WordPress/wp-includes/js/wp-embed.js
Sergey Biryukov 2bc3c9a6d9 Grouped backports to the 4.7 branch.
- Media: Prevent CSRF setting attachment thumbnails.
- Embeds: Add protocol validation for WordPress Embed code.

Merges [55763] and [55764] to the 4.7 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.
Built from https://develop.svn.wordpress.org/branches/4.7@55784


git-svn-id: http://core.svn.wordpress.org/branches/4.7@55296 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2023-05-16 15:47:23 +00:00

128 lines
3.2 KiB
JavaScript

/**
* WordPress inline HTML embed
*
* @since 4.4.0
*
* This file cannot have ampersands in it. This is to ensure
* it can be embedded in older versions of WordPress.
* See https://core.trac.wordpress.org/changeset/35708.
*/
(function ( window, document ) {
'use strict';
var supportedBrowser = false,
loaded = false;
if ( document.querySelector ) {
if ( window.addEventListener ) {
supportedBrowser = true;
}
}
window.wp = window.wp || {};
if ( !! window.wp.receiveEmbedMessage ) {
return;
}
window.wp.receiveEmbedMessage = function( e ) {
var data = e.data;
if ( ! ( data.secret || data.message || data.value ) ) {
return;
}
if ( /[^a-zA-Z0-9]/.test( data.secret ) ) {
return;
}
var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
allowedProtocols = new RegExp( '^https?:$', 'i' ),
i, source, height, sourceURL, targetURL;
for ( i = 0; i < blockquotes.length; i++ ) {
blockquotes[ i ].style.display = 'none';
}
for ( i = 0; i < iframes.length; i++ ) {
source = iframes[ i ];
if ( e.source !== source.contentWindow ) {
continue;
}
source.removeAttribute( 'style' );
/* Resize the iframe on request. */
if ( 'height' === data.message ) {
height = parseInt( data.value, 10 );
if ( height > 1000 ) {
height = 1000;
} else if ( ~~height < 200 ) {
height = 200;
}
source.height = height;
}
/* Link to a specific URL on request. */
if ( 'link' === data.message ) {
sourceURL = document.createElement( 'a' );
targetURL = document.createElement( 'a' );
sourceURL.href = source.getAttribute( 'src' );
targetURL.href = data.value;
/* Only follow link if the protocol is in the allow list. */
if ( ! allowedProtocols.test( targetURL.protocol ) ) {
continue;
}
/* Only continue if link hostname matches iframe's hostname. */
if ( targetURL.host === sourceURL.host ) {
if ( document.activeElement === source ) {
window.top.location.href = data.value;
}
}
}
}
};
function onLoad() {
if ( loaded ) {
return;
}
loaded = true;
var isIE10 = -1 !== navigator.appVersion.indexOf( 'MSIE 10' ),
isIE11 = !!navigator.userAgent.match( /Trident.*rv:11\./ ),
iframes = document.querySelectorAll( 'iframe.wp-embedded-content' ),
iframeClone, i, source, secret;
for ( i = 0; i < iframes.length; i++ ) {
source = iframes[ i ];
if ( ! source.getAttribute( 'data-secret' ) ) {
/* Add secret to iframe */
secret = Math.random().toString( 36 ).substr( 2, 10 );
source.src += '#?secret=' + secret;
source.setAttribute( 'data-secret', secret );
}
/* Remove security attribute from iframes in IE10 and IE11. */
if ( ( isIE10 || isIE11 ) ) {
iframeClone = source.cloneNode( true );
iframeClone.removeAttribute( 'security' );
source.parentNode.replaceChild( iframeClone, source );
}
}
}
if ( supportedBrowser ) {
window.addEventListener( 'message', window.wp.receiveEmbedMessage, false );
document.addEventListener( 'DOMContentLoaded', onLoad, false );
window.addEventListener( 'load', onLoad, false );
}
})( window, document );