Make WordPress Core

Opened 4 weeks ago

Last modified 4 weeks ago

#61127 new enhancement

Make `wp_filter_oembed_result` less strict

Reported by: swissspidy
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.4
Component: Embeds
Keywords: has-patch needs-unit-tests
Focuses:
Cc:

Description

This is something I noticed while reviewing the Bluesky oEmbed endpoint in #61020.

Said provider returns data such as this:

{
type: "rich",
version: "1.0",
author_name: "Bluesky (@bsky.app)",
author_url: "https://bsky.app/profile/bsky.app",
provider_url: "Bluesky Social",
cache_age: 86400,
width: 600,
height: null,
html: "<blockquote class="bluesky-embed" data-bluesky-uri="at://did:plc:z72i7hdynmk6r22z27h6tvur/app.bsky.feed.post/3kqjaq2begs2s" data-bluesky-cid="bafyreiemvzul73xccne3qzfn2jbinn5yq3yk2gpvi2xlr2bxfva6fvb6m4"><p lang="en">We&#39;re always excited to welcome journalists and news organizations to Bluesky! 🗞️

Journalists have continuously been one of the backbones of social media. It&#39;s incredibly important to have a space for healthy real-time discussion.

📧 press@blueskyweb.xyz
🙋 Press FAQ: bsky.social/about/blog/p...</p>&mdash; <a href="https://bsky.app/profile/did:plc:z72i7hdynmk6r22z27h6tvur?ref_src=embed">Bluesky (@bsky.app)</a> <a href="https://bsky.app/profile/did:plc:z72i7hdynmk6r22z27h6tvur/post/3kqjaq2begs2s?ref_src=embed">2024-04-19T21:21:32.853Z</a></blockquote><script async src="https://embed.bsky.app/static/embed.js" charset="utf-8"></script>"
}

The HTML contains a <blockquote> with some <p> and <a> in it, and a <script> tag.

Right now, this provider isn't in the allowlist, so when I try to embed it, WordPress successfully gets the HTML, but then wp_filter_oembed_result strips all markup because while it contains a <blockquote> (which is allowed), it does not contain an <iframe> (which the function requires). So wp_filter_oembed_result and ultimately the wp-json/oembed/1.0/proxy REST endpoint return false for the html property, which means no embed is happening, and all you get on the frontend is the URL of the Bluesky post, and it is not even linked.

To improve the experience with such untrusted providers, I think we could at least allow standalone <blockquote> and <p> tags without requiring an <iframe>.
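The current check and the relaxed one the ticket proposes, side by side in a stand-alone Python model added here (this is not WordPress core's PHP and not the author's patch). The allowlist and the iframe regex are reconstructed from memory of wp_filter_oembed_result and the sanitizer is a minimal kses-like stand-in, so treat those details as assumptions; the Bluesky sample is a trimmed, constructed version of the response above with placeholder identifiers, and the second sample is a made-up iframe provider.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist modelled on the one wp_filter_oembed_result passes to wp_kses for
# untrusted providers (reconstructed from memory of core; an assumption, not core's code).
ALLOWED_STRICT = {
    "a": {"href"},
    "blockquote": set(),
    "iframe": {"src", "width", "height", "frameborder", "marginwidth",
               "marginheight", "scrolling", "title"},
}
# The ticket's proposal: additionally keep <p>, and accept a <blockquote> with no <iframe>.
ALLOWED_RELAXED = {**ALLOWED_STRICT, "p": set()}

# Same shape as the core regex: an optional leading <blockquote>, then a required <iframe>.
IFRAME_RE = re.compile(r"(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)", re.S)
BLOCKQUOTE_RE = re.compile(r"<blockquote>.*?</blockquote>", re.S)


class KsesLike(HTMLParser):
    """Keep allowlisted tags and attributes; drop other tag markup but keep its text."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.allowed = allowed
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # tag markup dropped; its inner text still arrives via handle_data
        kept = [(k, v) for k, v in attrs if k in self.allowed[tag] and v is not None]
        attr_str = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_str}>")

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def kses(html, allowed):
    parser = KsesLike(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def sandbox_iframe(iframe):
    """Core adds these attributes so an untrusted embed cannot script the host page."""
    return iframe.replace(
        "<iframe", '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', 1)


def filter_oembed_result_strict(html):
    """Current behaviour: <iframe> is mandatory; anything else yields False (no embed)."""
    clean = kses(html, ALLOWED_STRICT)
    m = IFRAME_RE.search(clean)
    if not m:
        return False
    return (m.group(1) or "") + sandbox_iframe(m.group(2))


def filter_oembed_result_relaxed(html):
    """Proposed behaviour: fall back to a standalone sanitized <blockquote> when there is no <iframe>."""
    clean = kses(html, ALLOWED_RELAXED)
    m = IFRAME_RE.search(clean)
    if m:
        return (m.group(1) or "") + sandbox_iframe(m.group(2))
    bq = BLOCKQUOTE_RE.search(clean)
    return bq.group(0) if bq else False


# Constructed samples: a trimmed Bluesky-style response and a made-up iframe provider.
BLUESKY_HTML = (
    '<blockquote class="bluesky-embed" data-bluesky-uri="at://did:plc:example/app.bsky.feed.post/abc">'
    '<p lang="en">We&#39;re always excited to welcome journalists!</p>'
    '&mdash; <a href="https://bsky.app/profile/bsky.app?ref_src=embed">Bluesky (@bsky.app)</a>'
    '</blockquote>'
    '<script async src="https://embed.bsky.app/static/embed.js" charset="utf-8"></script>'
)
IFRAME_HTML = (
    '<blockquote class="x"><p>fallback text</p></blockquote>'
    '<iframe src="https://example.com/embed/1" width="600" height="400" onload="alert(1)"></iframe>'
)

if __name__ == "__main__":
    print(filter_oembed_result_strict(BLUESKY_HTML))   # False: no iframe present
    print(filter_oembed_result_relaxed(BLUESKY_HTML))  # sanitized blockquote, script gone
    print(filter_oembed_result_strict(IFRAME_HTML))    # sandboxed iframe, onload stripped
```

The line to look at when reviewing a patch along these lines is the fallback in the relaxed path: it returns the blockquote only after the allowlist pass, so Bluesky's `<script>` (and any attribute such as `onload`) never reaches the page. Allowing only `<blockquote>` and `<p>` therefore gives a static quote with links rather than a live embed.js widget, which is the trade-off the proposal implies for a provider that is not in the trusted list.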

Change History (3)

#1 @swissspidy
4 weeks ago

  • Keywords needs-unit-tests added

#2
4 weeks ago

  • Keywords needs-unit-tests removed

This ticket was mentioned in PR #6484 on WordPress/wordpress-develop by @swissspidy.

#3 @swissspidy
4 weeks ago

  • Keywords needs-unit-tests added