
functions - Security when outputting wp_oembed_get code


This is code I have in a function.php action. It is responsible for getting and displaying an embed code. Typically there is a YouTube link from $embed_link, but it comes from a public form, so it can contain anything:

    $embed_link = get_post_meta( $post_id, 'user_content_link_to_remote_video' );
    $embed_code = wp_oembed_get( $embed_link[0] );
    if ($embed_code): 
        echo $embed_code;
    endif;

Is there a risk of malicious code in there? Is this code safe? If not, how can I make it safer?

asked Apr 13, 2020 at 15:32 by Robert Brax

1 Answer

wp_oembed_get() will only process URLs from whitelisted oEmbed providers. The list of supported providers is available here. This means the only code that can be output is embed code from those providers. These are the same providers that WordPress supports for URLs in content, or the embed block in the block editor, so you can be reasonably assured that they are safe, as WordPress considers them safe enough for authors and contributors to use.
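
An added example, not part of the original question or answer: a stricter variant of the question's snippet that checks the stored link before handing it to wp_oembed_get(). The function name and the host allowlist are assumptions for illustration; the meta key is the one from the question.

```php
<?php
/**
 * Added example: render a user-submitted video link only when it is an
 * https URL on an expected host. Function name and allowlist are assumptions.
 */
function example_render_user_video( $post_id ) {
    // Third argument true returns a single value ('' when the key is missing),
    // so there is no [0] access on a possibly empty array.
    $raw = get_post_meta( $post_id, 'user_content_link_to_remote_video', true );
    if ( ! is_string( $raw ) || '' === trim( $raw ) ) {
        return;
    }

    // Sanitise and restrict to https; esc_url_raw() returns '' for other schemes.
    $url = esc_url_raw( trim( $raw ), array( 'https' ) );
    if ( '' === $url ) {
        return;
    }

    // Assumed allowlist: only the hosts this public form is meant to accept.
    $allowed_hosts = array( 'www.youtube.com', 'youtube.com', 'm.youtube.com', 'youtu.be' );
    $host          = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    if ( ! in_array( $host, $allowed_hosts, true ) ) {
        return;
    }

    // 'discover' => false: do not attempt oEmbed discovery on the linked page;
    // only providers registered with WordPress are consulted.
    $embed_code = wp_oembed_get( $url, array( 'discover' => false ) );
    if ( $embed_code ) {
        echo $embed_code; // HTML returned by the registered provider.
    }
}
```

Validating the link once more at form submission, before it is saved as post meta, keeps unexpected values out of the database as well as out of the page.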
