Make WordPress Core


Ignore:
Timestamp:
10/07/2015 10:35:18 AM (9 years ago)
Author:
pento
Message:

Embeds: Add oEmbed provider support.

For the past 6 years, WordPress has operated as an oEmbed consumer, allowing users to easily embed content from other sites. By adding oEmbed provider support, this allows any oEmbed consumer to embed posts from WordPress sites.

In addition to creating an oEmbed provider, WordPress' oEmbed consumer code has been enhanced to work with any site that provides oEmbed data (as long as it matches some strict security rules), and provides a preview from within the post editor.

For security, embeds appear within a sandboxed iframe - the iframe content is a template that can be styled or replaced entirely by the theme on the provider site.

Props swissspidy, pento, melchoyce, netweb, pfefferle, johnbillion, extendwings, davidbinda, danielbachhuber, SergeyBiryukov, afercia

Fixes #32522.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/embed-functions.php

    r34851 r34903  
    327327    return apply_filters( 'wp_embed_handler_video', $video, $attr, $url, $rawattr );
    328328}
     329
     330/**
     331 * Parse an oEmbed API query.
     332 *
     333 * @since 4.4.0
     334 */
     335function wp_oembed_parse_query( $wp_query ) {
     336    $controller = new WP_oEmbed_Controller;
     337    $controller->parse_query( $wp_query );
     338}
     339
     340/**
     341 * Adds oEmbed discovery links in the website <head>.
     342 *
     343 * @since 4.4.0
     344 */
     345function wp_oembed_add_discovery_links() {
     346    $output = '';
     347
     348    if ( is_singular() ) {
     349        $output .= '<link rel="alternate" type="application/json+oembed" href="' . esc_url( get_oembed_endpoint_url( get_permalink() ) ) . '" />' . "\n";
     350        $output .= '<link rel="alternate" type="text/xml+oembed" href="' . esc_url( get_oembed_endpoint_url( get_permalink(), 'xml' ) ) . '" />' . "\n";
     351    }
     352
     353    /**
     354     * Filter the oEmbed discovery links.
     355     *
     356     * @since 4.4.0
     357     *
     358     * @param string $output HTML of the discovery links.
     359     */
     360    echo apply_filters( 'oembed_discovery_links', $output );
     361}
     362
     363/**
     364 * Add the necessary JavaScript to communicate with the embedded iframes.
     365 *
     366 * @since 4.4.0
     367 */
     368function wp_oembed_add_host_js() {
     369    wp_enqueue_script( 'wp-oembed' );
     370}
     371
     372
     373/**
     374 * Get the URL to embed a specific post in an iframe.
     375 *
     376 * @since 4.4.0
     377 *
     378 * @param int|WP_Post $post Optional. Post ID or object. Defaults to the current post.
     379 * @return string|false The post embed URL on success, false if the post doesn't exist.
     380 */
     381function get_post_embed_url( $post = null ) {
     382    $post = get_post( $post );
     383
     384    if ( ! $post ) {
     385        return false;
     386    }
     387
     388    if ( get_option( 'permalink_structure' ) ) {
     389        $embed_url = trailingslashit( get_permalink( $post ) ) . user_trailingslashit( 'embed' );
     390    } else {
     391        $embed_url = add_query_arg( array( 'embed' => 'true' ), get_permalink( $post ) );
     392    }
     393
     394    /**
     395     * Filter the URL to embed a specific post.
     396     *
     397     * @since 4.4.0
     398     *
     399     * @param string  $embed_url The post embed URL.
     400     * @param WP_Post $post      The corresponding post object.
     401     */
     402    return esc_url_raw( apply_filters( 'post_embed_url', $embed_url, $post ) );
     403}
     404
     405/**
     406 * Get the oEmbed endpoint URL for a given permalink.
     407 *
     408 * Pass an empty string as the first argument
     409 * to get the endpoint base URL.
     410 *
     411 * @since 4.4.0
     412 *
     413 * @param string $permalink Optional. The permalink used for the `url` query arg. Default empty.
     414 * @param string $format    Optional. The requested response format. Default 'json'.
     415 * @return string The oEmbed endpoint URL.
     416 */
     417function get_oembed_endpoint_url( $permalink = '', $format = 'json' ) {
     418    $url = add_query_arg( array( 'oembed' => 'true' ), home_url( '/' ) );
     419
     420    if ( 'json' === $format ) {
     421        $format = false;
     422    }
     423
     424    if ( '' !== $permalink ) {
     425        $url = add_query_arg( array(
     426            'url'    => $permalink,
     427            'format' => $format,
     428        ), $url );
     429    }
     430
     431    /**
     432     * Filter the oEmbed endpoint URL.
     433     *
     434     * @since 4.4.0
     435     *
     436     * @param string $url       The URL to the oEmbed endpoint.
     437     * @param string $permalink The permalink used for the `url` query arg.
     438     * @param string $format    The requested response format.
     439     */
     440    return apply_filters( 'oembed_endpoint_url', $url, $permalink, $format );
