From 1824468e8fbdcf30eeb71fe9be5c56c20f42be94 Mon Sep 17 00:00:00 2001
From: Gary Pendergast <pento@git.wordpress.org>
Date: Mon, 16 Nov 2015 00:22:16 +0000
Subject: [PATCH] Embeds: Add the `allow_insecure_embeds` filter.

This allows a site to disable non-SSL embeds.

Fixes #34588.



git-svn-id: https://develop.svn.wordpress.org/trunk@35640 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/class-wp-embed.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/wp-includes/class-wp-embed.php b/src/wp-includes/class-wp-embed.php
index 730fc4fc91..5e25e01892 100644
--- a/src/wp-includes/class-wp-embed.php
+++ b/src/wp-includes/class-wp-embed.php
@@ -143,6 +143,18 @@ class WP_Embed {
 			return '';
 		}
 
+		/**
+		 * Optionally allow or block non-SSL embeds.
+		 *
+		 * @since 4.4.0
+		 *
+		 * @param bool   $allowed Flag to determine if non-SSL embeds should be allowed. Default true.
+		 * @param string $url     The URL being embedded.
+		 */
+		if ( 0 !== strpos( $url, 'https://' ) && ! apply_filters( 'allow_insecure_embeds', true, $url ) ) {
+			return false;
+		}
+
 		$rawattr = $attr;
 		$attr = wp_parse_args( $attr, wp_embed_defaults( $url ) );