Make WordPress Core

Opened 15 months ago

Last modified 5 months ago

#61127 new enhancement

Make `wp_filter_oembed_result` less strict

Reported by: swissspidy
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.4
Component: Embeds
Keywords: has-patch has-unit-tests
Focuses:
Cc:

Description

This is something I noticed while reviewing the Bluesky oEmbed endpoint in #61020.

Said provider returns data such as this:

{
type: "rich",
version: "1.0",
author_name: "Bluesky (@bsky.app)",
author_url: "https://bsky.app/profile/bsky.app",
provider_url: "Bluesky Social",
cache_age: 86400,
width: 600,
height: null,
html: "<blockquote class="bluesky-embed" data-bluesky-uri="at://did:plc:z72i7hdynmk6r22z27h6tvur/app.bsky.feed.post/3kqjaq2begs2s" data-bluesky-cid="bafyreiemvzul73xccne3qzfn2jbinn5yq3yk2gpvi2xlr2bxfva6fvb6m4"><p lang="en">We&#39;re always excited to welcome journalists and news organizations to Bluesky! 🗞️

Journalists have continuously been one of the backbones of social media. It&#39;s incredibly important to have a space for healthy real-time discussion.

📧 press@blueskyweb.xyz
🙋 Press FAQ: bsky.social/about/blog/p...</p>&mdash; <a href="https://bsky.app/profile/did:plc:z72i7hdynmk6r22z27h6tvur?ref_src=embed">Bluesky (@bsky.app)</a> <a href="https://bsky.app/profile/did:plc:z72i7hdynmk6r22z27h6tvur/post/3kqjaq2begs2s?ref_src=embed">2024-04-19T21:21:32.853Z</a></blockquote><script async src="https://embed.bsky.app/static/embed.js" charset="utf-8"></script>"
}

The HTML contains a <blockquote> with some <p> and <a> in it, and a <script> tag.

Right now, this provider isn't in the allowlist, so when I try to embed it, WordPress successfully gets the HTML, but then wp_filter_oembed_result strips all markup because while it contains a <blockquote> (which is allowed), it does not contain an <iframe> (which the function requires). So wp_filter_oembed_result and ultimately the wp-json/oembed/1.0/proxy REST endpoint return false for the html property, which means no embed is happening, and all you get on the frontend is the URL of the Bluesky post, and it is not even linked.

To improve the experience with such untrusted providers, I think we could at least allow standalone <blockquote> and <p> tags without requiring an <iframe>.
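
The behaviour described above, as an added PHP sketch that is not WordPress core code and not part of the ticket: it filters a constructed provider response once with the `<iframe>` requirement and once without it, and in both cases drops `<script>` and every attribute outside the allowlist. The function name `model_filter_oembed_html()`, its allowlist and the DOMDocument approach are assumptions made for illustration.

```php
<?php
// Added sketch, not WordPress core code. model_filter_oembed_html() and its
// allowlist are hypothetical stand-ins for the filtering the ticket describes.
function model_filter_oembed_html( string $html, bool $require_iframe ) {
	$allowed = array( // tag => attributes kept
		'blockquote' => array(),
		'p'          => array(),
		'a'          => array( 'href' ),
		'iframe'     => array( 'src' ),
	);
	libxml_use_internal_errors( true ); // Provider markup is rarely valid HTML.
	$doc = new DOMDocument();
	$doc->loadHTML( '<?xml encoding="UTF-8"?><div>' . $html . '</div>' );
	libxml_clear_errors();
	$root = $doc->getElementsByTagName( 'div' )->item( 0 );

	foreach ( iterator_to_array( $root->getElementsByTagName( '*' ) ) as $el ) {
		$tag = strtolower( $el->nodeName );
		if ( ! isset( $allowed[ $tag ] ) ) {
			// Drop <script>/<style> with their contents; unwrap anything else.
			while ( $el->firstChild && ! in_array( $tag, array( 'script', 'style' ), true ) ) {
				$el->parentNode->insertBefore( $el->firstChild, $el );
			}
			$el->parentNode->removeChild( $el );
			continue;
		}
		foreach ( iterator_to_array( $el->attributes ) as $attr ) {
			// Keep only allowlisted attributes that hold an http(s) URL.
			$is_url = in_array( $attr->name, $allowed[ $tag ], true )
				&& preg_match( '#^https?://#i', $attr->value );
			if ( ! $is_url ) {
				$el->removeAttribute( $attr->name );
			}
		}
	}
	// Behaviour reported in the ticket: no <iframe> means no embed at all.
	if ( $require_iframe && 0 === $root->getElementsByTagName( 'iframe' )->length ) {
		return false;
	}
	$out = '';
	foreach ( $root->childNodes as $child ) {
		$out .= $doc->saveHTML( $child );
	}
	return trim( $out );
}

// Constructed sample shaped like the provider response quoted in the ticket.
$sample = '<blockquote class="bluesky-embed" data-bluesky-uri="at://example"><p lang="en">Hello</p>&mdash; <a href="https://bsky.app/profile/bsky.app">Bluesky (@bsky.app)</a></blockquote><script async src="https://embed.bsky.app/static/embed.js" charset="utf-8"></script>';
var_dump( model_filter_oembed_html( $sample, true ) );  // iframe required
var_dump( model_filter_oembed_html( $sample, false ) ); // standalone blockquote allowed
```

With the requirement on, the sketch returns `false` for this sample; with it off, the quote, paragraph and link survive while the script and the `class`, `lang` and `data-*` attributes are removed.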

Change History (4)

#1 @swissspidy
15 months ago

  • Keywords needs-unit-tests added

This ticket was mentioned in PR #6484 on WordPress/wordpress-develop by @swissspidy.


15 months ago
#2

  • Keywords needs-unit-tests removed

#3 @swissspidy
15 months ago

  • Keywords needs-unit-tests added

This ticket was mentioned in PR #8300 on WordPress/wordpress-develop by @sainathpoojary.


5 months ago
#4

  • Keywords has-unit-tests added; needs-unit-tests removed

### Summary
This PR resolves conflicts from PR #6484 and adds unit tests to ensure proper behavior of wp_filter_oembed_result().

### Changes

  • Resolved merge conflicts from the previous PR.
  • Added test cases to verify:
    • Paragraphs inside blockquotes are preserved.
    • Multiple paragraphs within blockquotes render correctly.
    • Inline elements (e.g., links) remain intact.

### Testing Instructions

  1. Run PHPUnit tests:
     `npm run test:php -- --filter=Tests_Filter_oEmbed_Result`
  2. Ensure all tests pass successfully.

Trac Ticket: #61127