     441}
     442
     443/**
     444 * Get the embed code for a specific post.
     445 *
     446 * @since 4.4.0
     447 *
     448 * @param int|WP_Post $post   Optional. Post ID or object. Default is global `$post`.
     449 * @param int         $width  The width for the response.
     450 * @param int         $height The height for the response.
     451 * @return string|false Embed code on success, false if post doesn't exist.
     452 */
     453function get_post_embed_html( $post = null, $width, $height ) {
     454    $post = get_post( $post );
     455
     456    if ( ! $post ) {
     457        return false;
     458    }
     459
     460    $embed_url = get_post_embed_url( $post );
     461
     462    $output = "<script type='text/javascript'>\n";
     463    if ( SCRIPT_DEBUG ) {
     464        $output .= file_get_contents( ABSPATH . WPINC . '/js/wp-oembed.js' );
     465    } else {
     466        /*
     467         * If you're looking at a src version of this file, you'll see an "include"
     468         * statement below. This is used by the `grunt build` process to directly
     469         * include a minified version of wp-oembed.js, instead of using the
     470         * file_get_contents() method from above.
     471         *
     472         * If you're looking at a build version of this file, you'll see a string of
     473         * minified JavaScript. If you need to debug it, please turn on SCRIPT_DEBUG
     474         * and edit wp-oembed.js directly.
     475         */
     476        $output .=<<<JS
     477        include "js/wp-oembed.min.js"
     478JS;
     479    }
     480    $output .= "\n</script>";
     481
     482    $output .= sprintf(
     483        '<iframe sandbox="allow-scripts" security="restricted" src="%1$s" width="%2$d" height="%3$d" title="%4$s" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe>',
     484        esc_url( $embed_url ),
     485        absint( $width ),
     486        absint( $height ),
     487        esc_attr__( 'Embedded WordPress Post', 'oembed-api' )
     488    );
     489
     490    /**
     491     * Filters the oEmbed HTML output.
     492     *
     493     * @since 4.4.0
     494     *
     495     * @param string  $output The default HTML.
     496     * @param WP_Post $post   Current post object.
     497     * @param int     $width  Width of the response.
     498     * @param int     $height Height of the response.
     499     */
     500    return apply_filters( 'oembed_html', $output, $post, $width, $height );
     501}
     502
     503/**
     504 * Get the oEmbed response data for a given post.
     505 *
     506 * @since 4.4.0
     507 *
     508 * @param WP_Post|int $post  Optional. Post object or ID. Default is global `$post`.
     509 * @param int         $width The requested width.
     510 * @return array|false Response data on success, false if post doesn't exist.
     511 */
     512function get_oembed_response_data( $post = null, $width ) {
     513    $post = get_post( $post );
     514
     515    if ( ! $post ) {
     516        return false;
     517    }
     518
     519    if ( 'publish' !== get_post_status( $post ) ) {
     520        return false;
     521    }
     522
     523    /**
     524     * Filter the allowed minimum width for the oEmbed response.
     525     *
     526     * @param int $width The minimum width. Defaults to 200.
     527     */
     528    $minwidth = apply_filters( 'oembed_minwidth', 200 );
     529
     530    /**
     531     * Filter the allowed maximum width for the oEmbed response.
     532     *
     533     * @param int $width The maximum width. Defaults to 600.
     534     */
     535    $maxwidth = apply_filters( 'oembed_maxwidth', 600 );
     536
     537    if ( $width < $minwidth ) {
     538        $width = $minwidth;
     539    } else if ( $width > $maxwidth ) {
     540        $width = $maxwidth;
     541    }
     542
     543    $height = ceil( $width / 16 * 9 );
     544
     545    if ( 200 > $height ) {
     546        $height = 200;
     547    }
     548
     549    $data = array(
     550        'version'       => '1.0',
     551        'provider_name' => get_bloginfo( 'name' ),
     552        'provider_url'  => get_home_url(),
     553        'author_name'   => get_bloginfo( 'name' ),
     554        'author_url'    => get_home_url(),
     555        'title'         => $post->post_title,
     556        'type'          => 'link',
     557    );
     558
     559    $author = get_userdata( $post->post_author );
     560
     561    if ( $author ) {
     562        $data['author_name'] = $author->display_name;
     563        $data['author_url']  = get_author_posts_url( $author->ID );
     564    }
     565
     566    /**
     567     * Filter the oEmbed response data.
     568     *
     569     * @since 4.4.0
     570     *
     571     * @param array   $data   The response data.
     572     * @param WP_Post $post   The post object.
     573     * @param int     $width  The requested width.
     574     * @param int     $height The calculated height.
     575     */
