Secure embeds in the editor (first run):

- When the user pastes an embeddable http URL, try to get the https embed.
- If an embed provider doesn't support ssl embeds, show a placeholder/error message.
- Revise the way we return error messages.
See #28195, #28507.

git-svn-id: https://develop.svn.wordpress.org/trunk@28919 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Andrew Ozz 2014-06-30 05:48:16 +00:00
parent 99faddd819
commit df6eb733eb
4 changed files with 50 additions and 17 deletions

View File

@ -2547,17 +2547,50 @@ function wp_ajax_parse_embed() {
wp_send_json_error();
}
if ( empty( $_POST['shortcode'] ) || ! current_user_can( 'read_post', $post->ID ) ) {
if ( empty( $_POST['shortcode'] ) || ! current_user_can( 'edit_post', $post->ID ) ) {
wp_send_json_error();
}
$shortcode = $_POST['shortcode'];
$url = str_replace( '[embed]', '', str_replace( '[/embed]', '', $shortcode ) );
$parsed = false;
setup_postdata( $post );
// If the URL cannot be embedded, return an eror message with wp_send_json_error()
add_filter( 'embed_maybe_make_link', '_wpview_embed_error', 20, 2 );
$wp_embed->return_false_on_fail = true;
$parsed = $wp_embed->run_shortcode( $_POST['shortcode'] );
if ( is_ssl() && preg_match( '%^\\[embed\\]http://%i', $shortcode ) ) {
// Admin is ssl and the user pasted non-ssl URL.
// Check if the provider supports ssl embeds and use that for the preview.
$ssl_shortcode = preg_replace( '%^\\[embed\\]http://%i', '[embed]https://', $shortcode );
$parsed = $wp_embed->run_shortcode( $ssl_shortcode );
if ( ! $parsed ) {
$no_ssl_support = true;
}
}
if ( ! $parsed ) {
$parsed = $wp_embed->run_shortcode( $shortcode );
}
if ( ! $parsed ) {
wp_send_json_error( array(
'type' => 'not-embeddable',
'message' => sprintf( __( '%s failed to embed.' ), '<code>' . esc_url( $url ) . '</code>' ),
) );
}
// TODO: needed?
$parsed = do_shortcode( $parsed );
if ( ! empty( $no_ssl_support ) || ( is_ssl() && ( preg_match( '%<(iframe|script|embed) [^>]*src="http://%', $parsed ) ||
preg_match( '%<link [^>]*href="http://%', $parsed ) ) ) ) {
// Admin is ssl and the embed is not. Iframes, scripts, and other "active content" will be blocked.
wp_send_json_error( array(
'type' => 'not-ssl',
'message' => sprintf( __( 'Preview not available. %s cannot be embedded securely.' ), '<code>' . esc_url( $url ) . '</code>' ),
) );
}
wp_send_json_success( $parsed );
}

View File

@ -824,15 +824,3 @@ function heartbeat_autosave( $response, $data ) {
}
// Run later as we have to set DOING_AUTOSAVE for back-compat
add_filter( 'heartbeat_received', 'heartbeat_autosave', 500, 2 );
/**
* Send error message when an URL cannot be embedded. Used in wp_ajax_parse_embed().
*
* @access private
* @since 4.0
*/
function _wpview_embed_error( $output, $url ) {
wp_send_json_error( array(
'message' => sprintf( __( '%s failed to embed.' ), esc_url( $url ) ),
) );
}

View File

@ -12,6 +12,12 @@ class WP_Embed {
public $usecache = true;
public $linkifunknown = true;
/**
* When an URL cannot be embedded, return false instead of returning a link
* or the URL. Bypasses the 'embed_maybe_make_link' filter.
*/
public $return_false_on_fail = false;
/**
* Constructor
*/
@ -322,6 +328,10 @@ class WP_Embed {
* @return string Linked URL or the original URL.
*/
public function maybe_make_link( $url ) {
if ( $this->return_false_on_fail ) {
return false;
}
$output = ( $this->linkifunknown ) ? '<a href="' . esc_url($url) . '">' . esc_html($url) . '</a>' : $url;
/**

View File

@ -737,7 +737,9 @@ window.wp = window.wp || {};
} )
.fail( function( response ) {
if ( response && response.message ) {
if ( self.type === 'embed' ) {
if ( ( response.type === 'not-embeddable' && self.type === 'embed' ) ||
response.type === 'not-ssl' ) {
self.setError( response.message, 'admin-media' );
} else {
self.setContent( '<p>' + self.original + '</p>', null, true );