mirror of
https://github.com/WordPress/WordPress.git
synced 2024-12-23 01:27:36 +01:00
Secure embeds in the editor (first run):
- When the user pastes an embeddable http URL, try to get the https embed. - If an embed provider doesn't support ssl embeds, show a placeholder/error message. - Revise the way we return error messages. See #28195, #28507. Built from https://develop.svn.wordpress.org/trunk@28919 git-svn-id: http://core.svn.wordpress.org/trunk@28718 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
c97a364b79
commit
5168f9c7c6
@ -2547,17 +2547,50 @@ function wp_ajax_parse_embed() {
|
||||
wp_send_json_error();
|
||||
}
|
||||
|
||||
if ( empty( $_POST['shortcode'] ) || ! current_user_can( 'read_post', $post->ID ) ) {
|
||||
if ( empty( $_POST['shortcode'] ) || ! current_user_can( 'edit_post', $post->ID ) ) {
|
||||
wp_send_json_error();
|
||||
}
|
||||
|
||||
$shortcode = $_POST['shortcode'];
|
||||
$url = str_replace( '[embed]', '', str_replace( '[/embed]', '', $shortcode ) );
|
||||
$parsed = false;
|
||||
setup_postdata( $post );
|
||||
|
||||
// If the URL cannot be embedded, return an eror message with wp_send_json_error()
|
||||
add_filter( 'embed_maybe_make_link', '_wpview_embed_error', 20, 2 );
|
||||
$wp_embed->return_false_on_fail = true;
|
||||
|
||||
$parsed = $wp_embed->run_shortcode( $_POST['shortcode'] );
|
||||
if ( is_ssl() && preg_match( '%^\\[embed\\]http://%i', $shortcode ) ) {
|
||||
// Admin is ssl and the user pasted non-ssl URL.
|
||||
// Check if the provider supports ssl embeds and use that for the preview.
|
||||
$ssl_shortcode = preg_replace( '%^\\[embed\\]http://%i', '[embed]https://', $shortcode );
|
||||
$parsed = $wp_embed->run_shortcode( $ssl_shortcode );
|
||||
|
||||
if ( ! $parsed ) {
|
||||
$no_ssl_support = true;
|
||||
}
|
||||
}
|
||||
|
||||
if ( ! $parsed ) {
|
||||
$parsed = $wp_embed->run_shortcode( $shortcode );
|
||||
}
|
||||
|
||||
if ( ! $parsed ) {
|
||||
wp_send_json_error( array(
|
||||
'type' => 'not-embeddable',
|
||||
'message' => sprintf( __( '%s failed to embed.' ), '<code>' . esc_url( $url ) . '</code>' ),
|
||||
) );
|
||||
}
|
||||
|
||||
// TODO: needed?
|
||||
$parsed = do_shortcode( $parsed );
|
||||
|
||||
if ( ! empty( $no_ssl_support ) || ( is_ssl() && ( preg_match( '%<(iframe|script|embed) [^>]*src="http://%', $parsed ) ||
|
||||
preg_match( '%<link [^>]*href="http://%', $parsed ) ) ) ) {
|
||||
// Admin is ssl and the embed is not. Iframes, scripts, and other "active content" will be blocked.
|
||||
wp_send_json_error( array(
|
||||
'type' => 'not-ssl',
|
||||
'message' => sprintf( __( 'Preview not available. %s cannot be embedded securely.' ), '<code>' . esc_url( $url ) . '</code>' ),
|
||||
) );
|
||||
}
|
||||
|
||||
wp_send_json_success( $parsed );
|
||||
}
|
||||
|
@ -824,15 +824,3 @@ function heartbeat_autosave( $response, $data ) {
|
||||
}
|
||||
// Run later as we have to set DOING_AUTOSAVE for back-compat
|
||||
add_filter( 'heartbeat_received', 'heartbeat_autosave', 500, 2 );
|
||||
|
||||
/**
|
||||
* Send error message when an URL cannot be embedded. Used in wp_ajax_parse_embed().
|
||||
*
|
||||
* @access private
|
||||
* @since 4.0
|
||||
*/
|
||||
function _wpview_embed_error( $output, $url ) {
|
||||
wp_send_json_error( array(
|
||||
'message' => sprintf( __( '%s failed to embed.' ), esc_url( $url ) ),
|
||||
) );
|
||||
}
|
||||
|
@ -12,6 +12,12 @@ class WP_Embed {
|
||||
public $usecache = true;
|
||||
public $linkifunknown = true;
|
||||
|
||||
/**
|
||||
* When an URL cannot be embedded, return false instead of returning a link
|
||||
* or the URL. Bypasses the 'embed_maybe_make_link' filter.
|
||||
*/
|
||||
public $return_false_on_fail = false;
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
*/
|
||||
@ -322,6 +328,10 @@ class WP_Embed {
|
||||
* @return string Linked URL or the original URL.
|
||||
*/
|
||||
public function maybe_make_link( $url ) {
|
||||
if ( $this->return_false_on_fail ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$output = ( $this->linkifunknown ) ? '<a href="' . esc_url($url) . '">' . esc_html($url) . '</a>' : $url;
|
||||
|
||||
/**
|
||||
|
@ -737,7 +737,9 @@ window.wp = window.wp || {};
|
||||
} )
|
||||
.fail( function( response ) {
|
||||
if ( response && response.message ) {
|
||||
if ( self.type === 'embed' ) {
|
||||
if ( ( response.type === 'not-embeddable' && self.type === 'embed' ) ||
|
||||
response.type === 'not-ssl' ) {
|
||||
|
||||
self.setError( response.message, 'admin-media' );
|
||||
} else {
|
||||
self.setContent( '<p>' + self.original + '</p>', null, true );
|
||||
|
2
wp-includes/js/mce-view.min.js
vendored
2
wp-includes/js/mce-view.min.js
vendored
File diff suppressed because one or more lines are too long
Loading…
Reference in New Issue
Block a user