[wp-trac] [WordPress Trac] #61127: Make `wp_filter_oembed_result` less strict

WordPress Trac noreply at wordpress.org
Thu May 2 10:09:08 UTC 2024


#61127: Make `wp_filter_oembed_result` less strict
-------------------------+-----------------------------
 Reporter:  swissspidy   |      Owner:  (none)
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Embeds       |    Version:  4.4
 Severity:  normal       |   Keywords:  has-patch
  Focuses:               |
-------------------------+-----------------------------
 This is something I noticed while reviewing the Bluesky oEmbed endpoint in
 #61020.

 Said provider returns data such as this:


 {{{
 {
 type: "rich",
 version: "1.0",
 author_name: "Bluesky (@bsky.app)",
 author_url: "https://bsky.app/profile/bsky.app",
 provider_url: "Bluesky Social",
 cache_age: 86400,
 width: 600,
 height: null,
 html: "<blockquote class="bluesky-embed" data-bluesky-uri="at://did:plc:z72i7hdynmk6r22z27h6tvur/app.bsky.feed.post/3kqjaq2begs2s" data-bluesky-cid="bafyreiemvzul73xccne3qzfn2jbinn5yq3yk2gpvi2xlr2bxfva6fvb6m4"><p lang="en">We're always excited to welcome journalists and news organizations to Bluesky! 🗞️

 Journalists have continuously been one of the backbones of social media. It's incredibly important to have a space for healthy real-time discussion.

 📧 press at blueskyweb.xyz
 🙋 Press FAQ: bsky.social/about/blog/p...</p>— <a href="https://bsky.app/profile/did:plc:z72i7hdynmk6r22z27h6tvur?ref_src=embed">Bluesky (@bsky.app)</a> <a href="https://bsky.app/profile/did:plc:z72i7hdynmk6r22z27h6tvur/post/3kqjaq2begs2s?ref_src=embed">2024-04-19T21:21:32.853Z</a></blockquote><script async src="https://embed.bsky.app/static/embed.js" charset="utf-8"></script>"
 }
 }}}

 The HTML contains a `<blockquote>` with some `<p>` and `<a>` in it, and a
 `<script>` tag.

 Right now, this provider isn't in the allowlist, so when I try to embed
 it, WordPress successfully gets the HTML, but then
 `wp_filter_oembed_result` strips all markup because while it contains a
 `<blockquote>` (which is allowed), it does not contain an `<iframe>`
 (which the function requires). So `wp_filter_oembed_result` and ultimately
 the `wp-json/oembed/1.0/proxy` REST endpoint return `false` for the `html`
 property, which means no embed is happening, and all you get on the
 frontend is the URL of the Bluesky post, and it is not even linked.

 To improve the experience with such untrusted providers, I think we could
 at least allow standalone `<blockquote>` and `<p>` tags without requiring
 an `<iframe>`.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61127>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform