Update videopress shortcode sanitization (#37271)

* sanitize preload setting in video blocks overridden by Jetpack * changelog * reduce size of diff * escape attribute --------- Co-authored-by: John Caruso <[email protected]>
Automattic · May 7, 2024 · 36695a2 · 36695a2
1 parent 04c2977
commit 36695a2
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 4 deletions.
diff --git a/projects/packages/videopress/changelog/fix-video-shortcode-preloadcontent-sanitize b/projects/packages/videopress/changelog/fix-video-shortcode-preloadcontent-sanitize
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Sanitize the preload value for video shortcodes and blocks
diff --git a/projects/packages/videopress/package.json b/projects/packages/videopress/package.json
@@ -1,7 +1,7 @@
 {
 	"private": true,
 	"name": "@automattic/jetpack-videopress",
-	"version": "0.23.19",
+	"version": "0.23.20-alpha",
 	"description": "VideoPress package",
 	"homepage": "https://github.com/Automattic/jetpack/tree/HEAD/projects/packages/videopress/#readme",
 	"bugs": {

diff --git a/projects/packages/videopress/src/class-block-editor-content.php b/projects/packages/videopress/src/class-block-editor-content.php
@@ -86,10 +86,14 @@ public static function videopress_embed_shortcode( $atts ) {
 			}
 		}
 
-		if ( isset( $atts['preload'] ) ) {
+		if ( isset( $atts['preload'] ) && videopress_is_valid_preload( $atts['preload'] ) ) {
 			$atts['preloadcontent'] = $atts['preload'];
 		}
 
+		if ( isset( $atts['preloadcontent'] ) && ! videopress_is_valid_preload( $atts['preloadcontent'] ) ) {
+			unset( $atts['preloadcontent'] );
+		}
+
 		$atts = shortcode_atts( $defaults, $atts, 'videopress' );
 
 		$base_url     = 'https://videopress.com/embed/' . $guid;

diff --git a/projects/packages/videopress/src/class-package-version.php b/projects/packages/videopress/src/class-package-version.php
@@ -11,7 +11,7 @@
  * The Package_Version class.
  */
 class Package_Version {
-	const PACKAGE_VERSION = '0.23.19';
+	const PACKAGE_VERSION = '0.23.20-alpha';
 
 	const PACKAGE_SLUG = 'videopress';
 

diff --git a/projects/packages/videopress/src/utility-functions.php b/projects/packages/videopress/src/utility-functions.php
@@ -30,6 +30,16 @@ function videopress_is_valid_guid( $guid ) {
 	return false;
 }
 
+/**
+ * Validates user-supplied video preload setting.
+ *
+ * @param mixed $value the preload value to validate.
+ * @return bool
+ */
+function videopress_is_valid_preload( $value ) {
+	return in_array( strtolower( $value ), array( 'auto', 'metadata', 'none' ), true );
+}
+
 /**
  * Get details about a specific video by GUID:
  *

diff --git a/projects/plugins/jetpack/changelog/fix-video-shortcode-preloadcontent-sanitize b/projects/plugins/jetpack/changelog/fix-video-shortcode-preloadcontent-sanitize
@@ -0,0 +1,4 @@
+Significance: patch
+Type: other
+
+Sanitize the preload value for video shortcodes and blocks
diff --git a/projects/plugins/jetpack/modules/videopress/class.videopress-player.php b/projects/plugins/jetpack/modules/videopress/class.videopress-player.php
@@ -329,10 +329,16 @@ private function html5_static() {
 		wp_enqueue_script( 'videopress' );
 		$thumbnail = esc_url( $this->video->poster_frame_uri );
 		$html      = "<video id=\"{$this->video_id}\" width=\"{$this->video->calculated_width}\" height=\"{$this->video->calculated_height}\" poster=\"$thumbnail\" controls=\"true\"";
+
+		$preload = 'metadata';
+		if ( isset( $this->options['preloadContent'] ) && videopress_is_valid_preload( $this->options['preloadContent'] ) ) {
+			$preload = $this->options['preloadContent'];
+		}
+
 		if ( isset( $this->options['autoplay'] ) && $this->options['autoplay'] === true ) {
 			$html .= ' autoplay="true"';
 		} else {
-			$html .= ' preload="' . $this->options['preloadContent'] . '"';
+			$html .= ' preload="' . esc_attr( $preload ) . '"';
 		}
 		if ( isset( $this->video->text_direction ) ) {
 			$html .= ' dir="' . esc_attr( $this->video->text_direction ) . '"';