From a6f0f3ea2917b4db686fbed5b300e806e3d7bea5 Mon Sep 17 00:00:00 2001
From: Jb Audras <audrasjb@git.wordpress.org>
Date: Tue, 16 May 2023 14:23:10 +0000
Subject: [PATCH] Embeds: Add protocol validation for WordPress Embed code.

Validate that links within auto-discovered embeds are using the `http` or `https` protocols before following links.

Props xknown, dd32, peterwilsoncc.



git-svn-id: https://develop.svn.wordpress.org/trunk@55763 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/js/_enqueues/wp/embed.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/js/_enqueues/wp/embed.js b/src/js/_enqueues/wp/embed.js
index fa2934f379..58ae034f49 100644
--- a/src/js/_enqueues/wp/embed.js
+++ b/src/js/_enqueues/wp/embed.js
@@ -49,6 +49,7 @@
 
 		var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ),
 			blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ),
+			allowedProtocols = new RegExp( '^https?:$', 'i' ),
 			i, source, height, sourceURL, targetURL;
 
 		for ( i = 0; i < blockquotes.length; i++ ) {
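Review bot: The allow-list regex on the added declaration line would be more idiomatic as a literal, `allowedProtocols = /^https?:$/i,`, which avoids building a pattern from a string and follows the file's existing literal-regex convention if there is one. The `i` flag looks redundant, since the `protocol` property of a parsed anchor or URL is normalized to lowercase by the URL parser, but it is harmless if kept as belt-and-braces against non-conforming parsers. The declaration sits inside a handler whose start and end are outside this hunk.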
@@ -84,6 +85,11 @@
 				sourceURL.href = source.getAttribute( 'src' );
 				targetURL.href = data.value;
 
+				/* Only follow link if the protocol is in the allow list. */
+				if ( ! allowedProtocols.test( targetURL.protocol ) ) {
+					continue;
+				}
+
 				/* Only continue if link hostname matches iframe's hostname. */
 				if ( targetURL.host === sourceURL.host ) {
 					if ( document.activeElement === source ) {
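Review bot: The comment on the added guard says what it does but not why an unchecked scheme matters, which is the point a future maintainer needs before relaxing it; `data.value` arrives in the message payload, so the scheme check is the only thing standing between the sender and the navigation that the matching-host branch performs. I would expand it to `/* Only follow link if the protocol is http(s): data.value comes from the message sender and is later used for navigation, so non-web schemes must never pass the host check. */`. The navigation itself is outside this hunk, so confirm the wording against the rest of the handler. Placing the check before the two `href` assignments would also let the function bail out without parsing the iframe's src, though that is a minor ordering preference rather than a defect.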