Secure embeds in the editor (first run):

- When the user pastes an embeddable http URL, try to get the https embed.
- If an embed provider doesn't support ssl embeds, show a placeholder/error message.
- Revise the way we return error messages.
See #28195, #28507.
Built from https://develop.svn.wordpress.org/trunk@28919


git-svn-id: http://core.svn.wordpress.org/trunk@28718 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/includes/ajax-actions.php

@@ -2547,17 +2547,50 @@ function wp_ajax_parse_embed() {
 		wp_send_json_error();
 	}
 
-	if ( empty( $_POST['shortcode'] ) || ! current_user_can( 'read_post', $post->ID ) ) {
+	if ( empty( $_POST['shortcode'] ) || ! current_user_can( 'edit_post', $post->ID ) ) {
 		wp_send_json_error();
 	}
 
+	$shortcode = $_POST['shortcode'];
+	$url = str_replace( '[embed]', '', str_replace( '[/embed]', '', $shortcode ) );
+	$parsed = false;
 	setup_postdata( $post );
 
-	// If the URL cannot be embedded, return an eror message with wp_send_json_error()
-	add_filter( 'embed_maybe_make_link', '_wpview_embed_error', 20, 2 );
+	$wp_embed->return_false_on_fail = true;
 
-	$parsed = $wp_embed->run_shortcode( $_POST['shortcode'] );
+	if ( is_ssl() && preg_match( '%^\\[embed\\]http://%i', $shortcode ) ) {
+		// Admin is ssl and the user pasted non-ssl URL.
+		// Check if the provider supports ssl embeds and use that for the preview.
+		$ssl_shortcode = preg_replace( '%^\\[embed\\]http://%i', '[embed]https://', $shortcode );
+		$parsed = $wp_embed->run_shortcode( $ssl_shortcode );
+
+		if ( ! $parsed ) {
+			$no_ssl_support = true;
+		}
+	}
+
+	if ( ! $parsed ) {
+		$parsed = $wp_embed->run_shortcode( $shortcode );
+	}
+
+	if ( ! $parsed ) {
+		wp_send_json_error( array(
+			'type' => 'not-embeddable',
+			'message' => sprintf( __( '%s failed to embed.' ), '<code>' . esc_url( $url ) . '</code>' ),
+		) );
+	}
+
+	// TODO: needed?
 	$parsed = do_shortcode( $parsed );
 
+	if ( ! empty( $no_ssl_support ) || ( is_ssl() && ( preg_match( '%<(iframe|script|embed) [^>]*src="http://%', $parsed ) ||
+		preg_match( '%<link [^>]*href="http://%', $parsed ) ) ) ) {
+		// Admin is ssl and the embed is not. Iframes, scripts, and other "active content" will be blocked.
+		wp_send_json_error( array(
+			'type' => 'not-ssl',
+			'message' => sprintf( __( 'Preview not available. %s cannot be embedded securely.' ), '<code>' . esc_url( $url ) . '</code>' ),
+		) );
+	}
+
 	wp_send_json_success( $parsed );
 }

wp-admin/includes/misc.php

@@ -824,15 +824,3 @@ function heartbeat_autosave( $response, $data ) {
 }
 // Run later as we have to set DOING_AUTOSAVE for back-compat
 add_filter( 'heartbeat_received', 'heartbeat_autosave', 500, 2 );
-
-/**
- * Send error message when an URL cannot be embedded. Used in wp_ajax_parse_embed().
- *
- * @access private
- * @since 4.0
- */
-function _wpview_embed_error( $output, $url ) {
-	wp_send_json_error( array(
-		'message' => sprintf( __( '%s failed to embed.' ), esc_url( $url ) ),
-	) );
-}

wp-includes/class-wp-embed.php

@@ -12,6 +12,12 @@ class WP_Embed {
 	public $usecache = true;
 	public $linkifunknown = true;
 
+	/**
+	 * When an URL cannot be embedded, return false instead of returning a link
+	 * or the URL. Bypasses the 'embed_maybe_make_link' filter.
+	 */	 	 	
+	public $return_false_on_fail = false;
+
 	/**
 	 * Constructor
 	 */
@@ -322,6 +328,10 @@ class WP_Embed {
 	 * @return string Linked URL or the original URL.
 	 */
 	public function maybe_make_link( $url ) {
+		if ( $this->return_false_on_fail ) {
+			return false;
+		}
+
 		$output = ( $this->linkifunknown ) ? '<a href="' . esc_url($url) . '">' . esc_html($url) . '</a>' : $url;
 
 		/**

wp-includes/js/mce-view.js

@@ -737,7 +737,9 @@ window.wp = window.wp || {};
 			} )
 			.fail( function( response ) {
 				if ( response && response.message ) {
-					if ( self.type === 'embed' ) {
+					if ( ( response.type === 'not-embeddable' && self.type === 'embed' ) ||
+						response.type === 'not-ssl' ) {
+
 						self.setError( response.message, 'admin-media' );
 					} else {
 						self.setContent( '<p>' + self.original + '</p>', null, true );