Ticket #34451: 34451.diff

File 34451.diff, 3.9 KB (added by swissspidy, 5 years ago)
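--- a/src/wp-includes/embed-functions.php
+++ b/src/wp-includes/embed-functions.php
@@ -728,19 +728,7 @@ function wp_filter_oembed_result( $result, $data, $url ) {
 		return false;
 	}
 
-	$html = str_replace( '<iframe', '<iframe sandbox="allow-scripts" security="restricted"', $iframes[1] );
-
-	preg_match( '/ src=[\'"]([^\'"]*)[\'"]/', $html, $results );
-
-	if ( ! empty( $results ) ) {
-		$secret = wp_generate_password( 10, false );
-
-		$url = esc_url( "{$results[1]}#?secret=$secret" );
-
-		$html = str_replace( $results[0], " src=\"$url\" data-secret=\"$secret\"", $html );
-	}
-
-	return $html;
+	return str_replace( '<iframe', '<iframe sandbox="allow-scripts" security="restricted"', $iframes[1] );
 }
 
 /**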
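Review bot: The new single-line return leaves the server output with no `data-secret` attribute and no `#?secret=` fragment, so the secret now exists only after wp-embed.js has run in the browser; the function's docblock, which sits above this hunk, should say so, e.g. `Note: the per-embed secret consumed by wp-embed.js is added client-side, not by this filter.` Any consumer that reads this markup without executing the script will see an iframe carrying only `sandbox` and `security`, and that change in contract is worth stating rather than leaving implicit. The start of wp_filter_oembed_result lies outside the hunk.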
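--- a/src/wp-includes/js/wp-embed.js
+++ b/src/wp-includes/js/wp-embed.js
@@ -48,17 +48,21 @@
 
 	function onLoad() {
 		var isIE10 = -1 !== navigator.appVersion.indexOf( 'MSIE 10' ),
-			isIE11 = !!navigator.userAgent.match( /Trident.*rv\:11\./ );
+			isIE11 = !!navigator.userAgent.match( /Trident.*rv:11\./ ),
+			iframeClone, secret;
 
-		/* Remove security attribute from iframes in IE10 and IE11. */
-		if ( isIE10 || isIE11 ) {
-			var iframes = document.querySelectorAll( '.wp-embedded-content[security]' ), iframeClone;
+		var iframes = document.querySelectorAll( '.wp-embedded-content' );
+		for ( var i = 0; i < iframes.length; i++ ) {
+			/* Add secret to iframe */
+			secret = Math.random().toString( 36 ).substr( 2, 10 );
+			iframes[ i ].src += '#?secret=' + secret;
+			iframes[ i ].setAttribute( 'data-secret', secret );
 
-			for ( var i = 0; i < iframes.length; i++ ) {
+			/* Remove security attribute from iframes in IE10 and IE11. */
+			if ( !!iframes[ i ].getAttribute( 'security' ) && (isIE10 || isIE11) ) {
 				iframeClone = iframes[ i ].cloneNode( true );
 				iframeClone.removeAttribute( 'security' );
-				iframes[ i ].parentNode.insertBefore( iframeClone, iframes[ i ].nextSibling );
-				iframes[ i ].parentNode.removeChild( iframes[ i ] );
+				iframes[ i ].parentNode.replaceChild( iframeClone, iframes[ i ] );
 			}
 		}
 	}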
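Review bot: `secret = Math.random().toString( 36 ).substr( 2, 10 )` on new line 57 draws the secret from a non-cryptographic PRNG and does not even guarantee ten characters (a value like 0.5 stringifies to `0.i`), while the PHP side of this patch drops the `wp_generate_password()` call it replaces; if the secret is what the message handler elsewhere in this file uses to tell the embedded frame's messages apart from other frames' (not visible in this hunk), a predictable value weakens that check. Prefer `window.crypto.getRandomValues` (IE11 exposes it as `window.msCrypto`) and keep the current expression only as a fallback, as sketched below. Separately, `iframes[ i ].src += '#?secret=' + secret` on line 58 appends a second fragment when the src already carries one, and `!!iframes[ i ].getAttribute( 'security' )` on line 62 reads more simply as `iframes[ i ].hasAttribute( 'security' )`.
```javascript
	function onLoad() {
		var isIE10 = -1 !== navigator.appVersion.indexOf( 'MSIE 10' ),
			isIE11 = !!navigator.userAgent.match( /Trident.*rv:11\./ ),
			cryptoObj = window.crypto || window.msCrypto,
			iframeClone, secret;

		/* Per-embed secret: CSPRNG where available, Math.random() only as a fallback. */
		function makeSecret() {
			var out = '', bytes, j;
			if ( cryptoObj && cryptoObj.getRandomValues ) {
				bytes = new Uint8Array( 8 );
				cryptoObj.getRandomValues( bytes );
				for ( j = 0; j < bytes.length; j++ ) {
					out += ( '0' + bytes[ j ].toString( 16 ) ).slice( -2 );
				}
				return out;
			}
			while ( out.length < 10 ) {
				out += Math.random().toString( 36 ).substr( 2 );
			}
			return out.substr( 0, 10 );
		}

		// … unchanged: querySelectorAll and for loop header …
			secret = makeSecret();
		// … unchanged: src/data-secret assignment and IE10/IE11 security-attribute removal …
```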
  • tests/phpunit/tests/oembed/filterResult.php

    diff --git tests/phpunit/tests/oembed/filterResult.php tests/phpunit/tests/oembed/filterResult.php
    index cfe5c98..fceba65 100644
    class Tests_Filter_oEmbed_Result extends WP_UnitTestCase { 
    1616                $html   = '<p></p><iframe onload="alert(1)" src="http://example.com/sample-page/"></iframe>';
    1717                $actual = wp_filter_oembed_result( $html, (object) array( 'type' => 'rich' ), 'http://example.com/sample-page/' );
    1818
    19                 $matches = array();
    20                 preg_match( '|src=".*#\?secret=([\w\d]+)" data-secret="([\w\d]+)"|', $actual, $matches );
    21 
    22                 $this->assertTrue( isset( $matches[1] ) );
    23                 $this->assertTrue( isset( $matches[2] ) );
    24                 $this->assertEquals( $matches[1], $matches[2] );
     19                $this->assertEquals( '<iframe sandbox="allow-scripts" security="restricted" src="http://example.com/sample-page/"></iframe>', $actual );
    2520        }
    2621
    2722        function test_filter_oembed_result_only_one_iframe_is_allowed() {
    EOD; 
    5651                $this->assertFalse( $actual );
    5752        }
    5853
    59         function test_filter_oembed_result_secret_param_available() {
    60                 $html   = '<iframe src="https://wordpress.org"></iframe>';
    61                 $actual = wp_filter_oembed_result( $html, (object) array( 'type' => 'rich' ), '' );
    62 
    63                 $matches = array();
    64                 preg_match( '|src="https://wordpress.org#\?secret=([\w\d]+)" data-secret="([\w\d]+)"|', $actual, $matches );
    65 
    66                 $this->assertTrue( isset( $matches[1] ) );
    67                 $this->assertTrue( isset( $matches[2] ) );
    68                 $this->assertEquals( $matches[1], $matches[2] );
    69         }
    70 
    7154        function test_filter_oembed_result_wrong_type_provided() {
    7255                $actual = wp_filter_oembed_result( 'some string', (object) array( 'type' => 'link' ), '' );
    7356