mirror of
https://github.com/WordPress/WordPress.git
synced 2024-12-25 02:27:50 +01:00
d81f522a57
Validate that links within auto-discovered embeds are using the `http` or `https` protocols before following links. Props xknown, dd32, peterwilsoncc. Built from https://develop.svn.wordpress.org/trunk@55763 git-svn-id: http://core.svn.wordpress.org/trunk@55275 1a063a9b-81f0-0310-95a4-ce76da25c4cd
152 lines
3.8 KiB
JavaScript
152 lines
3.8 KiB
JavaScript
/**
|
|
* WordPress inline HTML embed
|
|
*
|
|
* @since 4.4.0
|
|
* @output wp-includes/js/wp-embed.js
|
|
*
|
|
* This file cannot have ampersands in it. This is to ensure
|
|
* it can be embedded in older versions of WordPress.
|
|
* See https://core.trac.wordpress.org/changeset/35708.
|
|
*/
|
|
(function ( window, document ) {
|
|
'use strict';
|
|
|
|
var supportedBrowser = false,
|
|
loaded = false;
|
|
|
|
if ( document.querySelector ) {
|
|
if ( window.addEventListener ) {
|
|
supportedBrowser = true;
|
|
}
|
|
}
|
|
|
|
/** @namespace wp */
|
|
window.wp = window.wp || {};
|
|
|
|
if ( !! window.wp.receiveEmbedMessage ) {
|
|
return;
|
|
}
|
|
|
|
/**
|
|
* Receive embed message.
|
|
*
|
|
* @param {MessageEvent} e
|
|
*/
|
|
window.wp.receiveEmbedMessage = function( e ) {
|
|
var data = e.data;
|
|
|
|
if ( ! data ) {
|
|
return;
|
|
}
|
|
|
|
if ( ! ( data.secret || data.message || data.value ) ) {
|
|
return;
|
|
}
|
|
|
|
if ( /[^a-zA-Z0-9]/.test( data.secret ) ) {
|
|
return;
|
|
}
|
|
|
|
var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
|
|
blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
|
|
allowedProtocols = new RegExp( '^https?:$', 'i' ),
|
|
i, source, height, sourceURL, targetURL;
|
|
|
|
for ( i = 0; i < blockquotes.length; i++ ) {
|
|
blockquotes[ i ].style.display = 'none';
|
|
}
|
|
|
|
for ( i = 0; i < iframes.length; i++ ) {
|
|
source = iframes[ i ];
|
|
|
|
if ( e.source !== source.contentWindow ) {
|
|
continue;
|
|
}
|
|
|
|
source.removeAttribute( 'style' );
|
|
|
|
/* Resize the iframe on request. */
|
|
if ( 'height' === data.message ) {
|
|
height = parseInt( data.value, 10 );
|
|
if ( height > 1000 ) {
|
|
height = 1000;
|
|
} else if ( ~~height < 200 ) {
|
|
height = 200;
|
|
}
|
|
|
|
source.height = height;
|
|
}
|
|
|
|
/* Link to a specific URL on request. */
|
|
if ( 'link' === data.message ) {
|
|
sourceURL = document.createElement( 'a' );
|
|
targetURL = document.createElement( 'a' );
|
|
|
|
sourceURL.href = source.getAttribute( 'src' );
|
|
targetURL.href = data.value;
|
|
|
|
/* Only follow link if the protocol is in the allow list. */
|
|
if ( ! allowedProtocols.test( targetURL.protocol ) ) {
|
|
continue;
|
|
}
|
|
|
|
/* Only continue if link hostname matches iframe's hostname. */
|
|
if ( targetURL.host === sourceURL.host ) {
|
|
if ( document.activeElement === source ) {
|
|
window.top.location.href = data.value;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
};
|
|
|
|
function onLoad() {
|
|
if ( loaded ) {
|
|
return;
|
|
}
|
|
|
|
loaded = true;
|
|
|
|
var isIE10 = -1 !== navigator.appVersion.indexOf( 'MSIE 10' ),
|
|
isIE11 = !!navigator.userAgent.match( /Trident.*rv:11\./ ),
|
|
iframes = document.querySelectorAll( 'iframe.wp-embedded-content' ),
|
|
iframeClone, i, source, secret;
|
|
|
|
for ( i = 0; i < iframes.length; i++ ) {
|
|
/** @var {IframeElement} */
|
|
source = iframes[ i ];
|
|
|
|
secret = source.getAttribute( 'data-secret' );
|
|
if ( ! secret ) {
|
|
/* Add secret to iframe */
|
|
secret = Math.random().toString( 36 ).substr( 2, 10 );
|
|
source.src += '#?secret=' + secret;
|
|
source.setAttribute( 'data-secret', secret );
|
|
}
|
|
|
|
/* Remove security attribute from iframes in IE10 and IE11. */
|
|
if ( ( isIE10 || isIE11 ) ) {
|
|
iframeClone = source.cloneNode( true );
|
|
iframeClone.removeAttribute( 'security' );
|
|
source.parentNode.replaceChild( iframeClone, source );
|
|
}
|
|
|
|
/*
|
|
* Let post embed window know that the parent is ready for receiving the height message, in case the iframe
|
|
* loaded before wp-embed.js was loaded. When the ready message is received by the post embed window, the
|
|
* window will then (re-)send the height message right away.
|
|
*/
|
|
source.contentWindow.postMessage( {
|
|
message: 'ready',
|
|
secret: secret
|
|
}, '*' );
|
|
}
|
|
}
|
|
|
|
if ( supportedBrowser ) {
|
|
window.addEventListener( 'message', window.wp.receiveEmbedMessage, false );
|
|
document.addEventListener( 'DOMContentLoaded', onLoad, false );
|
|
window.addEventListener( 'load', onLoad, false );
|
|
}
|
|
})( window, document );
|