Ticket #34451: 34451.2.diff

src/wp-includes/embed-functions.php

@@ -461 +461 @@
 
         $embed_url = get_post_embed_url( $post );
 
-        $output = '<blockquote><a href="' . get_permalink( $post ) . '">' . get_the_title( $post ) . "</a></blockquote>\n";
+        $output = '<blockquote class="wp-embedded-content"><a href="' . get_permalink( $post ) . '">' . get_the_title( $post ) . "</a></blockquote>\n";
 
         $output .= "<script type='text/javascript'>\n";
         $output .= "<!--//--><![CDATA[//><!--\n";
@@ -757 +757 @@
                 'a'          => array(
                                 'href' => true,
                 ),
-                'blockquote' => array(),
+                'blockquote' => array(
+                        'class'        => true,
+                ),
                 'iframe'     => array(
                         'src'          => true,
                         'width'        => true,
@@ -773 +775 @@
 
         $html = wp_kses( $result, $allowed_html );
 
-        preg_match( '|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content );
+        preg_match( '|(<blockquote.*?>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content );
         // We require at least the iframe to exist.
         if ( empty( $content[2] ) ) {
                 return false;
@@ -785 +787 @@
                 $html = str_replace( '<iframe', '<iframe style="display:none;"', $html );
         }
 
-        $html = str_replace( '<iframe', '<iframe sandbox="allow-scripts" security="restricted"', $html );
-
-        preg_match( '/ src=[\'"]([^\'"]*)[\'"]/', $html, $results );
-
-        if ( ! empty( $results ) ) {
-                $secret = wp_generate_password( 10, false );
-
-                $url = esc_url( "{$results[1]}#?secret=$secret" );
-
-                $html = str_replace( $results[0], " src=\"$url\" data-secret=\"$secret\"", $html );
-                $html = str_replace( '<blockquote', "<blockquote data-secret=\"$secret\"", $html );
-        }
-
-        return $html;
+        return str_replace( '<iframe', '<iframe sandbox="allow-scripts" security="restricted"', $html );
 }
 
 /**

src/wp-includes/js/wp-embed-template.js

@@ -1 +1 @@
 (function ( window, document ) {
         'use strict';
 
-        var secret = window.location.hash.replace( /.*secret=([\d\w]{10}).*/, '$1' ),
-                resizing;
+        var secret, secretTimeout, resizing;
 
         function sendEmbedMessage( message, value ) {
                 window.parent.postMessage( {
@@ -159 +158 @@
         }
 
         window.addEventListener( 'resize', onResize, false );
+
+        /**
+         * Re-get the secret when it was added later on.
+         */
+        function getSecret() {
+                if ( window.self === window.top || !!secret ) {
+                        return;
+                }
+
+                secret = window.location.hash.replace( /.*secret=([\d\w]{10}).*/, '$1' );
+
+                clearTimeout( secretTimeout );
+
+                secretTimeout = setTimeout( function () {
+                        getSecret();
+                }, 100 );
+        }
+
+        getSecret();
 })( window, document );

src/wp-includes/js/wp-embed.js

@@ -13 +13 @@
                         return;
                 }
 
-                var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
-                        blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+                var iframes = document.querySelectorAll( '.wp-embedded-content[data-secret="' + data.secret + '"]' ),
                         i, source, height, sourceURL, targetURL;
 
-                for ( i = 0; i < blockquotes.length; i++ ) {
-                        blockquotes[ i ].style.display = 'none';
-                }
-
                 for ( i = 0; i < iframes.length; i++ ) {
                         source = iframes[ i ];
 
-                        source.style.display = '';
-
                         /* Resize the iframe on request. */
                         if ( 'height' === data.message ) {
                                 height = data.value;
@@ -58 +51 @@
 
         function onLoad() {
                 var isIE10 = -1 !== navigator.appVersion.indexOf( 'MSIE 10' ),
-                        isIE11 = !!navigator.userAgent.match( /Trident.*rv\:11\./ ),
-                        iframes, iframeClone, i;
+                        isIE11 = !!navigator.userAgent.match( /Trident.*rv:11\./ ),
+                        iframes = document.querySelectorAll( 'iframe.wp-embedded-content' ),
+                        blockquotes = document.querySelectorAll( 'blockquote.wp-embedded-content' ),
+                        iframeClone, i, source, secret;
+
+                for ( i = 0; i < blockquotes.length; i++ ) {
+                        blockquotes[ i ].style.display = 'none';
+                }
+
+                for ( i = 0; i < iframes.length; i++ ) {
+                        source = iframes[ i ];
+                        source.style.display = '';
+
+                        if ( !!source.getAttribute( 'data-secret' ) ) {
+                                continue;
+                        }
 
