Changeset 35577

Timestamp:

11/09/2015 12:07:03 AM (10 years ago)

Author:

pento

Message:

Embeds: Fix support for embedding in non-WordPress sites.

This moves the last of the iframe message code from PHP to JavaScript, so it can be included in any site, without needing to rely on any of WordPress' internal behaviour.

Props swissspidy.

Fixes #34451.

Location:

trunk

Files:

• src/wp-includes/embed-functions.php (modified) (5 diffs)
• src/wp-includes/js/wp-embed-template.js (modified) (2 diffs)
• src/wp-includes/js/wp-embed.js (modified) (1 diff)
• tests/phpunit/tests/oembed/filterResult.php (modified) (3 diffs)

trunk/src/wp-includes/embed-functions.php

@@ -461 +461 @@
     $embed_url = get_post_embed_url( $post );
 
-    $output = '<blockquote><a href="' . get_permalink( $post ) . '">' . get_the_title( $post ) . "</a></blockquote>\n";
+    $output = '<blockquote class="wp-embedded-content"><a href="' . esc_url( get_permalink( $post ) ) . '">' . get_the_title( $post ) . "</a></blockquote>\n";
 
     $output .= "<script type='text/javascript'>\n";
@@ -755 +755 @@
     $allowed_html = array(
         'a'          => array(
-                    'href' => true,
+            'href'         => true,
         ),
         'blockquote' => array(),
@@ -767 +767 @@
             'scrolling'    => true,
             'title'        => true,
-            'class'        => true,
         ),
     );
@@ -783 +782 @@
         // We have a blockquote to fall back on. Hide the iframe by default.
         $html = str_replace( '<iframe', '<iframe style="display:none;"', $html );
-    }
-
-    $html = str_replace( '<iframe', '<iframe sandbox="allow-scripts" security="restricted"', $html );
+        $html = str_replace( '<blockquote', '<blockquote class="wp-embedded-content"', $html );
+    }
+
+    $html = str_replace( '<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html );
 
     preg_match( '/ src=[\'"]([^\'"]*)[\'"]/', $html, $results );
@@ -957 +957 @@
  */
 function _oembed_filter_feed_content( $content ) {
-    return str_replace( '<iframe sandbox="allow-scripts" security="restricted" style="display:none;"', '<iframe sandbox="allow-scripts" security="restricted"', $content );
-}
+    return str_replace( '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="display:none;"', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $content );
+}

trunk/src/wp-includes/js/wp-embed-template.js

@@ -2 +2 @@
     'use strict';
 
-    var secret = window.location.hash.replace( /.*secret=([\d\w]{10}).*/, '$1' ),
-        supportedBrowser = ( document.querySelector && window.addEventListener ),
+    var supportedBrowser = ( document.querySelector && window.addEventListener ),
         loaded = false,
+        secret,
+        secretTimeout,
         resizing;
 
@@ -178 +179 @@
     }
 
+    /**
+     * Re-get the secret when it was added later on.
+     */
+    function getSecret() {
+        if ( window.self === window.top || !!secret ) {
+            return;
+        }
+
+        secret = window.location.hash.replace( /.*secret=([\d\w]{10}).*/, '$1' );
+
+        clearTimeout( secretTimeout );
+
+        secretTimeout = setTimeout( function () {
+            getSecret();
+        }, 100 );
+    }
+
     if ( supportedBrowser ) {
+        getSecret();
         document.documentElement.className = document.documentElement.className.replace( /\bno-js\b/, '' ) + ' js';
         document.addEventListener( 'DOMContentLoaded', onLoad, false );

trunk/src/wp-includes/js/wp-embed.js

@@ -65 +65 @@
 
         var isIE10 = -1 !== navigator.appVersion.indexOf( 'MSIE 10' ),
-            isIE11 = !!navigator.userAgent.match( /Trident.*rv\:11\./ ),
-            iframes, iframeClone, i;
+            isIE11 = !!navigator.userAgent.match( /Trident.*rv:11\./ ),
+            iframes = document.querySelectorAll( 'iframe.wp-embedded-content' ),
+            blockquotes = document.querySelectorAll( 'blockquote.wp-embedded-content' ),
+            iframeClone, i, source, secret;
 
