From b7e407cce810dbb834213d0069828fd333b46b40 Mon Sep 17 00:00:00 2001
From: nacin <nacin@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Thu, 19 Apr 2012 19:46:34 +0000
Subject: [PATCH] Add sanity checks to WP_oEmbed::data2html() to ensure we are
 working with scalar values. Always use the filter. props mdawaffe, fixes
 #20322.

git-svn-id: http://svn.automattic.com/wordpress/trunk@20539 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-oembed.php | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/wp-includes/class-oembed.php b/wp-includes/class-oembed.php
index e5f9989a3..f933fe8ed 100644
--- a/wp-includes/class-oembed.php
+++ b/wp-includes/class-oembed.php
@@ -227,25 +227,31 @@ class WP_oEmbed {
 	 * @return bool|string False on error, otherwise the HTML needed to embed.
 	 */
 	function data2html( $data, $url ) {
-		if ( !is_object($data) || empty($data->type) )
+		if ( ! is_object( $data ) || empty( $data->type ) )
 			return false;
 
+		$return = false;
+
 		switch ( $data->type ) {
 			case 'photo':
-				if ( empty($data->url) || empty($data->width) || empty($data->height) )
-					return false;
+				if ( empty( $data->url ) || empty( $data->width ) || empty( $data->height ) )
+					break;
+				if ( ! is_string( $data->url ) || ! is_numeric( $data->width ) || ! is_numeric( $data->height ) )
+					break;
 
-				$title = ( !empty($data->title) ) ? $data->title : '';
+				$title = ! empty( $data->title ) && is_string( $data->title ) ? $data->title : '';
 				$return = '<a href="' . esc_url( $url ) . '"><img src="' . esc_url( $data->url ) . '" alt="' . esc_attr($title) . '" width="' . esc_attr($data->width) . '" height="' . esc_attr($data->height) . '" /></a>';
 				break;
 
 			case 'video':
 			case 'rich':
-				$return = ( !empty($data->html) ) ? $data->html : false;
+				if ( ! empty( $data->html ) && is_string( $data->html ) )
+					$return = $data->html;
 				break;
 
 			case 'link':
-				$return = ( !empty($data->title) ) ? '<a href="' . esc_url($url) . '">' . esc_html($data->title) . '</a>' : false;
+				if ( ! empty( $data->title ) && is_string( $data->title ) )
+					$return = '<a href="' . esc_url( $url ) . '">' . esc_html( $data->title ) . '</a>';
 				break;
 
 			default: