diff -r 7b1b88e27a20 -r 48c4eec2b7e6 wp/wp-includes/js/wp-embed.js
--- a/wp/wp-includes/js/wp-embed.js Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-includes/js/wp-embed.js Fri Sep 05 18:40:08 2025 +0200
@@ -4,25 +4,23 @@
 * @since 4.4.0
 * @output wp-includes/js/wp-embed.js
 *
- * This file cannot have ampersands in it. This is to ensure
- * it can be embedded in older versions of WordPress.
- * See https://core.trac.wordpress.org/changeset/35708.
+ * Single line comments should not be used since they will break
+ * the script when inlined in get_post_embed_html(), specifically
+ * when the comments are not stripped out due to SCRIPT_DEBUG
+ * being turned on.
 */
 (function ( window, document ) {
 'use strict';
- var supportedBrowser = false,
- loaded = false;
-
- if ( document.querySelector ) {
- if ( window.addEventListener ) {
- supportedBrowser = true;
- }
- }
+ /* Abort for ancient browsers. */
+ if ( ! document.querySelector || ! window.addEventListener || typeof URL === 'undefined' ) {
+ return;
+ }
 /** @namespace wp */
 window.wp = window.wp || {};
+ /* Abort if script was already executed. */
 if ( !! window.wp.receiveEmbedMessage ) {
 return;
 }
@@ -35,20 +33,17 @@
 window.wp.receiveEmbedMessage = function( e ) {
 var data = e.data;
- if ( ! data ) {
- return;
- }
-
- if ( ! ( data.secret || data.message || data.value ) ) {
- return;
- }
-
- if ( /[^a-zA-Z0-9]/.test( data.secret ) ) {
+ /* Verify shape of message. */
+ if (
+ ! ( data || data.secret || data.message || data.value ) ||
+ /[^a-zA-Z0-9]/.test( data.secret )
+ ) {
 return;
 }
 var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
 blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+ allowedProtocols = new RegExp( '^https?:$', 'i' ),
 i, source, height, sourceURL, targetURL;
 for ( i = 0; i < blockquotes.length; i++ ) {
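Review bot: The merged shape check `! ( data || data.secret || data.message || data.value )` does not reproduce the three guards it replaces. When `e.data` is null or undefined the expression goes on to read `data.secret` and throws, and when `data` is any truthy value the check passes even if `secret`, `message` and `value` are all absent, so a missing `data.secret` reaches the regex test and the `data-secret` selectors as the string "undefined". Because the listener receives whatever any window posts, the guard should stay fail-closed: `! data || ! ( data.secret || data.message || data.value ) ||`. The handler body continues outside this hunk.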
@@ -64,8 +59,8 @@
 source.removeAttribute( 'style' );
- /* Resize the iframe on request. */
 if ( 'height' === data.message ) {
+ /* Resize the iframe on request. */
 height = parseInt( data.value, 10 );
 if ( height > 1000 ) {
 height = 1000;
@@ -74,37 +69,25 @@
 }
 source.height = height;
- }
-
- /* Link to a specific URL on request. */
- if ( 'link' === data.message ) {
- sourceURL = document.createElement( 'a' );
- targetURL = document.createElement( 'a' );
+ } else if ( 'link' === data.message ) {
+ /* Link to a specific URL on request. */
+ sourceURL = new URL( source.getAttribute( 'src' ) );
+ targetURL = new URL( data.value );
- sourceURL.href = source.getAttribute( 'src' );
- targetURL.href = data.value;
-
- /* Only continue if link hostname matches iframe's hostname. */
- if ( targetURL.host === sourceURL.host ) {
- if ( document.activeElement === source ) {
- window.top.location.href = data.value;
- }
+ if (
+ allowedProtocols.test( targetURL.protocol ) &&
+ targetURL.host === sourceURL.host &&
+ document.activeElement === source
+ ) {
+ window.top.location.href = data.value;
 }
 }
 }
 };
 function onLoad() {
- if ( loaded ) {
- return;
- }
-
- loaded = true;
-
- var isIE10 = -1 !== navigator.appVersion.indexOf( 'MSIE 10' ),
- isIE11 = !!navigator.userAgent.match( /Trident.*rv:11\./ ),
- iframes = document.querySelectorAll( 'iframe.wp-embedded-content' ),
- iframeClone, i, source, secret;
+ var iframes = document.querySelectorAll( 'iframe.wp-embedded-content' ),
+ i, source, secret;
 for ( i = 0; i < iframes.length; i++ ) {
 /** @var {IframeElement} */
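Review bot: Both `new URL( … )` calls in the new `link` branch throw a TypeError on input that the removed anchor-element code tolerated: a relative or missing iframe `src`, and any `data.value` that is not an absolute URL. `data.value` is taken from the posted message, so a malformed value raises an uncaught exception in the handler instead of being ignored; wrapping the two constructors in `try`/`catch` keeps the branch fail-closed. Navigating to the parsed `targetURL.href` rather than the raw `data.value` would also make sure the string that was validated is the one that is used. The surrounding loop is outside this hunk, so the `continue` below assumes the branch sits inside the per-iframe loop.

```javascript
} else if ( 'link' === data.message ) {
	/* Link to a specific URL on request. */
	try {
		sourceURL = new URL( source.getAttribute( 'src' ) );
		targetURL = new URL( data.value );
	} catch ( err ) {
		/* Unparseable iframe src or link target: ignore the request. */
		continue;
	}

	/* … unchanged: the protocol, host and activeElement condition … */
		window.top.location.href = targetURL.href;
```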
@@ -113,18 +96,11 @@
 secret = source.getAttribute( 'data-secret' );
 if ( ! secret ) {
 /* Add secret to iframe */
- secret = Math.random().toString( 36 ).substr( 2, 10 );
+ secret = Math.random().toString( 36 ).substring( 2, 12 );
 source.src += '#?secret=' + secret;
 source.setAttribute( 'data-secret', secret );
 }
- /* Remove security attribute from iframes in IE10 and IE11. */
- if ( ( isIE10 || isIE11 ) ) {
- iframeClone = source.cloneNode( true );
- iframeClone.removeAttribute( 'security' );
- source.parentNode.replaceChild( iframeClone, source );
- }
-
 /*
 * Let post embed window know that the parent is ready for receiving the height message, in case the iframe
 * loaded before wp-embed.js was loaded. When the ready message is received by the post embed window, the
@@ -137,9 +113,6 @@
 }
 }
- if ( supportedBrowser ) {
- window.addEventListener( 'message', window.wp.receiveEmbedMessage, false );
- document.addEventListener( 'DOMContentLoaded', onLoad, false );
- window.addEventListener( 'load', onLoad, false );
- }
+ window.addEventListener( 'message', window.wp.receiveEmbedMessage, false );
+ document.addEventListener( 'DOMContentLoaded', onLoad, false );
 })( window, document );
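Review bot: The secret on the changed line still comes from `Math.random()`, which is not a cryptographically secure source, and `toString( 36 )` can produce fewer than ten characters after the `0.` prefix, so the value may be shorter than `substring( 2, 12 )` suggests. If the secret is meant to keep other frames from addressing the embed (the receiving side's other checks are not visible on this page), it would be better drawn from `window.crypto.getRandomValues()` and encoded using only the alphanumeric characters the message handler's regex accepts. A block comment such as `/* Secret pairs this iframe with its messages; must match [a-zA-Z0-9]. */` would record that constraint. `onLoad` starts and ends outside this hunk.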
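Review bot: With the `load` listener removed, `onLoad` runs only if `DOMContentLoaded` has not yet fired when this script executes. If the script is injected or evaluated after parsing has finished (whether that happens cannot be determined from this page), no iframe receives its secret or the ready message. Checking `document.readyState` first would cover that case, for example `if ( 'loading' === document.readyState ) { document.addEventListener( 'DOMContentLoaded', onLoad, false ); } else { onLoad(); }`.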