-                /* Remove security attribute from iframes in IE10 and IE11. */
-                if ( isIE10 || isIE11 ) {
-                        iframes = document.querySelectorAll( '.wp-embedded-content[security]' );
+                        /* Add secret to iframe */
+                        secret = Math.random().toString( 36 ).substr( 2, 10 );
+                        source.src += '#?secret=' + secret;
+                        source.setAttribute( 'data-secret', secret );
 
-                        for ( i = 0; i < iframes.length; i++ ) {
-                                iframeClone = iframes[ i ].cloneNode( true );
+                        /* Remove security attribute from iframes in IE10 and IE11. */
+                        if ( ( isIE10 || isIE11 ) && !!source.getAttribute( 'security' ) ) {
+                                iframeClone = source.cloneNode( true );
                                 iframeClone.removeAttribute( 'security' );
-                                iframes[ i ].parentNode.insertBefore( iframeClone, iframes[ i ].nextSibling );
-                                iframes[ i ].parentNode.removeChild( iframes[ i ] );
+                                source.parentNode.replaceChild( iframeClone, source );
                         }
                 }
         }

tests/phpunit/tests/oembed/filterResult.php

@@ -16 +16 @@
                 $html   = '<p></p><iframe onload="alert(1)" src="http://example.com/sample-page/"></iframe>';
                 $actual = wp_filter_oembed_result( $html, (object) array( 'type' => 'rich' ), 'http://example.com/sample-page/' );
 
-                $matches = array();
-                preg_match( '|src=".*#\?secret=([\w\d]+)" data-secret="([\w\d]+)"|', $actual, $matches );
-
-                $this->assertTrue( isset( $matches[1] ) );
-                $this->assertTrue( isset( $matches[2] ) );
-                $this->assertEquals( $matches[1], $matches[2] );
+                $this->assertEquals( '<iframe sandbox="allow-scripts" security="restricted" src="http://example.com/sample-page/"></iframe>', $actual );
         }
 
         function test_filter_oembed_result_only_one_iframe_is_allowed() {
@@ -56 +51 @@
                 $this->assertFalse( $actual );
         }
 
-        function test_filter_oembed_result_secret_param_available() {
-                $html   = '<iframe src="https://wordpress.org"></iframe>';
-                $actual = wp_filter_oembed_result( $html, (object) array( 'type' => 'rich' ), '' );
-
-                $matches = array();
-                preg_match( '|src="https://wordpress.org#\?secret=([\w\d]+)" data-secret="([\w\d]+)"|', $actual, $matches );
-
-                $this->assertTrue( isset( $matches[1] ) );
-                $this->assertTrue( isset( $matches[2] ) );
-                $this->assertEquals( $matches[1], $matches[2] );
-        }
-
         function test_filter_oembed_result_wrong_type_provided() {
                 $actual = wp_filter_oembed_result( 'some string', (object) array( 'type' => 'link' ), '' );
 
@@ -87 +70 @@
         }
 
         function test_filter_oembed_result_allowed_html() {
-                $html   = '<blockquote><strong><a href="" target=""></a></strong></blockquote><iframe></iframe>';
+                $html   = '<blockquote class="foo" id="bar"><strong><a href="" target=""></a></strong></blockquote><iframe></iframe>';
                 $actual = wp_filter_oembed_result( $html, (object) array( 'type' => 'rich' ), '' );
 
-                $this->assertEquals( '<blockquote><a href=""></a></blockquote><iframe sandbox="allow-scripts" security="restricted" style="display:none;"></iframe>', $actual );
+                $this->assertEquals( '<blockquote class="foo"><a href=""></a></blockquote><iframe sandbox="allow-scripts" security="restricted" style="display:none;"></iframe>', $actual );
         }
 }