wp_filter_oembed_result

Filters the given oEmbed HTML.

Description

(string) wp_filter_oembed_result( (string) $result, (object) $data, (string) $url ); 

If the $url isn't on the trusted providers list, we need to filter the HTML heavily for security.

Only filters rich and html response types.

Returns (string)

The filtered and sanitized oEmbed result.

Parameters (3)

0. $result (string)
The oEmbed HTML result.
1. $data (object)
A data object result from an oEmbed provider.
2. $url (string)
The URL of the content to be embedded.

Usage

    // Load the file that defines the function if it is not available yet.
    if ( ! function_exists( 'wp_filter_oembed_result' ) ) {
        require_once ABSPATH . WPINC . '/embed.php';
    }

    // The oEmbed HTML result.
    $result = '';

    // A data object result from an oEmbed provider
    // (placeholder; the function reads $data->type).
    $data = null;

    // The URL of the content to be embedded.
    $url = '';

    // NOTICE! Understand what this does before running.
    $result = wp_filter_oembed_result( $result, $data, $url );

Defined (1)

The function is defined in the following location(s).

/wp-includes/embed.php  
    function wp_filter_oembed_result( $result, $data, $url ) {
        // Failed lookups and response types other than 'rich' and 'video' pass through.
        if ( false === $result || ! in_array( $data->type, array( 'rich', 'video' ) ) ) {
            return $result;
        }

        $wp_oembed = _wp_oembed_get_object();

        // Don't modify the HTML for trusted providers.
        if ( false !== $wp_oembed->get_provider( $url, array( 'discover' => false ) ) ) {
            return $result;
        }

        // Allow-list of tags and attributes for untrusted providers.
        $allowed_html = array(
            'a'          => array(
                'href' => true,
            ),
            'blockquote' => array(),
            'iframe'     => array(
                'src'          => true,
                'width'        => true,
                'height'       => true,
                'frameborder'  => true,
                'marginwidth'  => true,
                'marginheight' => true,
                'scrolling'    => true,
                'title'        => true,
            ),
        );

        $html = wp_kses( $result, $allowed_html );

        preg_match( '|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content );
        // We require at least the iframe to exist.
        if ( empty( $content[2] ) ) {
            return false;
        }
        // Keep only the optional blockquote and the iframe; anything between them is dropped.
        $html = $content[1] . $content[2];

        if ( ! empty( $content[1] ) ) {
            // We have a blockquote to fall back on. Hide the iframe by default.
            $html = str_replace( '<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html );
            $html = str_replace( '<blockquote', '<blockquote class="wp-embedded-content"', $html );
        }

        // Sandbox the iframe: scripts may run, nothing else is granted.
        $html = str_replace( '<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html );

        preg_match( '/ src=[\'"]([^\'"]*)[\'"]/', $html, $results );

        if ( ! empty( $results ) ) {
            // Random per-embed secret, placed in the iframe src fragment and in data-secret attributes.
            $secret = wp_generate_password( 10, false );

            $url = esc_url( "{$results[1]}#?secret=$secret" );

            $html = str_replace( $results[0], " src=\"$url\" data-secret=\"$secret\"", $html );
            $html = str_replace( '<blockquote', "<blockquote data-secret=\"$secret\"", $html );
        }

        return $html;
    }
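
The following check is an added example, not WordPress core code and not part of the original page. It feeds a constructed response from an untrusted provider through the function and reports which of the protections in the definition above took effect. It assumes WordPress is already loaded (for instance via WP-CLI's `wp eval-file`), that `example.test` is not a registered oEmbed provider, and the function name `check_untrusted_embed` is hypothetical.

```php
<?php
// Added example. Assumes a loaded WordPress environment and that
// example.test is NOT on the trusted provider list.

function check_untrusted_embed() {
	$url  = 'https://example.test/post/1';
	$data = (object) array( 'type' => 'rich' );

	// Constructed provider response: a script element and an event-handler
	// attribute sit next to the markup the allow-list permits.
	$raw = '<blockquote><a href="' . $url . '">Post title</a></blockquote>'
		. '<script>document.title = "changed";</script>'
		. '<iframe src="' . $url . '/embed" width="600" height="400"'
		. ' onload="document.title=1" title="Post"></iframe>';

	$html = wp_filter_oembed_result( $raw, $data, $url );

	// The secret in the iframe src fragment must equal both data-secret values.
	preg_match( '/#\?secret=([A-Za-z0-9]+)"/', (string) $html, $m );
	$secret = isset( $m[1] ) ? $m[1] : '';

	return array(
		'script element and its text removed' =>
			false === stripos( $html, '<script' ) && false === strpos( $html, 'document.title' ),
		'event-handler attribute removed' => false === stripos( $html, 'onload' ),
		'iframe sandboxed' => false !== strpos( $html, 'sandbox="allow-scripts"' ),
		'same secret on iframe and blockquote' =>
			'' !== $secret && 2 === substr_count( $html, 'data-secret="' . $secret . '"' ),
		// No iframe survives filtering, so the whole embed is rejected.
		'rich response without iframe rejected' =>
			false === wp_filter_oembed_result( '<blockquote>text only</blockquote>', $data, $url ),
		// 'photo' is not a filtered type, so the result passes through untouched.
		'photo response passes unchanged' =>
			$raw === wp_filter_oembed_result( $raw, (object) array( 'type' => 'photo' ), $url ),
	);
}

foreach ( check_untrusted_embed() as $label => $ok ) {
	echo ( $ok ? 'PASS' : 'FAIL' ) . "  $label\n";
}
```

A FAIL on the sandbox or secret lines for a URL you expected to be untrusted usually means the URL matched a registered provider, in which case the function returns the provider HTML unmodified.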