     576    return apply_filters( 'oembed_response_data', $data, $post, $width, $height );
     577}
     578
     579/**
     580 * Filters the oEmbed response data to return an iframe embed code.
     581 *
     582 * @since 4.4.0
     583 *
     584 * @param array   $data   The response data.
     585 * @param WP_Post $post   The post object.
     586 * @param int     $width  The requested width.
     587 * @param int     $height The calculated height.
     588 * @return array The modified response data.
     589 */
     590function get_oembed_response_data_rich( $data, $post, $width, $height ) {
     591    $data['width']  = absint( $width );
     592    $data['height'] = absint( $height );
     593    $data['type']   = 'rich';
     594    $data['html']   = get_post_embed_html( $post, $width, $height );
     595
     596    // Add post thumbnail to response if available.
     597    $thumbnail_id = false;
     598
     599    if ( has_post_thumbnail( $post->ID ) ) {
     600        $thumbnail_id = get_post_thumbnail_id( $post->ID );
     601    }
     602
     603    if ( 'attachment' === get_post_type( $post ) ) {
     604        if ( wp_attachment_is_image( $post ) ) {
     605            $thumbnail_id = $post->ID;
     606        } else if ( wp_attachment_is( 'video', $post ) ) {
     607            $thumbnail_id = get_post_thumbnail_id( $post );
     608            $data['type'] = 'video';
     609        }
     610    }
     611
     612    if ( $thumbnail_id ) {
     613        list( $thumbnail_url, $thumbnail_width, $thumbnail_height ) = wp_get_attachment_image_src( $thumbnail_id, array( $width, 99999 ) );
     614        $data['thumbnail_url']    = $thumbnail_url;
     615        $data['thumbnail_width']  = $thumbnail_width;
     616        $data['thumbnail_height'] = $thumbnail_height;
     617    }
     618
     619    return $data;
     620}
     621
     622/**
     623 * Ensures that the specified format is either 'json' or 'xml'.
     624 *
     625 * @since 4.4.0
     626 *
     627 * @param string $format The oEmbed response format. Accepts 'json', 'xml'.
     628 * @return string The format, either 'xml' or 'json'. Default 'json'.
     629 */
     630function wp_oembed_ensure_format( $format ) {
     631    if ( ! in_array( $format, array( 'json', 'xml' ), true ) ) {
     632        return 'json';
     633    }
     634
     635    return $format;
     636}
     637
     638/**
     639 * Creates an XML string from a given array.
     640 *
     641 * @since 4.4.0
     642 * @access private
     643 *
     644 * @param array            $data The original oEmbed response data.
     645 * @param SimpleXMLElement $node Optional. XML node to append the result to recursively.
     646 * @return string|false XML string on success, false on error.
     647 */
     648function _oembed_create_xml( $data, $node = null ) {
     649    if ( ! is_array( $data ) || empty( $data ) ) {
     650        return false;
     651    }
     652
     653    if ( null === $node ) {
     654        $node = new SimpleXMLElement( '<oembed></oembed>' );
     655    }
     656
     657    foreach ( $data as $key => $value ) {
     658        if ( is_numeric( $key ) ) {
     659            $key = 'oembed';
     660        }
     661
     662        if ( is_array( $value ) ) {
     663            $item = $node->addChild( $key );
     664            _oembed_create_xml( $value, $item );
     665        } else {
     666            $node->addChild( $key, esc_html( $value ) );
     667        }
     668    }
     669
     670    return $node->asXML();
     671}
     672
     673/**
     674 * Filters the returned oEmbed HTML.
     675 *
     676 * If the $url isn't on the trusted providers list,
     677 * we need to filter the HTML heavily for security.
     678 *
     679 * Only filters 'rich' and 'html' response types.
     680 *
     681 * @since 4.4.0
     682 *
     683 * @param string $return The returned oEmbed HTML.
     684 * @param object $data   A data object result from an oEmbed provider.
     685 * @param string $url    The URL of the content to be embedded.
     686 * @return string The filtered and sanitized oEmbed result.
     687 */
     688function wp_filter_oembed_result( $return, $data, $url ) {
     689    if ( false === $return || ! in_array( $data->type, array( 'rich', 'video' ) ) ) {
     690        return $return;
     691    }
     692
     693    require_once( ABSPATH . WPINC . '/class-oembed.php' );
     694    $wp_oembed = _wp_oembed_get_object();
     695
     696    // Don't modify the HTML for trusted providers.
     697    if ( false !== $wp_oembed->get_provider( $url, array( 'discover' => false ) ) ) {
     698        return $return;
     699    }
     700
     701    $allowed_html = array(
     702        'iframe' => array(
     703            'src'          => true,
     704            'width'        => true,
     705            'height'       => true,
     706            'frameborder'  => true,
     707            'marginwidth'  => true,
     708            'marginheight' => true,
     709            'scrolling'    => true,
     710            'title'        => true,
