In Media, there is an ‘Allowed providers’ setting for Remote video where a site builder can determine which oEmbed providers are allowed. Because oEmbed renders third-party markup (typically an iframe) fetched from the provider, this is a security setting. There are two instances where this security setting is not enforced:
When a user is referencing existing media, the allowed providers setting is not checked.
When rendering existing media, the allowed providers setting is not checked.
As a result, oEmbed media that is not allowed 1) can still be added to content and 2) is still rendered.
The expected behavior is as follows:
When a user is referencing existing media, the allowed providers setting is checked. Only allowed oEmbed media can be referenced.
When rendering existing media, the allowed providers setting is checked. Only allowed oEmbed media is rendered.
Think about how allowed elements are handled with text formats. If an element exists in stored content but isn't allowed, it isn't rendered. If an element is not allowed, a user cannot add it with CKEditor either. The analogous behavior should apply to oEmbed providers: a provider that is not allowed can neither be referenced nor rendered.
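One way to implement the rendering half of that expected behavior, as an added example and not code from Drupal core or from this issue: a `hook_ENTITY_TYPE_access()` implementation that resolves the stored URL to its provider and denies `view` access when that provider is not in the source plugin's `providers` configuration. The module name `oembed_guard` and the helper function are assumptions for the illustration; the Drupal APIs used (`OEmbedInterface`, `getSourceFieldValue()`, the `media.oembed.url_resolver` service, `AccessResult`) are core media module APIs.

```php
<?php

/**
 * @file
 * Added example (not Drupal core code): enforce the Remote video
 * "Allowed providers" setting when existing oEmbed media is viewed.
 *
 * The module name "oembed_guard" and the helper below are assumptions
 * made for this illustration.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\media\MediaInterface;
use Drupal\media\OEmbed\ResourceException;
use Drupal\media\Plugin\media\Source\OEmbedInterface;

/**
 * Returns TRUE when the media item's oEmbed provider is in the allowed list.
 *
 * Non-oEmbed media (images, documents, ...) are always allowed here, because
 * the "Allowed providers" setting only exists on the oEmbed source plugin.
 */
function _oembed_guard_provider_allowed(MediaInterface $media): bool {
  $source = $media->getSource();
  if (!$source instanceof OEmbedInterface) {
    return TRUE;
  }
  // The 'providers' key holds the site builder's "Allowed providers" choice
  // as a list of provider names (e.g. "YouTube", "Vimeo").
  $allowed = $source->getConfiguration()['providers'] ?? [];
  $url = (string) $source->getSourceFieldValue($media);
  if ($url === '') {
    // Nothing to resolve: fail closed rather than render an empty embed.
    return FALSE;
  }
  try {
    /** @var \Drupal\media\OEmbed\UrlResolverInterface $resolver */
    $resolver = \Drupal::service('media.oembed.url_resolver');
    $provider = $resolver->getProviderByUrl($url)->getName();
  }
  catch (ResourceException $e) {
    // No matching provider: fail closed, the same way a disallowed one does.
    return FALSE;
  }
  return in_array($provider, $allowed, TRUE);
}

/**
 * Implements hook_ENTITY_TYPE_access() for media.
 *
 * Denying 'view' is what stops an existing item whose provider has since been
 * removed from the allowed list from being rendered. The result is cached per
 * media item and per media type, since the allowed list lives on the type.
 */
function oembed_guard_media_access(EntityInterface $entity, $operation, AccountInterface $account) {
  if ($operation !== 'view' || !$entity instanceof MediaInterface) {
    return AccessResult::neutral();
  }
  $media_type = $entity->bundle->entity;
  if (_oembed_guard_provider_allowed($entity)) {
    return AccessResult::neutral()
      ->addCacheableDependency($entity)
      ->addCacheableDependency($media_type);
  }
  return AccessResult::forbidden('oEmbed provider is not in the allowed providers list.')
    ->addCacheableDependency($entity)
    ->addCacheableDependency($media_type);
}
```

This covers only the "rendering existing media" case. The "referencing existing media" case needs a separate check at the point of reference (a validation constraint on the entity reference field, or a filter on the media library selection), which this example does not include. Note the fail-closed choice: a URL that no longer resolves to any provider is treated like a disallowed provider, so a stale or tampered source value cannot slip past the check.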
- Chris Burge
- marcoscano
- larowlan
- effulgentsia
- catch
Active
10.1 ✨