Embeds: Add protocol validation for WordPress Embed code.

Validate that links within auto-discovered embeds are using the `http` or `https` protocols before following links.

Props xknown, dd32, peterwilsoncc.



git-svn-id: https://develop.svn.wordpress.org/trunk@55763 602fd350-edb4-49c9-b593-d223f7449a82

src/js/_enqueues/wp/embed.js

@@ -49,6 +49,7 @@
 
 		var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
 			blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+			allowedProtocols = new RegExp( '^https?:$', 'i' ),
 			i, source, height, sourceURL, targetURL;
 
 		for ( i = 0; i < blockquotes.length; i++ ) {
@@ -84,6 +85,11 @@
 				sourceURL.href = source.getAttribute( 'src' );
 				targetURL.href = data.value;
 
+				/* Only follow link if the protocol is in the allow list. */
+				if ( ! allowedProtocols.test( targetURL.protocol ) ) {
+					continue;
+				}
+
 				/* Only continue if link hostname matches iframe's hostname. */
 				if ( targetURL.host === sourceURL.host ) {
 					if ( document.activeElement === source ) {