-        /* Remove security attribute from iframes in IE10 and IE11. */
-        if ( isIE10 || isIE11 ) {
-            iframes = document.querySelectorAll( '.wp-embedded-content[security]' );
+        for ( i = 0; i < blockquotes.length; i++ ) {
+            blockquotes[ i ].style.display = 'none';
+        }
 
-            for ( i = 0; i < iframes.length; i++ ) {
-                iframeClone = iframes[ i ].cloneNode( true );
+        for ( i = 0; i < iframes.length; i++ ) {
+            source = iframes[ i ];
+            source.style.display = '';
+
+            if ( !source.getAttribute( 'data-secret' ) ) {
+                /* Add secret to iframe */
+                secret = Math.random().toString( 36 ).substr( 2, 10 );
+                source.src += '#?secret=' + secret;
+                source.setAttribute( 'data-secret', secret );
+            }
+
+            /* Remove security attribute from iframes in IE10 and IE11. */
+            if ( ( isIE10 || isIE11 ) && !!source.getAttribute( 'security' ) ) {
+                iframeClone = source.cloneNode( true );
                 iframeClone.removeAttribute( 'security' );
-                iframes[ i ].parentNode.replaceChild( iframeClone, iframes[ i ] );
+                source.parentNode.replaceChild( iframeClone, source );
             }
         }

trunk/tests/phpunit/tests/oembed/filterResult.php

@@ -29 +29 @@
         $actual = wp_filter_oembed_result( $html, (object) array( 'type' => 'rich' ), '' );
 
-        $this->assertEquals( '<iframe sandbox="allow-scripts" security="restricted"></iframe>', $actual );
+        $this->assertEquals( '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"></iframe>', $actual );
     }
 
@@ -42 +42 @@
         $actual = wp_filter_oembed_result( $html, (object) array( 'type' => 'rich' ), '' );
 
-        $this->assertEquals( '<iframe sandbox="allow-scripts" security="restricted"></iframe>', $actual );
+        $this->assertEquals( '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"></iframe>', $actual );
     }
 
@@ -84 +84 @@
         $actual = wp_filter_oembed_result( $html, (object) array( 'type' => 'rich' ), '' );
 
-        $this->assertEquals( '<blockquote></blockquote><iframe sandbox="allow-scripts" security="restricted" style="display:none;"></iframe>', $actual );
+        $this->assertEquals( '<blockquote class="wp-embedded-content"></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="display:none;"></iframe>', $actual );
     }
 
     function test_filter_oembed_result_allowed_html() {
-        $html   = '<blockquote><strong><a href="" target=""></a></strong></blockquote><iframe></iframe>';
+        $html   = '<blockquote class="foo" id="bar"><strong><a href="" target=""></a></strong></blockquote><iframe></iframe>';
         $actual = wp_filter_oembed_result( $html, (object) array( 'type' => 'rich' ), '' );
 
-        $this->assertEquals( '<blockquote><a href=""></a></blockquote><iframe sandbox="allow-scripts" security="restricted" style="display:none;"></iframe>', $actual );
+        $this->assertEquals( '<blockquote class="wp-embedded-content"><a href=""></a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="display:none;"></iframe>', $actual );
+    }
+
+    /**
+     * @group feed
+     */
+    function test_filter_feed_content() {
+        $html   = '<blockquote></blockquote><iframe></iframe>';
+        $actual = _oembed_filter_feed_content( wp_filter_oembed_result( $html, (object) array( 'type' => 'rich' ), '' ) );
+
+        $this->assertEquals( '<blockquote class="wp-embedded-content"></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"></iframe>', $actual );
     }
 }