Automattic\WooCommerce\EmailEditor\Integrations\Core\Renderer\Blocks
Embed::url_matches_provider
Validate that a URL's host matches the expected provider's domains. This prevents SSRF when the provider is set via user-controlled attributes.
Method of the class: Embed{}
No Hooks.
Returns
true|false. True if URL host matches provider domains.
Usage
// private - for code of main (parent) class only
$result = $this->url_matches_provider( $url, $provider ); // bool
- $url (string) (required)
  - URL to validate.
- $provider (string) (required)
  - Provider name.
Embed::url_matches_provider() code WC 10.7.0
private function url_matches_provider( string $url, string $provider ): bool {
	if ( ! $this->is_valid_url( $url ) ) {
		return false;
	}

	$parsed_url = wp_parse_url( $url );
	if ( ! isset( $parsed_url['host'] ) ) {
		return false;
	}

	$url_host = strtolower( $parsed_url['host'] );

	// Get allowed domains for this provider.
	$all_providers   = $this->get_all_provider_configs();
	$allowed_domains = $all_providers[ $provider ]['domains'] ?? array();

	foreach ( $allowed_domains as $allowed_domain ) {
		$allowed_domain = strtolower( $allowed_domain );
		// Accept the exact domain or a subdomain of it. The leading dot in the
		// suffix check keeps a host that merely ends in the same characters from matching.
		if ( $url_host === $allowed_domain || str_ends_with( $url_host, '.' . $allowed_domain ) ) {
			return true;
		}
	}

	// Unknown provider or no matching domain.
	return false;
}
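The host comparison above, reduced to a standalone script as an added example (not WooCommerce code) that contrasts the exact-or-dot-suffix match with a substring check. It assumes PHP's `parse_url()` in place of `wp_parse_url()` and omits `is_valid_url()`; `PROVIDER_DOMAINS`, `host_matches_provider()`, `naive_matches_provider()` and the sample URLs are hypothetical and constructed for illustration.

```php
<?php
// Added example, not WooCommerce code. Provider map and URLs are constructed;
// the real domain list comes from get_all_provider_configs().
const PROVIDER_DOMAINS = array(
	'youtube' => array( 'youtube.com', 'youtu.be' ),
);

// Exact host or dot-prefixed suffix match, as in url_matches_provider().
function host_matches_provider( string $url, string $provider ): bool {
	$host = parse_url( $url, PHP_URL_HOST ); // null or false when no usable host
	if ( ! is_string( $host ) || '' === $host ) {
		return false;
	}
	$host = strtolower( $host );
	foreach ( PROVIDER_DOMAINS[ $provider ] ?? array() as $domain ) {
		$domain = strtolower( $domain );
		if ( $host === $domain || str_ends_with( $host, '.' . $domain ) ) {
			return true;
		}
	}
	return false; // unknown provider or no matching domain: fail closed
}

// Weak variant for contrast: substring search over the whole URL.
function naive_matches_provider( string $url, string $provider ): bool {
	foreach ( PROVIDER_DOMAINS[ $provider ] ?? array() as $domain ) {
		if ( str_contains( strtolower( $url ), strtolower( $domain ) ) ) {
			return true;
		}
	}
	return false;
}

$cases = array(
	array( 'https://www.youtube.com/watch?v=abc', 'youtube' ),   // subdomain: allowed
	array( 'https://YouTu.be/abc', 'youtube' ),                  // case-insensitive
	array( 'https://notyoutube.com/x', 'youtube' ),              // no dot boundary
	array( 'https://youtube.com.example.net/x', 'youtube' ),     // domain as prefix label
	array( 'https://youtube.com@example.net/x', 'youtube' ),     // domain in userinfo
	array( 'https://example.net/?u=youtube.com', 'youtube' ),    // domain in query
	array( 'https://www.youtube.com/x', 'unknown' ),             // provider not configured
);

foreach ( $cases as list( $url, $provider ) ) {
	printf( "%-40s %-8s strict=%-5s naive=%s\n", $url, $provider,
		var_export( host_matches_provider( $url, $provider ), true ),
		var_export( naive_matches_provider( $url, $provider ), true ) );
}
```

Requires PHP 8.0 or later for `str_ends_with()` and `str_contains()`. Only the first two rows pass the strict check, while the substring variant also accepts the next four.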