From 0ab1df42437d72d0f98a5b6149b87249965c8be0 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Wed, 3 Sep 2014 00:39:05 +0000
Subject: [PATCH] Ensure oEmbed previews listen to [embed] width/height attributes.
props azaozz.
fixes #29474.
git-svn-id: https://develop.svn.wordpress.org/trunk@29681 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/ajax-actions.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index f1ba77f5d7..ff2db70f9c 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -2638,7 +2638,7 @@ function wp_ajax_query_themes() {
 function wp_ajax_parse_embed() {
 global $post, $wp_embed;
- if ( ! $post = get_post( (int) $_REQUEST['post_ID'] ) ) {
+ if ( ! $post = get_post( (int) $_POST['post_ID'] ) ) {
 wp_send_json_error();
 }
@@ -2646,17 +2646,17 @@ function wp_ajax_parse_embed() {
 wp_send_json_error();
 }
- $shortcode = $_POST['shortcode'];
+ $shortcode = wp_unslash( $_POST['shortcode'] );
 $url = str_replace( '[embed]', '', str_replace( '[/embed]', '', $shortcode ) );
 $parsed = false;
 setup_postdata( $post );
 $wp_embed->return_false_on_fail = true;
- if ( is_ssl() && preg_match( '%^\\[embed\\]http://%i', $shortcode ) ) {
+ if ( is_ssl() && preg_match( '%^\\[embed[^\\]]*\\]http://%i', $shortcode ) ) {
 // Admin is ssl and the user pasted non-ssl URL.
 // Check if the provider supports ssl embeds and use that for the preview.
- $ssl_shortcode = preg_replace( '%^\\[embed\\]http://%i', '[embed]https://', $shortcode );
+ $ssl_shortcode = preg_replace( '%^(\\[embed[^\\]]*\\])http://%i', '$1https://', $shortcode );
 $parsed = $wp_embed->run_shortcode( $ssl_shortcode );
 if ( ! $parsed ) {
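Review bot: The new line still reads `$_POST['post_ID']` with no existence check, so a request that omits the field raises an undefined-index notice before the `(int)` cast runs; the same pattern recurs in the @@ -2713 hunk of wp_ajax_parse_media_shortcode. Since the line is being rewritten anyway, guarding it costs one condition: `if ( empty( $_POST['post_ID'] ) || ! $post = get_post( (int) $_POST['post_ID'] ) ) {`. Narrowing the input channel from $_REQUEST to $_POST is a reasonable hardening step; no nonce check is visible in these hunks, so if the action relies only on the capability check that appears to follow, a short comment stating that would help the next reader. The body of wp_ajax_parse_embed continues past the end of the hunk.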
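Review bot: The widened pattern now accepts `[embed ...]` with attributes, but `$url` on the line after the wp_unslash() call is still built by stripping only the literal `[embed]`, so for a shortcode carrying width/height the variable keeps the opening tag (for example `[embed width="300"]http://…`). Wherever `$url` is consumed later in the function as the bare URL (that code is outside the hunk), it should be derived with the same pattern: `$url = preg_replace( '%^\\[embed[^\\]]*\\]%i', '', str_replace( '[/embed]', '', $shortcode ) );`. Both anchored patterns also assume the posted shortcode has no leading whitespace; applying `trim()` right after wp_unslash() would make the `^` anchor reliable. The function continues beyond the last line of the hunk.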
@@ -2713,7 +2713,7 @@ function wp_ajax_parse_embed() {
 function wp_ajax_parse_media_shortcode() {
 global $post, $wp_scripts;
- if ( ! $post = get_post( (int) $_REQUEST['post_ID'] ) ) {
+ if ( ! $post = get_post( (int) $_POST['post_ID'] ) ) {
 wp_send_json_error();
 }
@@ -2722,7 +2722,7 @@ function wp_ajax_parse_media_shortcode() {
 }
 setup_postdata( $post );
- $shortcode = do_shortcode( wp_unslash( $_REQUEST['shortcode'] ) );
+ $shortcode = do_shortcode( wp_unslash( $_POST['shortcode'] ) );
 if ( empty( $shortcode ) ) {
 wp_send_json_error( array(
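Review bot: In the @@ -2722 hunk, `$_POST['shortcode']` is handed to wp_unslash() without an existence check, so a request lacking the field raises a notice and then falls through to do_shortcode() on an empty string instead of failing up front. A guard before the call keeps the notice out and makes the failure explicit: `if ( empty( $_POST['shortcode'] ) ) { wp_send_json_error(); }`. Running do_shortcode() on caller-supplied text is only appropriate behind the capability check that appears to precede this hunk, so a one-line comment noting that the check is what authorizes this call would help readers. wp_ajax_parse_media_shortcode continues outside the hunk.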