     711            'class'        => true,
     712        ),
     713    );
     714
     715    $html = wp_kses( $return, $allowed_html );
     716    preg_match( '|^.*(<iframe.*?></iframe>).*$|m', $html, $iframes );
     717
     718    if ( empty( $iframes ) ) {
     719        return false;
     720    }
     721
     722    $html = str_replace( '<iframe', '<iframe sandbox="allow-scripts" security="restricted"', $iframes[1] );
     723
     724    preg_match( '/ src=[\'"]([^\'"]*)[\'"]/', $html, $results );
     725
     726    if ( ! empty( $results ) ) {
     727        $secret = wp_generate_password( 10, false );
     728
     729        $url = esc_url( "{$results[1]}#?secret=$secret" );
     730
     731        $html = str_replace( $results[0], " src=\"$url\" data-secret=\"$secret\"", $html );
     732    }
     733
     734    return $html;
     735}
     736
     737/**
     738 * Filters the string in the "more" link displayed after a trimmed excerpt.
     739 *
     740 * @since 4.4.0
     741 *
     742 * @param string $more_string The string shown within the more link.
     743 * @return string The modified excerpt.
     744 */
     745function wp_oembed_excerpt_more( $more_string ) {
     746    if ( ! is_embed() ) {
     747        return $more_string;
     748    }
     749
     750    return sprintf(
     751        _x( '&hellip; %s', 'read more link', 'oembed-api' ),
     752        sprintf(
     753            '<a class="wp-embed-more" href="%s" target="_top">%s</a>',
     754            get_the_permalink(),
     755            __( 'Read more', 'oembed-api' )
     756        )
     757    );
     758}
     759
     760/**
     761 * Display the post excerpt for the embed template.
     762 *
     763 * @since 4.4.0
     764 */
     765function the_excerpt_embed() {
     766    $output = get_the_excerpt();
     767
     768    /**
     769     * Filter the post excerpt for the embed template.
     770     *
     771     * @param string $output The current post excerpt.
     772     */
     773    echo apply_filters( 'the_excerpt_embed', $output );
     774}
     775
     776/**
     777 * Filters the post excerpt for the embed template.
     778 *
     779 * Shows players for video and audio attachments.
     780 *
     781 * @since 4.4.0
     782 *
     783 * @param string $content The current post excerpt.
     784 * @return string The modified post excerpt.
     785 */
     786function wp_oembed_excerpt_attachment( $content ) {
     787    if ( is_attachment() ) {
     788        return prepend_attachment( '' );
     789    }
     790
     791    return $content;
     792}
     793
     794/**
     795 * Print the CSS in the embed iframe header.
     796 *
     797 * @since 4.4.0
     798 */
     799function print_oembed_embed_styles() {
     800    ?>
     801    <style type="text/css">
     802    <?php
     803        if ( WP_DEBUG ) {
     804            readfile( ABSPATH . WPINC . "/css/wp-oembed-embed.css" );
     805        } else {
     806            /*
     807             * If you're looking at a src version of this file, you'll see an "include"
     808             * statement below. This is used by the `grunt build` process to directly
     809             * include a minified version of wp-oembed-embed.css, instead of using the
     810             * readfile() method from above.
     811             *
     812             * If you're looking at a build version of this file, you'll see a string of
     813             * minified CSS. If you need to debug it, please turn on WP_DEBUG
     814             * and edit wp-oembed-embed.css directly.
     815             */
     816            ?>
     817            include "css/wp-oembed-embed.min.css"
     818            <?php
     819        }
     820    ?>
     821    </style>
     822    <?php
     823}
     824
     825/**
     826 * Print the CSS in the embed iframe header.
     827 *
     828 * @since 4.4.0
     829 */
     830function print_oembed_embed_scripts() {
     831    ?>
     832    <script type="text/javascript">
     833    <?php
     834        if ( SCRIPT_DEBUG ) {
     835            readfile( ABSPATH . WPINC . "/js/wp-oembed-embed.js" );
     836        } else {
     837            /*
     838             * If you're looking at a src version of this file, you'll see an "include"
     839             * statement below. This is used by the `grunt build` process to directly
     840             * include a minified version of wp-oembed-embed.js, instead of using the
     841             * readfile() method from above.
     842             *
     843             * If you're looking at a build version of this file, you'll see a string of
     844             * minified JavaScript. If you need to debug it, please turn on SCRIPT_DEBUG
     845             * and edit wp-oembed-embed.js directly.
     846             */
     847            ?>
     848            include "js/wp-oembed-embed.min.js"
     849            <?php
     850        }
     851    ?>
     852    </script>
     853    <?php
     854}
Note: See TracChangeset for help on using the changeset viewer.