Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#43136 closed defect (bug) (invalid)

WP_oEmbed_Controller->get_item() returns a blockquote without the data-secret attribute

Reported by: imath's profile imath Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.4
Component: Embeds Keywords: has-patch has-unit-tests
Focuses: rest-api Cc:



Working on an issue with Gutenberg about self embed posts, i've noticed this Rest controller's callback (get_item()) was not returning a reply containing the data-secret attributes the wp-embed.js script needs in order to hide the blockquote.

That's probably because the filter pre_oembed_result is not fired. Resetting the $data['html'] using the wp_filter_pre_oembed_result() is making sure the data-secret attribute is added when returning the reply.

Attachments (1)

43136.diff (1.5 KB) - added by imath 6 years ago.

Download all attachments as: .zip

Change History (4)

6 years ago

#1 @imath
6 years ago

  • Keywords has-patch has-unit-tests added

#2 @swissspidy
6 years ago

  • Version changed from trunk to 4.4

For some history: this goes all the way back to

Shouldn't the wp-embed.js script add secrets if they're missing? If that's not working properly, I'd fix that in the JS.

@pento Perhaps you remember this better than I do :-)

#3 @pento
6 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

The current behaviour of the endpoint is correct, the secret must to be added by the embedding site, not the embedded site.

If the embedded site were to provide a secret that the embedding site then trusted, it could potentially give a secret that another embed on the same page is using. That would allow the embedded site to break out of the iframe on page load (instead of when it's being interacted with), or prevent other embedded sites from functioning correctly.

I'm going to close this issue, and review the Gutenberg issue.

Note: See TracTickets for help on using tickets.