Ticket #43136: 43136.diff

src/wp-includes/class-wp-oembed-controller.php

@@ -127 +127 @@
                         return new WP_Error( 'oembed_invalid_url', get_status_header_desc( 404 ), array( 'status' => 404 ) );
                 }
 
+                // Make sure the REST Request applies the WP Embed security mechanism for WordPress Posts.
+                $data['html'] = wp_filter_oembed_result( $data['html'], (object) $data, $request['url'] );
+
                 return $data;
         }
 

tests/phpunit/tests/oembed/controller.php

@@ -582 +582 @@
                 $data = $response->get_data();
                 $this->assertEquals( $data['code'], 'rest_invalid_param' );
         }
+
+        /**
+         * @ticket 43136
+         */
+        public function test_rest_get_post_oembed_result() {
+                wp_set_current_user( self::$editor );
+
+                $post = $this->factory()->post->create_and_get(
+                        array(
+                                'post_title'  => 'Foo Bar',
+                        )
+                );
+
+                $request = new WP_REST_Request( 'GET', '/oembed/1.0/embed' );
+                $request->set_param( 'url', get_permalink( $post->ID ) );
+
+                $response = $this->server->dispatch( $request );
+                $data = $response->get_data();
+
+                $this->assertTrue( 0 === strpos( $data['html'], '<blockquote class="wp-embedded-content" data-secret' ) );
+        }
 }