File:
1 edited

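--- a/tags/6.2.1/src/js/_enqueues/wp/embed.js
+++ b/tags/6.2.1/src/js/_enqueues/wp/embed.js
@@ -50,4 +50,5 @@
         var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
             blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+            allowedProtocols = new RegExp( '^https?:$', 'i' ),
             i, source, height, sourceURL, targetURL;
 
@@ -84,4 +85,9 @@
                 sourceURL.href = source.getAttribute( 'src' );
                 targetURL.href = data.value;
+
+                /* Only follow link if the protocol is in the allow list. */
+                if ( ! allowedProtocols.test( targetURL.protocol ) ) {
+                    continue;
+                }
 
                 /* Only continue if link hostname matches iframe's hostname. */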
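Review bot: The allow-list test at new lines 88–91 inspects the parsed `targetURL.protocol`, while the value it is meant to vouch for is the raw `data.value` assigned at new line 86. The navigation itself happens after this hunk, so I cannot confirm which string it uses. If it assigns `data.value`, navigating with `targetURL.href` instead would guarantee that the URL checked and the URL followed are the same parsed value. As a style point, `allowedProtocols` at new line 52 could be the literal `/^https?:$/i` rather than `new RegExp( '^https?:$', 'i' )`, which keeps the pattern out of a string. The enclosing loop and function begin and end outside the visible lines.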