Changeset 28919 for trunk/src/wp-admin/includes/ajax-actions.php

Timestamp:

06/30/2014 05:48:16 AM (12 years ago)

Author:

azaozz

Message:

Secure embeds in the editor (first run):

• When the user pastes an embeddable http URL, try to get the https embed.
• If an embed provider doesn't support ssl embeds, show a placeholder/error message.
• Revise the way we return error messages.

See #28195, #28507.

File:

• trunk/src/wp-admin/includes/ajax-actions.php (modified) (1 diff)

trunk/src/wp-admin/includes/ajax-actions.php

@@ -2548 +2548 @@
     }
 
-    if ( empty( $_POST['shortcode'] ) || ! current_user_can( 'read_post', $post->ID ) ) {
-        wp_send_json_error();
-    }
-
+    if ( empty( $_POST['shortcode'] ) || ! current_user_can( 'edit_post', $post->ID ) ) {
+        wp_send_json_error();
+    }
+
+    $shortcode = $_POST['shortcode'];
+    $url = str_replace( '[embed]', '', str_replace( '[/embed]', '', $shortcode ) );
+    $parsed = false;
     setup_postdata( $post );
 
-    // If the URL cannot be embedded, return an eror message with wp_send_json_error()
-    add_filter( 'embed_maybe_make_link', '_wpview_embed_error', 20, 2 );
-
-    $parsed = $wp_embed->run_shortcode( $_POST['shortcode'] );
+    $wp_embed->return_false_on_fail = true;
+
+    if ( is_ssl() && preg_match( '%^\\[embed\\]http://%i', $shortcode ) ) {
+        // Admin is ssl and the user pasted non-ssl URL.
+        // Check if the provider supports ssl embeds and use that for the preview.
+        $ssl_shortcode = preg_replace( '%^\\[embed\\]http://%i', '[embed]https://', $shortcode );
+        $parsed = $wp_embed->run_shortcode( $ssl_shortcode );
+
+        if ( ! $parsed ) {
+            $no_ssl_support = true;
+        }
+    }
+
+    if ( ! $parsed ) {
+        $parsed = $wp_embed->run_shortcode( $shortcode );
+    }
+
+    if ( ! $parsed ) {
+        wp_send_json_error( array(
+            'type' => 'not-embeddable',
+            'message' => sprintf( __( '%s failed to embed.' ), '<code>' . esc_url( $url ) . '</code>' ),
+        ) );
+    }
+
+    // TODO: needed?
     $parsed = do_shortcode( $parsed );
 
+    if ( ! empty( $no_ssl_support ) || ( is_ssl() && ( preg_match( '%<(iframe|script|embed) [^>]*src="http://%', $parsed ) ||
+        preg_match( '%<link [^>]*href="http://%', $parsed ) ) ) ) {
+        // Admin is ssl and the embed is not. Iframes, scripts, and other "active content" will be blocked.
+        wp_send_json_error( array(
+            'type' => 'not-ssl',
+            'message' => sprintf( __( 'Preview not available. %s cannot be embedded securely.' ), '<code>' . esc_url( $url ) . '</code>' ),
+        ) );
+    }
+
     wp_send_json_success( $parsed );
 }