wp_filter_oembed_result() WordPress Function

The wp_filter_oembed_result() function allows you to filter the results of an oEmbed request. This can be useful for modifying the output of an oEmbed request, or for adding extra information to the output.

wp_filter_oembed_result( string $result, object $data, string $url ) #

Filters the given oEmbed HTML.

Contents

Description

If the $url isn’t on the trusted providers list, we need to filter the HTML heavily for security.

Only filters ‘rich’ and ‘video’ response types.

Top ↑

Parameters

$result

(string)(Required)The oEmbed HTML result.

$data

(object)(Required)A data object result from an oEmbed provider.

$url

(string)(Required)The URL of the content to be embedded.

Top ↑

Return

(string) The filtered and sanitized oEmbed result.

Top ↑

Source

File: wp-includes/embed.php

function wp_filter_oembed_result( $result, $data, $url ) {
	if ( false === $result || ! in_array( $data->type, array( 'rich', 'video' ), true ) ) {
		return $result;
	}

	$wp_oembed = _wp_oembed_get_object();

	// Don't modify the HTML for trusted providers.
	if ( false !== $wp_oembed->get_provider( $url, array( 'discover' => false ) ) ) {
		return $result;
	}

	$allowed_html = array(
		'a'          => array(
			'href' => true,
		),
		'blockquote' => array(),
		'iframe'     => array(
			'src'          => true,
			'width'        => true,
			'height'       => true,
			'frameborder'  => true,
			'marginwidth'  => true,
			'marginheight' => true,
			'scrolling'    => true,
			'title'        => true,
		),
	);

	$html = wp_kses( $result, $allowed_html );

	preg_match( '|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content );
	// We require at least the iframe to exist.
	if ( empty( $content[2] ) ) {
		return false;
	}
	$html = $content[1] . $content[2];

	preg_match( '/ src=([\'"])(.*?)\1/', $html, $results );

	if ( ! empty( $results ) ) {
		$secret = wp_generate_password( 10, false );

		$url = esc_url( "{$results[2]}#?secret=$secret" );
		$q   = $results[1];

		$html = str_replace( $results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html );
		$html = str_replace( '<blockquote', "<blockquote data-secret=\"$secret\"", $html );
	}

	$allowed_html['blockquote']['data-secret'] = true;
	$allowed_html['iframe']['data-secret']     = true;

	$html = wp_kses( $html, $allowed_html );

	if ( ! empty( $content[1] ) ) {
		// We have a blockquote to fall back on. Hide the iframe by default.
		$html = str_replace( '<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html );
		$html = str_replace( '<blockquote', '<blockquote class="wp-embedded-content"', $html );
	}

	$html = str_ireplace( '<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html );

	return $html;
}

Expand full source codeCollapse full source codeView on TracView on GitHub

Top ↑

Top ↑

Uses

Uses
UsesDescription
wp-includes/class-wp-oembed.php:WP_oEmbed::get_provider()

Takes a URL and returns the corresponding oEmbed provider’s URL, if there is one.

wp-includes/formatting.php:esc_url()

Checks and cleans a URL.

wp-includes/pluggable.php:wp_generate_password()

Generates a random password drawn from the defined set of characters.

wp-includes/kses.php:wp_kses()

Filters text content and strips out disallowed HTML.

wp-includes/embed.php:_wp_oembed_get_object()

Returns the initialized WP_oEmbed object.

Top ↑

Changelog

Changelog
VersionDescription
4.4.0Introduced.
Download the latest version of WordPress from https://wordpress.org/

The content displayed on this page has been created in part by processing WordPress source code files which are made available under the GPLv2 (or a later version) license by theĀ Free Software Foundation. In addition to this, the content includes user-written examples and information. All material is subject to review and curation by the WPPaste.com community.

Show More