-
Notifications
You must be signed in to change notification settings - Fork 385
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding NY Times embed results in invalid security=restricted invalid attribute error #3426
Comments
Back when I implemented this, the security attribute was only really needed for supporting IE9 IIRC. |
Cool. In any case, |
Every unknown* * Unknown meaning it is coming from an untrusted provider. |
@swissspidy If it doesn't know it is from WordPress (e.g. that the Comparing Embed block vs Custom HTML block containing response from NY Times: Seems to have a much better result: |
|
Perhaps certain styles should be allowed in core? |
Any updates on this one? Streamable oEmbeds contain For example, paste this https://streamable.com/clya3 in WordPress and observe the following return value:
|
@archon810 Thanks for that example. You can suppress the validation error entirely using plugin code like this: add_filter(
'amp_validation_error_sanitized',
function ( $sanitized, $error ) {
if (
isset( $error['code'], $error['node_name'] )
&&
'invalid_attribute' === $error['code']
&&
'security' === $error['node_name']
) {
$sanitized = true;
}
return $sanitized;
},
10,
2
); We'll open a PR to prevent it from being raised in the first place, similar to what was just in #3941 to fix #3939 |
What's the next step for this issue? The Should this be fixed by Core or should the plugin handle this specific case? |
@pierlon You're right. This needs a core fix. I've opened: https://core.trac.wordpress.org/ticket/49173 @swissspidy Thoughts on ☝️? |
Bug Description
When adding a NY Times article to an Embed block a validation error for an invalid
security
attribute is reported.This may be a wider issue with WordPress post embeds (#809), but since the oEmbed response actually doesn't include the
security
attribute:Perhaps WordPress core is overriding the embed as a special case? In the non-AMP version, it is generating:
This results in an entirely broken embed on the frontend, even outside of AMP:
So there are perhaps two issues here:
security
attribute (which I believe is obsolete in favor ofsandbox
).Expected Behaviour
No validation error should occur.
Steps to reproduce
Screenshots
Do not alter or remove anything below. The following sections will be managed by moderators only.
Acceptance criteria
Implementation brief
QA testing instructions
Demo
Changelog entry
The text was updated successfully, but these errors were encountered: