[wp-trac] [WordPress Trac] #28195: Preview embeds with wpview and auto embed on paste
WordPress Trac
noreply at wordpress.org
Sun May 11 22:52:30 UTC 2014
#28195: Preview embeds with wpview and auto embed on paste
-------------------------+-------------------------
Reporter: avryl | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 4.0
Component: Media | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses: javascript
-------------------------+-------------------------
Comment (by azaozz):
This looks fun but don't think it will work in its current form. Appending
arbitrary JS that comes with the embeds in the editor is (very)
undesirable.
If the embed is "insulated" in an iframe, all seems good as long as it
doesn't touch anything outside the iframe (for example youtube). However
when the embed is not insulated, the included JS would affect the editor
in unpredictable ways. Don't think this is much of a security concern (we
trust the providers). Rather that JS is intended for the front-end and
would manipulate the DOM, attach events, etc. outside of the "wrapper"
element. For example embedding a tweet appends an
`<iframe id="rufous-sandbox" style="display: none;"...` to the editor body.
To make this work, all embeds will have to be in iframes in the editor.
Played a bit with inserting an iframe instead of fetching the HTML with
ajax. That would still hit the server simultaneously for all embeds every
time the editor DOM is rebuilt. Another approach would be to create the
iframe with JS when needed, similarly to how the TinyMCE iframe is
created. That would either need to do document.write() or append any JS to
the iframe head (unfortunately IE doesn't support `srcdoc` for iframes).
However it would be possible to cache the initial HTML instead of
requesting it every time.
Both of these would need setting the iframe height after it has been fully
loaded.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28195#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
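
The second approach in the comment above (create the iframe with JS, write cached embed HTML into it, set the height after load), sketched as an added example that is not part of the original message or of WordPress core. `getEmbedHtml`, `buildEmbedDocument`, `renderEmbed` and the `fetchHtml` callback are hypothetical names.

```javascript
// Added example; all names here are hypothetical, not WordPress core APIs.
const embedCache = new Map(); // embed URL -> Promise resolving to provider HTML

// Request the embed HTML once per URL, so rebuilding the editor DOM does not
// hit the server again for every embed.
function getEmbedHtml(url, fetchHtml) {
  if (!embedCache.has(url)) {
    const pending = Promise.resolve(fetchHtml(url)).catch((err) => {
      embedCache.delete(url); // never cache a failed request
      throw err;
    });
    embedCache.set(url, pending);
  }
  return embedCache.get(url);
}

// Wrap the provider markup, including its <script> tags, in a full document
// so the script's body appends and global queries stay inside the iframe.
function buildEmbedDocument(embedHtml) {
  return '<!DOCTYPE html><html><head><meta charset="utf-8">' +
    '<style>html,body{margin:0;padding:0}</style></head><body>' +
    embedHtml + '</body></html>';
}

// Browser only. Creates the iframe with JS and fills it with document.write(),
// since srcdoc is not available in IE. This isolates the DOM only: the frame
// is same-origin, so its script can still reach the editor via window.parent.
function renderEmbed(container, url, fetchHtml) {
  return getEmbedHtml(url, fetchHtml).then((html) => {
    const iframe = document.createElement('iframe');
    iframe.style.width = '100%';
    iframe.style.border = '0';
    // Set the height only after the embed document has fully loaded.
    iframe.addEventListener('load', () => {
      const root = iframe.contentWindow.document.documentElement;
      iframe.style.height = root.scrollHeight + 'px';
    });
    container.appendChild(iframe);
    const doc = iframe.contentWindow.document;
    doc.open();
    doc.write(buildEmbedDocument(html));
    doc.close();
    return iframe;
  });
}
```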