message as it sends when it loads.
* Eliminate use of `grunt-include` to inject emoji script and the post embed script. Instead obtain the script contents via `file_get_contents()` (as is done elsewhere in core) and utilize `wp_print_inline_script_tag()`/`wp_get_inline_script_tag()` to construct out the script. This simplifies the logic and allows the running of src without `SCRIPT_DEBUG` enabled.
* For the embed code that users are provided to copy for embedding outside of WP, add the `secret` on the `blockquote` and `iframe`. This ensures the `blockquote` will be hidden when the `iframe` loads. The embed code in question is accessed here via `get_post_embed_html()`.

Props westonruter, swissspidy, pento, flixos90, ocean90.
Fixes #44632, #44306.

Built from https://develop.svn.wordpress.org/trunk@52132


git-svn-id: http://core.svn.wordpress.org/trunk@51724 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-11-11 02:49:18 +00:00
Sergey Biryukov e1b0d4ed7a Embeds: After [43593], move the new check to a separate line to avoid `test_js_no_ampersands_in_compiled` failure caused by UglifyJS task.
See #44832.
Built from https://develop.svn.wordpress.org/trunk@43597


git-svn-id: http://core.svn.wordpress.org/trunk@43426 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-08-30 12:40:26 +00:00
Sergey Biryukov 07e2fba981 Embeds: Avoid a JS error in `wp.receiveEmbedMessage` if `data` parameter is not set.
Props dsifford, kadamwhite.
Fixes #44832.
Built from https://develop.svn.wordpress.org/trunk@43593


git-svn-id: http://core.svn.wordpress.org/trunk@43422 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-08-30 10:30:24 +00:00
atimmer bde558be2f Docs: Add file doc `@output` annotations.
These annotations make it clear to the reader of a JavaScript source
where the build process outputs to. These annotations can later be
integrated in a webpack configuration. This way there is one source of
truth.

The `build` folder is omitted from the paths, because a single JS file
shouldn't not be responsible of knowing where outputs in general will
end up at. A file only knows its output location relative to the
project.

Props adamsilverstein, herregroen, omarreiss, pento.
Fixes #44361.

Built from https://develop.svn.wordpress.org/trunk@43347


git-svn-id: http://core.svn.wordpress.org/trunk@43175 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-06-28 02:30:15 +00:00
Adam Silverstein 8a23b80b56 Docs: JSDoc improvements for namespaces.
Improve JS parsing of our inline JSDocs by introducing `@namespace`, `@lends` and `@memberOf`. Helps set the way for showing our JavaScript documentation on developer.wordpress.org, see https://meta.trac.wordpress.org/ticket/3063.

* Define all used namespaces using @namespace.
* Correctly specify in which namespace each class is using @memberOf.
* Define each usage of the extend function as a prototype assignment using @lends.
* Some comment blocks were moved to correct the parsing of certain definitions. 

Props herregroen, atimmer, netweb, SergeyBiryukov.  
Fixes #41682.

Built from https://develop.svn.wordpress.org/trunk@41351


git-svn-id: http://core.svn.wordpress.org/trunk@41184 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-09-08 18:42:49 +00:00
Pascal Birchler 98e8bf7ba2 Embeds: Correctly remove security attribute from iframes in IE 10 and IE 11.
This was originally added in 4.4, but presumably broke with [35708], which prevented these browsers from actually reaching the relevant code section.
Let's make embeds work again in IE 10 and IE 11.

Fixes #38694.
Built from https://develop.svn.wordpress.org/trunk@39347


git-svn-id: http://core.svn.wordpress.org/trunk@39287 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-11-23 13:38:33 +00:00
Pascal Birchler 0425e01d21 Embeds: Use a more accessible way to initially hide the iframe.
This fixes a bug in Firefox where assets inside the iframe aren't being displayed because they have no computed style.

See #35894.
Built from https://develop.svn.wordpress.org/trunk@36708


git-svn-id: http://core.svn.wordpress.org/trunk@36675 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-25 10:23:27 +00:00
Pascal Birchler 383c422527 Embeds: Only display an iframe when it was successfully loaded.
This prevents showing a blank iframe by first checking if a message was successfully received from it.

Fixes #35894.
Built from https://develop.svn.wordpress.org/trunk@36648


git-svn-id: http://core.svn.wordpress.org/trunk@36615 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-23 20:23:25 +00:00
Andrew Nacin 9834e9993a Embeds: Enforce, via unit tests, the no-ampersand rule for wp-embed.js.
fixes #34698.

Built from https://develop.svn.wordpress.org/trunk@35762


git-svn-id: http://core.svn.wordpress.org/trunk@35726 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-04 05:46:25 +00:00
Scott Taylor 8cf8e2c66d WP oEmbed: validate the `secret` send via `postMessage` in `wp.receiveEmbedMessage`. Also, compare `window` instances.
In the data sent to us from the embedded iframe by postMessage(), the secret value is being used directly in a document.querySelectorAll() call without first being validated or escaped.

In theory, this could lead to some broken embeds.

Props mdawaffe.
Fixes #34831.

Built from https://develop.svn.wordpress.org/trunk@35761


git-svn-id: http://core.svn.wordpress.org/trunk@35725 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-12-03 20:17:25 +00:00
Gary Pendergast 603d3c0013 Embeds: Remove `&` characters from the inline embed JS.
Older versions of WordPress will convert those `&` characters to `&`, which makes for some non-functional JS. If folks are running an older release, let's not make their lives more difficult than it already is.

Props pento, peterwilsoncc.

See #34698.


Built from https://develop.svn.wordpress.org/trunk@35708


git-svn-id: http://core.svn.wordpress.org/trunk@35672 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-19 23:06:26 +00:00
Gary Pendergast a2349a2377 Embeds: Fix support for embedding in non-WordPress sites.
This moves the last of the iframe message code from PHP to JavaScript, so it can be included in any site, without needing to rely on any of WordPress' internal behaviour.

Props swissspidy.

Fixes #34451.


Built from https://develop.svn.wordpress.org/trunk@35577


git-svn-id: http://core.svn.wordpress.org/trunk@35541 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-09 00:08:27 +00:00
Scott Taylor 382d455235 WP oEmbed: Improve height attribute sanitization
Props afercia, swissspidy.
Fixes #34527.

Built from https://develop.svn.wordpress.org/trunk@35478


git-svn-id: http://core.svn.wordpress.org/trunk@35442 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-31 20:39:25 +00:00
Gary Pendergast 21393df10e Embeds: Add fallbacks for IE7-9.
Older IE versions need just that little bit of extra tender care to keep them going.

Props peterwilsoncc, swissspidy, pento.

Fixes #34204.


Built from https://develop.svn.wordpress.org/trunk@35466


git-svn-id: http://core.svn.wordpress.org/trunk@35430 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-31 04:38:25 +00:00
Gary Pendergast 368e5f9fc3 Embeds: Provide a cached text fallback.
Sometimes, embedded sites might suffer from less than 100% uptime. Instead of leaving the embedding site with a big blank space where the embed should be, let's fall back to a link to the embedded post, so there's at least some context for the post.

Fixes #34462.


Built from https://develop.svn.wordpress.org/trunk@35437


git-svn-id: http://core.svn.wordpress.org/trunk@35401 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-29 23:11:24 +00:00
Sergey Biryukov a908d2d4b1 Embeds: Rename files, functions, and hooks added in [34903] to make it more clear what is oEmbed-specific and what isn't.
See https://core.trac.wordpress.org/ticket/34272#comment:7 for full list of renamed functions and hooks.

Props swissspidy.
Fixes #34272.
Built from https://develop.svn.wordpress.org/trunk@35235


git-svn-id: http://core.svn.wordpress.org/trunk@35201 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-17 01:21:25 +00:00