[wp-trac] [WordPress Trac] #41746: oEmbed does not respect canonical provider url parameter
WordPress Trac
noreply at wordpress.org
Mon Aug 28 20:30:47 UTC 2017
#41746: oEmbed does not respect canonical provider url parameter
--------------------------+-----------------------------
 Reporter:  dougal        |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Embeds        |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
I came across a Twitter URL format that would not embed correctly.
Providing that URL to their provider endpoint returned an error. But the
original page had a `<link>` element which already had a working,
canonical `url` parameter in its querystring.

An example URL is:
{{{https://twitter.com/i/web/status/898599373956722688}}}

If you try to fetch oEmbed data for that URL by just adding it as a `url`
querystring parameter on the standard Twitter oEmbed provider URL, it will
return an error.

But view source on that page, and you'll see:
{{{<link rel="alternate" type="application/json+oembed"
href="https://publish.twitter.com/oembed?url=https://twitter.com/dimensionmedia/status/898599373956722688"
title="David Bisset on Twitter: "Agorakit is a web based open source
"groupware for citizens initiatives” (which i’ve seen @buddypress
used for too) https://t.co/bFPw9ZZWi2 https://t.co/H1REt0QfcO"">}}}

Note that the path of this URL is `.../{username}/status/{id}`, whereas
the original URL was `.../i/web/status/{id}`.

I've worked out a small patch and method for getting WordPress to use
oEmbed discovery to extract and use the canonical URL.

When using `wp_oembed_add_provider()`, if you leave the provider URL
falsey, then `WP_oEmbed::get_provider()` will use discovery to find it
(assuming that you haven't forced `discovery = false` in `$args`). Then my
patch will pull the `url` arg from there and use that, instead of the
original URL that was passed in to the embed handling.

Later, when the JSON response is being handled, the code will still be
able to see whether this is a whitelisted URL pattern, and bypass/perform
security filtering such as `kses()` (see `wp_filter_oembed_result()`).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41746>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
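
An added example, not part of the ticket, its patch, or WordPress core: a standalone PHP sketch of pulling the canonical `url` argument out of a discovered oEmbed `<link>` while treating that link as untrusted input from the remote page. The function name, the trusted-host list and the URL pattern are assumptions chosen for illustration.

```php
<?php
// Added example: hypothetical helper, not WordPress core code.

// Assumption: endpoint hosts and canonical URL pattern this site trusts.
const TRUSTED_ENDPOINT_HOSTS = ['publish.twitter.com'];
const TRUSTED_URL_PATTERN = '#\Ahttps://twitter\.com/[A-Za-z0-9_]+/status/\d+\z#';

/**
 * Return the canonical `url` argument advertised by the page's oEmbed
 * discovery <link>, or null if no link passes the trust checks.
 */
function discovered_canonical_url(string $html): ?string {
    // Remote markup is rarely valid HTML; collect parser errors quietly.
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NONET);

    foreach ($doc->getElementsByTagName('link') as $link) {
        if (strtolower($link->getAttribute('rel')) !== 'alternate'
            || strtolower($link->getAttribute('type')) !== 'application/json+oembed') {
            continue;
        }
        $href = parse_url($link->getAttribute('href'));
        // The remote page controls this href: require https and a known endpoint host.
        if (!is_array($href) || ($href['scheme'] ?? '') !== 'https'
            || !in_array(strtolower($href['host'] ?? ''), TRUSTED_ENDPOINT_HOSTS, true)) {
            continue;
        }
        parse_str($href['query'] ?? '', $args);
        $url = $args['url'] ?? null;
        // Accept the canonical URL only if it still matches the trusted pattern,
        // so later filtering decisions are made on a validated value.
        if (is_string($url) && preg_match(TRUSTED_URL_PATTERN, $url) === 1) {
            return $url;
        }
    }
    return null;
}

// Constructed sample markup modelled on the <link> quoted in the ticket.
$good = '<html><head><link rel="alternate" type="application/json+oembed" '
      . 'href="https://publish.twitter.com/oembed?url=https://twitter.com/dimensionmedia/status/898599373956722688"></head></html>';
// Constructed: same link type, but advertising an endpoint host that is not trusted.
$bad = '<html><head><link rel="alternate" type="application/json+oembed" '
     . 'href="https://example.invalid/oembed?url=https://twitter.com/someone/status/1"></head></html>';

var_dump(discovered_canonical_url($good));
var_dump(discovered_canonical_url($bad));
```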