Opened 5 months ago
Last modified 5 months ago
#61127 new enhancement
Make `wp_filter_oembed_result` less strict
| Reported by: | swissspidy | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 4.4 |
| Component: | Embeds | Keywords: | has-patch needs-unit-tests |
| Focuses: | | Cc: | |

Description
This is something I noticed while reviewing the Bluesky oEmbed endpoint in #61020.
Said provider returns data such as this:
```
{
  type: "rich",
  version: "1.0",
  author_name: "Bluesky (@bsky.app)",
  author_url: "https://bsky.app/profile/bsky.app",
  provider_url: "Bluesky Social",
  cache_age: 86400,
  width: 600,
  height: null,
  html: "<blockquote class="bluesky-embed" data-bluesky-uri="at://did:plc:z72i7hdynmk6r22z27h6tvur/app.bsky.feed.post/3kqjaq2begs2s" data-bluesky-cid="bafyreiemvzul73xccne3qzfn2jbinn5yq3yk2gpvi2xlr2bxfva6fvb6m4"><p lang="en">We're always excited to welcome journalists and news organizations to Bluesky! 🗞️ Journalists have continuously been one of the backbones of social media. It's incredibly important to have a space for healthy real-time discussion. 📧 press@blueskyweb.xyz 🙋 Press FAQ: bsky.social/about/blog/p...</p>— <a href="https://bsky.app/profile/did:plc:z72i7hdynmk6r22z27h6tvur?ref_src=embed">Bluesky (@bsky.app)</a> <a href="https://bsky.app/profile/did:plc:z72i7hdynmk6r22z27h6tvur/post/3kqjaq2begs2s?ref_src=embed">2024-04-19T21:21:32.853Z</a></blockquote><script async src="https://embed.bsky.app/static/embed.js" charset="utf-8"></script>"
}
```
The HTML contains a `<blockquote>` with some `<p>` and `<a>` in it, and a `<script>` tag.

Right now, this provider isn't in the allowlist, so when I try to embed it, WordPress successfully gets the HTML, but then `wp_filter_oembed_result` strips all markup because while it contains a `<blockquote>` (which is allowed), it does not contain an `<iframe>` (which the function requires). So `wp_filter_oembed_result` and ultimately the `wp-json/oembed/1.0/proxy` REST endpoint return `false` for the `html` property, which means no embed is happening, and all you get on the frontend is the URL of the Bluesky post, and it is not even linked.

To improve the experience with such untrusted providers, I think we could at least allow standalone `<blockquote>` and `<p>` tags without requiring an `<iframe>`.

Trac ticket: https://core.trac.wordpress.org/ticket/61127
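
The strict and relaxed behaviour discussed in the ticket, as an added example: this is a simplified Python model, not WordPress code and not the ticket's patch. The allowlist, the `filter_embed` function and its `require_iframe` parameter are assumptions made for illustration; the point is that the relaxed mode still drops `<script>` and non-allowlisted attributes.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this model: tag -> attributes that survive filtering.
ALLOWED = {"blockquote": set(), "p": set(), "a": {"href"},
           "iframe": {"src", "width", "height"}}
DROP_WITH_CONTENT = ("script", "style")

class AllowlistFilter(HTMLParser):
    """Re-emits only allowlisted tags and attributes; text is re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.seen, self.skip = [], set(), 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1  # discard the element together with its body
        elif tag in ALLOWED and not self.skip:
            kept = "".join(
                ' %s="%s"' % (k, escape(v)) for k, v in attrs
                if k in ALLOWED[tag] and v and (k not in ("href", "src")
                or v.lower().startswith(("https://", "http://"))))
            self.out.append("<%s%s>" % (tag, kept))
            self.seen.add(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and not self.skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def filter_embed(html, require_iframe=True):
    """Return filtered markup, or False when nothing embeddable remains."""
    f = AllowlistFilter()
    f.feed(html)
    f.close()
    if "iframe" in f.seen or (not require_iframe and "blockquote" in f.seen):
        return "".join(f.out)
    return False

# Constructed sample, shaped like the provider response quoted in the ticket.
SAMPLE = ('<blockquote class="bluesky-embed" data-bluesky-uri="at://example">'
          '<p lang="en">Hello</p><a href="https://bsky.app/profile/example">'
          'Example</a></blockquote><script async '
          'src="https://embed.bsky.app/static/embed.js"></script>')

print(filter_embed(SAMPLE))                        # strict behaviour
print(filter_embed(SAMPLE, require_iframe=False))  # relaxed behaviour
```

In the relaxed mode the embed degrades to a static quote with a link, since the provider's script never reaches the page.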