diff --git a/src/js/_enqueues/wp/embed.js b/src/js/_enqueues/wp/embed.js index fa2934f379..58ae034f49 100644 --- a/src/js/_enqueues/wp/embed.js +++ b/src/js/_enqueues/wp/embed.js @@ -49,6 +49,7 @@ var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ), blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ), + allowedProtocols = new RegExp( '^https?:$', 'i' ), i, source, height, sourceURL, targetURL; for ( i = 0; i < blockquotes.length; i++ ) { @@ -84,6 +85,11 @@ sourceURL.href = source.getAttribute( 'src' ); targetURL.href = data.value; + /* Only follow link if the protocol is in the allow list. */ + if ( ! allowedProtocols.test( targetURL.protocol ) ) { + continue; + } + /* Only continue if link hostname matches iframe's hostname. */ if ( targetURL.host === sourceURL.host ) { if ( document.activeElement === source ) {