_oembed_create_xml() uses SimpleXML, which can be disabled

[johnbillion]

_oembed_create_xml() uses the SimpleXMLElement class without first detecting whether it's available. Unfortunately, the simplexml extension can be disabled.

Introduced in [34903].

[swissspidy]

In which other places does core generate XML data? It would be great to have 1 standard function or class to generate XML.

[swissspidy]

As discussed in the dev chat, string building might be the only option here. I've chatted with @rmccue about this before, so it'd be great to have his opinion on this.

Notes:

There’s a WXR CDATA function we may want to have wrap something more general if we want to use it.

Last resort:

Another option would be to remove XML support from the oEmbed endpoint.

[johnbillion]

Adding to the list of options: require SimpleXML for XML oEmbed endpoints, return a 501 if it's been disabled.

[rmccue]

We build XML via string manipulation in a lot of places (urgh), so that's an option, albeit a sucky one. If we do that, we need to be extremely careful about sanitisation, and not producing invalid UTF-8.

I'd prefer not to; I think we could probably get away with a 501, since I'd expect lots of people are using JSON anyway. It's optional per the oEmbed spec anyway. (We could probably remove all of the XML handling if we really wanted; @swissspidy would know more about compatibility though.)

[swissspidy]

Option A: Check for SimpleXML availability

[swissspidy]

Option B: Remove XML endpoint completely

[swissspidy]

We ​originally added XML support to the plugin because it seemed easy to do so. Before that, we sent a 501 when requesting something else than JSON.

Using string building isn't my favorite option. Checking for SimpleXML and sending a 501 if it isn't available is easier (see 34274_a.diff​).

However, I don't think there really are many people using XML for oEmbed. Removing that completely would simplify many parts of the oEmbed functionality (see 34274_b.diff​). If someone really wants XML, I can write a plugin for that.

When considering that the REST API is JSON-only and we might use that for the endpoint (see #34207), encouraging users to use JSON would make even more sense.

[Viper007Bond]

I think it's worth keeping XML support even if it's the less popular option, but I agree that it's fine to 501 in the event that SimpleXML isn't supported.

[swissspidy]

Let's go with 34274_a.diff​ then.

[wonderboymusic]

In 35354:

oEmbed: if SimpleXMLElement does not exist, return an HTTP Error 501 Not implemented response.

Props swissspidy.
Fixes #34274.