- 🇺🇸 United States justcaldwell Austin, Texas
I'm a bit concerned that the focus on video in the issue summary doesn't make it clear that the problem is broader. Based on our recent experience, it appears any oEmbed-based Media entity will accept ANY valid oEmbed resource URL when the entity is created via the Media Library oEmbed form. This includes oEmbed providers that have not been enabled/allowed for the site.
Our site has two oEmbed-based Media entities. The "standard" Remote Video (YouTube/Vimeo), and a Remote Audio entity that allows SoundCloud and Spotify providers via the oEmbed Providers module. I recently noticed that a user was somehow able to create a Remote Audio entity using a Vimeo video URL.
When I attempted to replicate via the Remote Audio media add form, I got the expected "Vimeo provider is not allowed." That led me to Media Library (embeds), where I was able to create a Remote Audio entity using a video provider URL with no validation errors.
So I tried creating a Remote Video entity using a SoundCloud URL - yep, that works in Media Library, too.
Then I started experimenting with various providers from the oEmbed providers list. ISSUU, SlideShare, TikTok - they all worked using either the Remote Audio or Remote Video entity. None of those providers are enabled for any entity on our site.
- 🇺🇸 United States justcaldwell Austin, Texas
I just reproduced the basic behavior described in #63 on a fresh install of Drupal 10.2.6, specifically:
- Enable Media and Media Library
- Add a 'Remote Video' Media entity (Media source set to 'Remote video', YouTube and Vimeo providers enabled).
- Add Media Library embeds to the Basic HTML text format
- Create a Basic Page node and use the Media Library to create embeds from any oEmbed source.
On the upside, a patch based on MR 459 still applies to 10.2.6 (with a fair amount of fuzz) and seems to introduce validation of allowed providers.
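
The per-media-type provider check that the comments above report as missing from the Media Library form, written as an added stand-alone example (not part of the original comments, not Drupal core code and not the MR 459 patch). The provider schemes, the `remote_video`/`remote_audio` allowlists, the function names and the sample URLs are all constructed assumptions; the same check can be run over a site's existing media URLs to find entities created before the fix.

```php
<?php
// Added illustration: not Drupal core code and not the MR 459 patch.
// Schemes and allowlists are constructed sample data mirroring the site above.
const PROVIDER_SCHEMES = [
    'YouTube'    => ['https://*.youtube.com/watch*', 'https://youtu.be/*'],
    'Vimeo'      => ['https://vimeo.com/*'],
    'SoundCloud' => ['https://soundcloud.com/*'],
    'Spotify'    => ['https://open.spotify.com/*'],
    'TikTok'     => ['https://www.tiktok.com/*'],
];
const ALLOWED_PROVIDERS = [
    'remote_video' => ['YouTube', 'Vimeo'],
    'remote_audio' => ['SoundCloud', 'Spotify'],
];

// Returns the provider whose wildcard scheme ("*" becomes ".*") matches $url, or null.
function provider_for_url(string $url): ?string {
    foreach (PROVIDER_SCHEMES as $name => $schemes) {
        foreach ($schemes as $scheme) {
            $regex = '#^' . str_replace('\*', '.*', preg_quote($scheme, '#')) . '$#i';
            if (preg_match($regex, $url) === 1) {
                return $name;
            }
        }
    }
    return null;
}

// Returns an error message, or null when $url is acceptable for $bundle.
function validate_oembed_url(string $bundle, string $url): ?string {
    $provider = provider_for_url($url);
    if ($provider === null) {
        return 'No matching provider found.';
    }
    if (!in_array($provider, ALLOWED_PROVIDERS[$bundle] ?? [], true)) {
        return "The $provider provider is not allowed.";
    }
    return null;
}

// Constructed (bundle, URL) rows standing in for existing media entities.
$media = [
    ['remote_video', 'https://www.youtube.com/watch?v=EXAMPLE'],
    ['remote_audio', 'https://vimeo.com/000000000'],
    ['remote_video', 'https://soundcloud.com/example/track'],
    ['remote_audio', 'https://www.tiktok.com/@example/video/0'],
];
foreach ($media as [$bundle, $url]) {
    printf("%-12s %-42s %s\n", $bundle, $url, validate_oembed_url($bundle, $url) ?? 'ok');
}
```

Only the first row passes; the other three are the mismatches described above: a known oEmbed provider that is not on the allowlist for that media type.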