Diffstat (limited to 'plugins/jetpack/modules/shortcodes/twitchtv.php')
-rw-r--r--plugins/jetpack/modules/shortcodes/twitchtv.php14
1 files changed, 10 insertions, 4 deletions
diff --git a/plugins/jetpack/modules/shortcodes/twitchtv.php b/plugins/jetpack/modules/shortcodes/twitchtv.php
index 935a8b3a..4f349fb0 100644
--- a/plugins/jetpack/modules/shortcodes/twitchtv.php
+++ b/plugins/jetpack/modules/shortcodes/twitchtv.php
@@ -6,7 +6,7 @@
* [twitchtv url='https://www.twitch.tv/paperbat' height='378' width='620' autoplay='false']
* [twitchtv url='https://www.twitch.tv/paperbat/b/323486192' height='378' width='620' autoplay='false']
*
- * @package Jetpack
+ * @package automattic/jetpack
*/
/**
@@ -47,8 +47,8 @@ function wpcom_twitchtv_shortcode( $atts ) {
'time' => $attr['time'],
);
- $width = intval( $attr['width'] );
- $height = intval( $attr['height'] );
+ $width = (int) $attr['width'];
+ $height = (int) $attr['height'];
$user_id = $match[1];
$video_id = 0;
@@ -64,10 +64,16 @@ function wpcom_twitchtv_shortcode( $atts ) {
$url_args['channel'] = $user_id;
}
+ // See https://discuss.dev.twitch.tv/t/twitch-embedded-player-updates-in-2020/23956.
+ // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+ $url_args['parent'] = isset( $_SERVER['HTTP_HOST'] )
+ ? rawurlencode( wp_unslash( $_SERVER['HTTP_HOST'] ) ) // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+ : '';
+
$url = add_query_arg( $url_args, 'https://player.twitch.tv/' );
return sprintf(
- '<iframe src="%s" width="%d" height="%d" frameborder="0" scrolling="no" allowfullscreen></iframe>',
+ '<iframe src="%s" width="%d" height="%d" frameborder="0" scrolling="no" allowfullscreen sandbox="allow-popups allow-scripts allow-same-origin allow-presentation"></iframe>',
esc_url( $url ),
esc_attr( $width ),
esc_attr( $height )
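Review bot: `$url_args['parent']` is built from `$_SERVER['HTTP_HOST']`, which is the client-supplied Host header rather than the site's configured hostname, so on a server that does not pin the Host (a default vhost, some proxy setups) the requester chooses the value, and if the rendered page is cached that value may be served to other visitors, where Twitch would presumably refuse the embed. `rawurlencode()` and the later `esc_url()` keep the value from breaking out of the `src` attribute, so this is an integrity and availability concern rather than an injection one. Taking the host from configuration removes the dependency on request data and the need for both `phpcs:ignore` lines: `$url_args['parent'] = rawurlencode( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );`. That form also drops any `:port` suffix that HTTP_HOST can carry and avoids sending an empty `parent=` when the header is absent. The body of wpcom_twitchtv_shortcode starts and ends outside this hunk.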