

Timestamp:
10/12/2023 12:45:49 PM (12 months ago)
Author:
audrasjb
Message:

Shortcodes: Restrict ajax handler for media shortcode.

Props tykoted, xknown, peterwilsoncc, antpb, jorbin.

File:
1 edited

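--- a/trunk/src/wp-admin/includes/ajax-actions.php
+++ b/trunk/src/wp-admin/includes/ajax-actions.php
@@ -3883,4 +3883,20 @@
     $shortcode = wp_unslash( $_POST['shortcode'] );
 
+    // Only process previews for media related shortcodes:
+    $found_shortcodes = get_shortcode_tags_in_content( $shortcode );
+    $media_shortcodes = array(
+        'audio',
+        'embed',
+        'playlist',
+        'video',
+        'gallery',
+    );
+
+    $other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes );
+
+    if ( ! empty( $other_shortcodes ) ) {
+        wp_send_json_error();
+    }
+
     if ( ! empty( $_POST['post_ID'] ) ) {
         $post = get_post( (int) $_POST['post_ID'] );
@@ -3889,5 +3905,5 @@
     // The embed shortcode requires a post.
     if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) {
-        if ( 'embed' === $shortcode ) {
+        if ( in_array( 'embed', $found_shortcodes, true ) ) {
             wp_send_json_error();
         }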
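Review bot: The allowlist check at new lines 3895–3899 fails open when `$found_shortcodes` comes back empty, because `array_diff()` then yields an empty array and the request continues into the rest of the handler, which lies outside this hunk. A media preview request should always carry one of the five listed tags, so rejecting the empty case as well makes the check fail closed: `if ( empty( $found_shortcodes ) || ! empty( $other_shortcodes ) ) {`. The restriction is also only as strong as the agreement between `get_shortcode_tags_in_content()` and whatever later renders `$shortcode`, so a unit test that passes nested and mixed media/non-media tags through this handler would pin that down. The new comment could state the reason rather than only the effect, for example `// Security: $shortcode comes from the request, so only media shortcodes may be previewed here.`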