
Changeset 588535


Timestamp:
08/21/12 19:58:14 (20 months ago)
Author:
evansolomon
Message:

Make sure oEmbed auto-discovery doesn't run in comments

If you're running an oEmbed auto-discovery plugin along with this plugin, it creates a security vulnerability. This overrides auto-discovery in comments.

File:
1 edited

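--- a/oembed-in-comments/trunk/oembed-in-comments.php
+++ b/oembed-in-comments/trunk/oembed-in-comments.php
@@ -31,11 +31,22 @@
      */
     function oembed_in_comments() {
-        global $wp_embed;
-
         // make_clickable breaks oEmbed regex, make sure we go earlier
         $clickable = has_filter( 'comment_text', 'make_clickable' );
         $priority = ( $clickable ) ? $clickable - 1 : 10;
 
-        add_filter( 'comment_text', array( $wp_embed, 'autoembed' ), $priority );
+        add_filter( 'comment_text', array( $this, 'oembed_filter' ), $priority );
+    }
+
+    /**
+     * Wrap WP_Embed::autoembed() and make sure auto-discovery is off
+     */
+    function oembed_filter( $comment_text ) {
+        global $wp_embed;
+
+        add_filter( 'embed_oembed_discover', '__return_false', 999 );
+        $comment_text = $wp_embed->autoembed( $comment_text );
+        remove_filter( 'embed_oembed_discover', '__return_false', 999 );
+
+        return $comment_text;
     }
 }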
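Review bot: The discovery override in `oembed_filter()` is hooked at priority 999, so a callback registered on `embed_oembed_discover` at any higher priority that returns true would still leave auto-discovery enabled for commenter-supplied URLs. Because this filter is the security control, it is safer at the last possible priority: `add_filter( 'embed_oembed_discover', '__return_false', PHP_INT_MAX );` paired with `remove_filter( 'embed_oembed_discover', '__return_false', PHP_INT_MAX );`. The `remove_filter()` call also unhooks any identical `__return_false` registration made elsewhere at the same priority (for example a site-wide opt-out), since hooks are matched by callback and priority; a dedicated private callback on this class would avoid that collision. The docblock could also state why discovery is forced off, e.g. `Comment text is untrusted; never let a commenter's URL trigger oEmbed provider discovery.`, so the wrapper is not later simplified back to a direct `autoembed` hook. The enclosing class starts outside the hunk.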