Question

This is code I have in a function.php action. It is responsible for getting and displaying an embed code. Typically `$embed_link` holds a YouTube link, but it comes from a public form, so it can contain anything:

    // Without $single = true, get_post_meta() returns an array of values.
    $embed_link = get_post_meta( $post_id, 'user_content_link_to_remote_video' );
    // Guard against a missing meta value before indexing into the array.
    if ( ! empty( $embed_link[0] ) ) :
        // wp_oembed_get() returns the embed HTML, or false if the URL is not handled.
        $embed_code = wp_oembed_get( $embed_link[0] );
        if ( $embed_code ) :
            echo $embed_code;
        endif;
    endif;

Is there a risk of malicious code in there? Is this code safe? If not, how to make it safer?


Solution

wp_oembed_get() will only process URLs from whitelisted oEmbed providers. The list of supported providers is available here. This means the only code that can be output is embed code from those providers. These are the same providers that WordPress supports for URLs in content, or the embed block in the block editor, so you can be reasonably assured that they are safe, as WordPress considers them safe enough for authors and contributors to use.
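An added example, not from the question or the answer, of a stricter version of the same snippet. It reads the single meta value, checks that it is a well-formed http(s) URL, and asks WordPress's own `WP_oEmbed` object whether a whitelisted provider matches before anything is fetched, with discovery disabled so the submitted site itself is never contacted. It assumes WordPress is loaded; the function name `render_user_remote_video` is hypothetical, while `$post_id` and the meta key are the question's.

```php
<?php
/**
 * Hardened version of the question's snippet (added example, not WordPress core code).
 * Assumes WordPress is loaded; $post_id and the meta key come from the question.
 */
function render_user_remote_video( $post_id ) {
    // $single = true returns the stored string directly (or '' when unset).
    $url = get_post_meta( $post_id, 'user_content_link_to_remote_video', true );

    // Reject anything that is not a well-formed http(s) URL.
    // wp_http_validate_url() also refuses loopback and private addresses by default.
    if ( ! is_string( $url ) || '' === $url || false === wp_http_validate_url( $url ) ) {
        return '';
    }

    // Only continue if the URL matches a provider on the built-in whitelist.
    // 'discover' => false stops WordPress from fetching the submitted page
    // to look for an oEmbed endpoint it advertises about itself.
    $oembed = _wp_oembed_get_object();
    if ( false === $oembed->get_provider( $url, array( 'discover' => false ) ) ) {
        return '';
    }

    // Fetch the embed HTML from the matched, whitelisted provider only.
    $embed_code = wp_oembed_get( $url, array( 'discover' => false ) );
    if ( false === $embed_code ) {
        return '';
    }

    return $embed_code;
}

echo render_user_remote_video( $post_id );
```

The explicit provider check is redundant with what wp_oembed_get() already enforces when discovery is off, but it makes the intent visible and gives a single place to log or reject submissions that are not from a whitelisted provider.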

Licensed under: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange