
Changeset 28919


Timestamp:
06/30/2014 05:48:16 AM (10 years ago)
Author:
azaozz
Message:

Secure embeds in the editor (first run):

  • When the user pastes an embeddable http URL, try to get the https embed.
  • If an embed provider doesn't support ssl embeds, show a placeholder/error message.
  • Revise the way we return error messages.

See #28195, #28507.

Location:
trunk/src
Files:
4 edited

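--- a/trunk/src/wp-admin/includes/ajax-actions.php
+++ b/trunk/src/wp-admin/includes/ajax-actions.php
@@ -2548,16 +2548,49 @@
     }
 
-    if ( empty( $_POST['shortcode'] ) || ! current_user_can( 'read_post', $post->ID ) ) {
-        wp_send_json_error();
-    }
-
+    if ( empty( $_POST['shortcode'] ) || ! current_user_can( 'edit_post', $post->ID ) ) {
+        wp_send_json_error();
+    }
+
+    $shortcode = $_POST['shortcode'];
+    $url = str_replace( '[embed]', '', str_replace( '[/embed]', '', $shortcode ) );
+    $parsed = false;
     setup_postdata( $post );
 
-    // If the URL cannot be embedded, return an eror message with wp_send_json_error()
-    add_filter( 'embed_maybe_make_link', '_wpview_embed_error', 20, 2 );
-
-    $parsed = $wp_embed->run_shortcode( $_POST['shortcode'] );
+    $wp_embed->return_false_on_fail = true;
+
+    if ( is_ssl() && preg_match( '%^\\[embed\\]http://%i', $shortcode ) ) {
+        // Admin is ssl and the user pasted non-ssl URL.
+        // Check if the provider supports ssl embeds and use that for the preview.
+        $ssl_shortcode = preg_replace( '%^\\[embed\\]http://%i', '[embed]https://', $shortcode );
+        $parsed = $wp_embed->run_shortcode( $ssl_shortcode );
+
+        if ( ! $parsed ) {
+            $no_ssl_support = true;
+        }
+    }
+
+    if ( ! $parsed ) {
+        $parsed = $wp_embed->run_shortcode( $shortcode );
+    }
+
+    if ( ! $parsed ) {
+        wp_send_json_error( array(
+            'type' => 'not-embeddable',
+            'message' => sprintf( __( '%s failed to embed.' ), '<code>' . esc_url( $url ) . '</code>' ),
+        ) );
+    }
+
+    // TODO: needed?
     $parsed = do_shortcode( $parsed );
 
+    if ( ! empty( $no_ssl_support ) || ( is_ssl() && ( preg_match( '%<(iframe|script|embed) [^>]*src="http://%', $parsed ) ||
+        preg_match( '%<link [^>]*href="http://%', $parsed ) ) ) ) {
+        // Admin is ssl and the embed is not. Iframes, scripts, and other "active content" will be blocked.
+        wp_send_json_error( array(
+            'type' => 'not-ssl',
+            'message' => sprintf( __( 'Preview not available. %s cannot be embedded securely.' ), '<code>' . esc_url( $url ) . '</code>' ),
+        ) );
+    }
+
     wp_send_json_success( $parsed );
 }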
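Review bot: The mixed-content test on new lines 2586–2587 is narrower than the one on 2561: it has no `i` modifier and only recognises `src="http://` with a double quote, so provider markup using `SRC`, single quotes or `src = "…"` is not caught and the request falls through to `wp_send_json_success` with http active content destined for an https admin page — the user would then presumably see a blocked, blank preview instead of the intended 'not-ssl' message. Consider `preg_match( '%<(iframe|script|embed)\b[^>]*\bsrc\s*=\s*["\']?http://%i', $parsed )` and the same relaxation for the `<link … href` branch. Separately, `$url` (new line 2555) is derived by stripping only a bare `[embed]`/`[/embed]`, so a shortcode carrying attributes would keep its opening tag in the displayed URL and also miss the `^\[embed\]http://` match that triggers the https retry; `$shortcode` is also read from `$_POST` without `wp_unslash()`, unlike most other AJAX handlers. The `// TODO: needed?` left at 2583 should be resolved or expanded before this lands. The enclosing `wp_ajax_parse_embed()` starts before the hunk.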
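--- a/trunk/src/wp-admin/includes/misc.php
+++ b/trunk/src/wp-admin/includes/misc.php
@@ -825,14 +825,2 @@
 // Run later as we have to set DOING_AUTOSAVE for back-compat
 add_filter( 'heartbeat_received', 'heartbeat_autosave', 500, 2 );
-
-/**
- * Send error message when an URL cannot be embedded. Used in wp_ajax_parse_embed().
- *
- * @access private
- * @since 4.0
- */
-function _wpview_embed_error( $output, $url ) {
-    wp_send_json_error( array(
-        'message' => sprintf( __( '%s failed to embed.' ), esc_url( $url ) ),
-    ) );
-}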
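--- a/trunk/src/wp-includes/class-wp-embed.php
+++ b/trunk/src/wp-includes/class-wp-embed.php
@@ -12,4 +12,10 @@
     public $usecache = true;
     public $linkifunknown = true;
+
+    /**
+     * When an URL cannot be embedded, return false instead of returning a link
+     * or the URL. Bypasses the 'embed_maybe_make_link' filter.
+     */
+    public $return_false_on_fail = false;
 
     /**
@@ -323,4 +329,8 @@
      */
     public function maybe_make_link( $url ) {
+        if ( $this->return_false_on_fail ) {
+            return false;
+        }
+
         $output = ( $this->linkifunknown ) ? '<a href="' . esc_url($url) . '">' . esc_html($url) . '</a>' : $url;
 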
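Review bot: The early return added at new lines 331–333 changes what `maybe_make_link()` can return to `string|false`, but the method's docblock closes at line 329 and the rest of it lies outside the hunk, so it presumably still documents a string; add `@return string|false` there, since any caller other than `run_shortcode()` that concatenates the result would otherwise silently get `''`. The new property docblock on lines 15–18 also lacks the `@since` and `@var bool` tags used elsewhere in this codebase (the removed `_wpview_embed_error()` in misc.php carried `@since 4.0`), and line 18 has trailing whitespace after `*/`. Because the flag is state on the shared `$wp_embed` instance and the caller in ajax-actions.php never clears it, the docblock should state that it is only safe to set where the request terminates afterwards, or callers should reset it.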
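--- a/trunk/src/wp-includes/js/mce-view.js
+++ b/trunk/src/wp-includes/js/mce-view.js
@@ -738,5 +738,7 @@
             .fail( function( response ) {
                 if ( response && response.message ) {
-                    if ( self.type === 'embed' ) {
+                    if ( ( response.type === 'not-embeddable' && self.type === 'embed' ) ||
+                        response.type === 'not-ssl' ) {
+
                         self.setError( response.message, 'admin-media' );
                     } else {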