wp_filter_oembed_result

The timeline below displays how wordpress function wp_filter_oembed_result has changed across different WordPress versions. If a version is not listed, refer to the next available version below.

WordPress Version: 5.5

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'video' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'), true)) {
        return $result;
    }
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    preg_match('/ src=([\'"])(.*?)\1/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[2]}#?secret={$secret}");
        $q = $results[1];
        $html = str_replace($results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    $allowed_html['blockquote']['data-secret'] = true;
    $allowed_html['iframe']['data-secret'] = true;
    $html = wp_kses($html, $allowed_html);
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_ireplace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    return $html;
}

WordPress Version: 5.2

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'video' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    preg_match('/ src=([\'"])(.*?)\1/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[2]}#?secret={$secret}");
        $q = $results[1];
        $html = str_replace($results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    $allowed_html['blockquote']['data-secret'] = true;
    $allowed_html['iframe']['data-secret'] = true;
    $html = wp_kses($html, $allowed_html);
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_ireplace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    return $html;
}

WordPress Version: .10

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    preg_match('/ src=([\'"])(.*?)\1/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[2]}#?secret={$secret}");
        $q = $results[1];
        $html = str_replace($results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    $allowed_html['blockquote']['data-secret'] = true;
    $allowed_html['iframe']['data-secret'] = true;
    $html = wp_kses($html, $allowed_html);
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_ireplace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    return $html;
}

WordPress Version: 4.7

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_replace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    preg_match('/ src=[\'"]([^\'"]*)[\'"]/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[1]}#?secret={$secret}");
        $html = str_replace($results[0], " src=\"{$url}\" data-secret=\"{$secret}\"", $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    return $html;
}

WordPress Version: 6.7

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    preg_match('/ src=([\'"])(.*?)\1/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[2]}#?secret={$secret}");
        $q = $results[1];
        $html = str_replace($results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    $allowed_html['blockquote']['data-secret'] = true;
    $allowed_html['iframe']['data-secret'] = true;
    $html = wp_kses($html, $allowed_html);
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_ireplace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    return $html;
}

WordPress Version: 6.3

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_replace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    preg_match('/ src=[\'"]([^\'"]*)[\'"]/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[1]}#?secret={$secret}");
        $html = str_replace($results[0], " src=\"{$url}\" data-secret=\"{$secret}\"", $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    return $html;
}

WordPress Version: .20

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    preg_match('/ src=([\'"])(.*?)\1/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[2]}#?secret={$secret}");
        $q = $results[1];
        $html = str_replace($results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    $allowed_html['blockquote']['data-secret'] = true;
    $allowed_html['iframe']['data-secret'] = true;
    $html = wp_kses($html, $allowed_html);
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_ireplace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    return $html;
}

WordPress Version: 6.2

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_replace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    preg_match('/ src=[\'"]([^\'"]*)[\'"]/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[1]}#?secret={$secret}");
        $html = str_replace($results[0], " src=\"{$url}\" data-secret=\"{$secret}\"", $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    return $html;
}

WordPress Version: .10

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    preg_match('/ src=([\'"])(.*?)\1/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[2]}#?secret={$secret}");
        $q = $results[1];
        $html = str_replace($results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    $allowed_html['blockquote']['data-secret'] = true;
    $allowed_html['iframe']['data-secret'] = true;
    $html = wp_kses($html, $allowed_html);
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_ireplace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    return $html;
}

WordPress Version: 5.4

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_replace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    preg_match('/ src=[\'"]([^\'"]*)[\'"]/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[1]}#?secret={$secret}");
        $html = str_replace($results[0], " src=\"{$url}\" data-secret=\"{$secret}\"", $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    return $html;
}

WordPress Version: .30

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    preg_match('/ src=([\'"])(.*?)\1/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[2]}#?secret={$secret}");
        $q = $results[1];
        $html = str_replace($results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    $allowed_html['blockquote']['data-secret'] = true;
    $allowed_html['iframe']['data-secret'] = true;
    $html = wp_kses($html, $allowed_html);
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_ireplace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    return $html;
}

WordPress Version: 5.3

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_replace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    preg_match('/ src=[\'"]([^\'"]*)[\'"]/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[1]}#?secret={$secret}");
        $html = str_replace($results[0], " src=\"{$url}\" data-secret=\"{$secret}\"", $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    return $html;
}

WordPress Version: .20

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    preg_match('/ src=([\'"])(.*?)\1/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[2]}#?secret={$secret}");
        $q = $results[1];
        $html = str_replace($results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    $allowed_html['blockquote']['data-secret'] = true;
    $allowed_html['iframe']['data-secret'] = true;
    $html = wp_kses($html, $allowed_html);
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_ireplace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    return $html;
}

WordPress Version: 5.2

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_replace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    preg_match('/ src=[\'"]([^\'"]*)[\'"]/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[1]}#?secret={$secret}");
        $html = str_replace($results[0], " src=\"{$url}\" data-secret=\"{$secret}\"", $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    return $html;
}

