fix: Validate oEmbed provider data in constructor with _doing_it_wrong() alert

Sukhendu2002 · Sukhendu2002 · commit 1684c574635c · 2026-04-21T12:28:25.000+05:30
diff --git a/src/wp-includes/class-wp-oembed.php b/src/wp-includes/class-wp-oembed.php
@@ -221,10 +221,28 @@ public function __construct() {
 		 *
 		 * @since 2.9.0
 		 *
-		 * @param array[] $providers An array of arrays containing data about popular oEmbed providers.
+		 * @param array<string, array{ 0: string, 1?: bool }> $providers An associative array mapping URL patterns to
+		 *                                                                provider data. Each value must be an array
+		 *                                                                with a provider endpoint URL string at index 0
+		 *                                                                and an optional boolean regex flag at index 1.
 		 */
 		$this->providers = apply_filters( 'oembed_providers', $providers );
 
+		foreach ( $this->providers as $matchmask => $data ) {
+			if ( ! is_array( $data ) || ! isset( $data[0] ) || ! is_string( $data[0] ) ) {
+				_doing_it_wrong(
+					'oembed_providers',
+					sprintf(
+						/* translators: %s: The oEmbed provider URL pattern. */
+						__( 'The oEmbed provider data for %s is malformed. Each provider must be an array with a provider endpoint URL string at index 0 and an optional boolean regex flag at index 1.' ),
+						'<code>' . esc_html( (string) $matchmask ) . '</code>'
+					),
+					'7.1.0'
+				);
+				unset( $this->providers[ $matchmask ] );
+			}
+		}
+
 		// Fix any embeds that contain new lines in the middle of the HTML which breaks wpautop().
 		add_filter( 'oembed_dataparse', array( $this, '_strip_newlines' ), 10, 3 );
 	}
@@ -273,9 +291,6 @@ public function get_provider( $url, $args = '' ) {
 		}
 
 		foreach ( $this->providers as $matchmask => $data ) {
-			if ( ! is_array( $data ) || ! isset( $data[0] ) ) {
-				continue;
-			}
 			$providerurl = $data[0];
 			$regex       = $data[1] ?? false;
 
diff --git a/tests/phpunit/tests/oembed/wpOembed.php b/tests/phpunit/tests/oembed/wpOembed.php
@@ -280,31 +280,23 @@ public function test_wp_filter_pre_oembed_result_multisite_restores_state_if_no_
 	/**
 	 * @ticket 65068
 	 *
-	 * @covers ::get_provider
+	 * @covers WP_oEmbed::__construct
 	 */
-	public function test_get_provider_skips_malformed_provider_entries() {
-		$warnings = array();
-
-		$error_handler = function ( $errno, $errstr ) use ( &$warnings ) {
-			if ( E_WARNING === $errno ) {
-				$warnings[] = $errstr;
-			}
-			return false;
+	public function test_malformed_provider_triggers_doing_it_wrong_and_is_removed() {
+		$filter = static function ( $providers ) {
+			$providers['bad_provider'] = array(
+				'url'      => '#https?://example\.site/.*#i',
+				'endpoint' => 'https://example.site/api/oembed',
+			);
+			return $providers;
 		};
 
-		set_error_handler( $error_handler );
-
-		$this->oembed->providers['bad_provider'] = array(
-			'url'      => '#https?://example\.site/.*#i',
-			'endpoint' => 'https://example.site/api/oembed',
-		);
-
-		$result = $this->oembed->get_provider( 'https://en.wikipedia.org/wiki/Rickrolling' );
-
-		restore_error_handler();
+		add_filter( 'oembed_providers', $filter );
+		$this->setExpectedIncorrectUsage( 'oembed_providers' );
+		$oembed = new WP_oEmbed();
+		remove_filter( 'oembed_providers', $filter );
 
-		$this->assertFalse( $result );
-		$this->assertSame( array(), $warnings, 'PHP warnings were raised: ' . implode( ', ', $warnings ) );
+		$this->assertArrayNotHasKey( 'bad_provider', $oembed->providers );
 	}
 
 	/**
@@ -313,25 +305,11 @@ public function test_get_provider_skips_malformed_provider_entries() {
 	 * @covers ::get_provider
 	 */
 	public function test_get_provider_handles_provider_without_regex_flag() {
-		$warnings = array();
-
-		$error_handler = function ( $errno, $errstr ) use ( &$warnings ) {
-			if ( E_WARNING === $errno ) {
-				$warnings[] = $errstr;
-			}
-			return false;
-		};
-
-		set_error_handler( $error_handler );
-
 		// Provider with only index 0 set (no regex flag) — should default $regex to false.
 		$this->oembed->providers['https://example.site/*'] = array( 'https://example.site/api/oembed' );
 
 		$result = $this->oembed->get_provider( 'https://example.site/video/123' );
 
-		restore_error_handler();
-
 		$this->assertSame( 'https://example.site/api/oembed', $result );
-		$this->assertSame( array(), $warnings, 'PHP warnings were raised: ' . implode( ', ', $warnings ) );
 	}
 }
