
Changeset 55768


Timestamp:
05/16/2023 02:45:37 PM (19 months ago)
Author:
audrasjb
Message:

Embeds: Add protocol validation for WordPress Embed code.

Validate that links within auto-discovered embeds are using the http or https protocols before following links.

Props xknown, dd32, peterwilsoncc.
Merges [55763] to branch 6.2.

File:
1 edited

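--- a/branches/6.2/src/js/_enqueues/wp/embed.js
+++ b/branches/6.2/src/js/_enqueues/wp/embed.js
@@ -50,4 +50,5 @@
         var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
             blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+            allowedProtocols = new RegExp( '^https?:$', 'i' ),
             i, source, height, sourceURL, targetURL;
 
@@ -84,4 +85,9 @@
                 sourceURL.href = source.getAttribute( 'src' );
                 targetURL.href = data.value;
+
+                /* Only follow link if the protocol is in the allow list. */
+                if ( ! allowedProtocols.test( targetURL.protocol ) ) {
+                    continue;
+                }
 
                 /* Only continue if link hostname matches iframe's hostname. */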
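Review bot: The allow list declared on new line 52 would read more clearly as a regex literal, `allowedProtocols = /^https?:$/i,`, since `new RegExp` with a string only earns its keep when the pattern is built at runtime. If `targetURL` is an anchor or URL object (it is created outside the hunk, so I cannot confirm), its `protocol` getter already yields a lowercased scheme with a trailing colon, so the anchored `^https?:$` is the right shape and the `i` flag is harmless but probably redundant. What the new check on line 89 does not cover is a same-host downgrade from an https iframe to an http link, which the hostname comparison that follows on line 93 will not reject either; if that matters, comparing `targetURL.protocol` against `sourceURL.protocol` in the same guard would close it. The enclosing loop and message handler both begin and end outside the hunk.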