WordPress Version: .10

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    preg_match('/ src=([\'"])(.*?)\1/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[2]}#?secret={$secret}");
        $q = $results[1];
        $html = str_replace($results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    $allowed_html['blockquote']['data-secret'] = true;
    $allowed_html['iframe']['data-secret'] = true;
    $html = wp_kses($html, $allowed_html);
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_ireplace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    return $html;
}

WordPress Version: 4.4

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_replace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    preg_match('/ src=[\'"]([^\'"]*)[\'"]/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[1]}#?secret={$secret}");
        $html = str_replace($results[0], " src=\"{$url}\" data-secret=\"{$secret}\"", $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    return $html;
}

WordPress Version: .30

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    preg_match('/ src=([\'"])(.*?)\1/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[2]}#?secret={$secret}");
        $q = $results[1];
        $html = str_replace($results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    $allowed_html['blockquote']['data-secret'] = true;
    $allowed_html['iframe']['data-secret'] = true;
    $html = wp_kses($html, $allowed_html);
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_ireplace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    return $html;
}

WordPress Version: 4.3

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_replace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    preg_match('/ src=[\'"]([^\'"]*)[\'"]/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[1]}#?secret={$secret}");
        $html = str_replace($results[0], " src=\"{$url}\" data-secret=\"{$secret}\"", $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    return $html;
}

WordPress Version: .20

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    preg_match('/ src=([\'"])(.*?)\1/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[2]}#?secret={$secret}");
        $q = $results[1];
        $html = str_replace($results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    $allowed_html['blockquote']['data-secret'] = true;
    $allowed_html['iframe']['data-secret'] = true;
    $html = wp_kses($html, $allowed_html);
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_ireplace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    return $html;
}

WordPress Version: 4.2

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="display:none;"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_replace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    preg_match('/ src=[\'"]([^\'"]*)[\'"]/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[1]}#?secret={$secret}");
        $html = str_replace($results[0], " src=\"{$url}\" data-secret=\"{$secret}\"", $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    return $html;
}

WordPress Version: .11

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    preg_match('/ src=([\'"])(.*?)\1/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[2]}#?secret={$secret}");
        $q = $results[1];
        $html = str_replace($results[0], ' src=' . $q . $url . $q . ' data-secret=' . $q . $secret . $q, $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    $allowed_html['blockquote']['data-secret'] = true;
    $allowed_html['iframe']['data-secret'] = true;
    $html = wp_kses($html, $allowed_html);
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_ireplace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    return $html;
}

WordPress Version: .10

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="position: absolute; clip: rect(1px, 1px, 1px, 1px);"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_replace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    preg_match('/ src=[\'"]([^\'"]*)[\'"]/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[1]}#?secret={$secret}");
        $html = str_replace($results[0], " src=\"{$url}\" data-secret=\"{$secret}\"", $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    return $html;
}

WordPress Version: 4.4

/**
 * Filters the given oEmbed HTML.
 *
 * If the `$url` isn't on the trusted providers list,
 * we need to filter the HTML heavily for security.
 *
 * Only filters 'rich' and 'html' response types.
 *
 * @since 4.4.0
 *
 * @param string $result The oEmbed HTML result.
 * @param object $data   A data object result from an oEmbed provider.
 * @param string $url    The URL of the content to be embedded.
 * @return string The filtered and sanitized oEmbed result.
 */
function wp_filter_oembed_result($result, $data, $url)
{
    if (false === $result || !in_array($data->type, array('rich', 'video'))) {
        return $result;
    }
    require_once ABSPATH . WPINC . '/class-oembed.php';
    $wp_oembed = _wp_oembed_get_object();
    // Don't modify the HTML for trusted providers.
    if (false !== $wp_oembed->get_provider($url, array('discover' => false))) {
        return $result;
    }
    $allowed_html = array('a' => array('href' => true), 'blockquote' => array(), 'iframe' => array('src' => true, 'width' => true, 'height' => true, 'frameborder' => true, 'marginwidth' => true, 'marginheight' => true, 'scrolling' => true, 'title' => true));
    $html = wp_kses($result, $allowed_html);
    preg_match('|(<blockquote>.*?</blockquote>)?.*(<iframe.*?></iframe>)|ms', $html, $content);
    // We require at least the iframe to exist.
    if (empty($content[2])) {
        return false;
    }
    $html = $content[1] . $content[2];
    if (!empty($content[1])) {
        // We have a blockquote to fall back on. Hide the iframe by default.
        $html = str_replace('<iframe', '<iframe style="display:none;"', $html);
        $html = str_replace('<blockquote', '<blockquote class="wp-embedded-content"', $html);
    }
    $html = str_replace('<iframe', '<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"', $html);
    preg_match('/ src=[\'"]([^\'"]*)[\'"]/', $html, $results);
    if (!empty($results)) {
        $secret = wp_generate_password(10, false);
        $url = esc_url("{$results[1]}#?secret={$secret}");
        $html = str_replace($results[0], " src=\"{$url}\" data-secret=\"{$secret}\"", $html);
        $html = str_replace('<blockquote', "<blockquote data-secret=\"{$secret}\"", $html);
    }
    return $html;
}