Make WordPress Core

Changeset 41448


Ignore:
Timestamp:
09/19/2017 01:41:52 PM (7 years ago)
Author:
aaroncampbell
Message:

oEmbed: Add extra hardening around allowed HTML for improved sandboxing.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/embed.php

    r40945 r41448  
    754754    $html = $content[1] . $content[2];
    755755
     756    preg_match( '/ src=([\'"])(.*?)\1/', $html, $results );
     757
     758    if ( ! empty( $results ) ) {
     759        $secret = wp_generate_password( 10, false );
     760
     761        $url = esc_url( "{$results[2]}#?secret=$secret" );
     762        $q = $results[1];
     763
     764        $html = str_replace( $results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html );
     765        $html = str_replace( '<blockquote', "<blockquote data-secret=\"$secret\"", $html );
     766    }
     767
     768    $allowed_html['blockquote']['data-secret'] = true;
     769    $allowed_html['iframe']['data-secret'] = true;
     770
     771    $html = wp_kses( $html, $allowed_html );
     772
    756773    if ( ! empty( $content[1] ) ) {
    757774        // We have a blockquote to fall back on. Hide the iframe by default.
     
    760777    }
    761778
    762     $html = str_replace( '<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html );
    763 
    764     preg_match( '/ src=[\'"]([^\'"]*)[\'"]/', $html, $results );
    765 
    766     if ( ! empty( $results ) ) {
    767         $secret = wp_generate_password( 10, false );
    768 
    769         $url = esc_url( "{$results[1]}#?secret=$secret" );
    770 
    771         $html = str_replace( $results[0], " src=\"$url\" data-secret=\"$secret\"", $html );
    772         $html = str_replace( '<blockquote', "<blockquote data-secret=\"$secret\"", $html );
    773     }
     779    $html = str_ireplace( '<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html );
    774780
    775781    return $html;
Note: See TracChangeset for help on using the changeset viewer.