[wp-trac] [WordPress Trac] #41746: oEmbed does not respect canonical provider url parameter

WordPress Trac noreply at wordpress.org
Mon Aug 28 20:30:47 UTC 2017


#41746: oEmbed does not respect canonical provider url parameter
--------------------------+-----------------------------
 Reporter:  dougal        |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Embeds        |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 I came across a Twitter URL format that would not embed correctly.
 Providing that URL to their provider endpoint returned an error. But the
 original page had a `<link>` element which already had a working,
 canonical `url` parameter in its querystring.

 An example URL is:
 {{{https://twitter.com/i/web/status/898599373956722688}}}

 If you try to fetch oEmbed data for that URL by just adding it as a `url`
 querystring parameter on the standard Twitter oEmbed provider URL, it will
 return an error.

 But view source on that page, and you'll see:
 {{{<link rel="alternate" type="application/json+oembed"
 href="https://publish.twitter.com/oembed?url=https://twitter.com/dimensionmedia/status/898599373956722688"
 title="David Bisset on Twitter: "Agorakit is a web based open source
 "groupware for citizens initiatives” (which i’ve seen @buddypress
 used for too) https://t.co/bFPw9ZZWi2 https://t.co/H1REt0QfcO"">}}}

 Note that the path of this URL is `.../{username}/status/{id}`, whereas
 the original URL was `.../i/web/status/{id}`.

 I've worked out a small patch and method for getting WordPress to use
 oEmbed discovery to extract and use the canonical URL.

 When using `wp_oembed_add_provider()`, if you leave the provider URL
 falsey, then `WP_oEmbed::get_provider()` will use discovery to find it
 (assuming that you haven't forced `discovery = false` in `$args`). Then my
 patch will pull the `url` arg from there and use that, instead of the
 original URL that was passed in to the embed handling.

 Later, when the JSON response is being handled, the code will still be
 able to see whether this is a whitelisted URL pattern, and bypass/perform
 security filtering such as `kses()` (see `wp_filter_oembed_result()`).

--
Ticket URL: <https://core.trac.wordpress.org/ticket/41746>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
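
The discovery step described in the ticket, as an added example (not the patch attached to the ticket and not WordPress core code): it reads the JSON oEmbed `<link>` from a fetched page, extracts the canonical `url` argument, and accepts it only if both the endpoint and the canonical URL are HTTPS on an allowlisted host. The function names, the `ALLOWED_HOSTS` list and the sample markup are assumptions made for illustration.

```php
<?php
// Added example. ALLOWED_HOSTS is an assumed allowlist, not WordPress's provider list.
const ALLOWED_HOSTS = ['twitter.com', 'publish.twitter.com'];

// True only for https URLs whose host is exactly one of the allowlisted hosts.
function host_is_allowed(string $url): bool {
    $parts = parse_url($url);
    if (!is_array($parts) || strtolower($parts['scheme'] ?? '') !== 'https') {
        return false;
    }
    return in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true);
}

// Returns the canonical `url` argument of the page's JSON oEmbed <link>,
// or null when it is missing or fails the host checks.
function discover_canonical_url(string $html): ?string {
    if ($html === '') {
        return null;
    }
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // page markup is untrusted and often invalid
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    foreach ($doc->getElementsByTagName('link') as $link) {
        if (strtolower($link->getAttribute('rel')) !== 'alternate'
            || strtolower($link->getAttribute('type')) !== 'application/json+oembed') {
            continue;
        }
        $href = $link->getAttribute('href');
        if (!host_is_allowed($href)) {
            continue; // the page points at an endpoint we do not trust
        }
        parse_str((string) parse_url($href, PHP_URL_QUERY), $args);
        $canonical = $args['url'] ?? null;
        // The remote page controls this value, so check it again before use.
        if (is_string($canonical) && host_is_allowed($canonical)) {
            return $canonical;
        }
    }
    return null;
}

// Constructed sample markup, reduced from the <link> element quoted in the ticket.
$page = '<html><head><link rel="alternate" type="application/json+oembed" '
      . 'href="https://publish.twitter.com/oembed?url=https://twitter.com/dimensionmedia/status/898599373956722688">'
      . '</head></html>';
var_dump(discover_canonical_url($page));
```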

