Ticket #34090: 34090.3.diff

src/wp-includes/shortcodes.php

@@ -88 +88 @@
  */
 function add_shortcode($tag, $func) {
         global $shortcode_tags;
+
+        if ( '' == trim( $tag ) ) {
+                $message = __( 'Invalid shortcode name.  Empty name given.' );
+                _doing_it_wrong( __FUNCTION__, $message, '4.4.0' );
+                return;
+        }
+
+        if ( 0 !== preg_match( '@[<>&/\[\]\x00-\x20]@', $tag ) ) {
+                $message = sprintf( __( 'Invalid shortcode name: %s  Do not use spaces or reserved chars: & / < > [ ]' ), $tag );
+                _doing_it_wrong( __FUNCTION__, $message, '4.4.0' );
+                return;
+        }
+
         $shortcode_tags[ $tag ] = $func;
 }
 

tests/phpunit/tests/shortcode.php

@@ -539 +539 @@
                 $this->assertTrue( has_shortcode( $content_nested, 'gallery' ) );
                 remove_shortcode( 'foo' );
         }
+
+        /**
+         * Make sure invalid shortcode names are not allowed.
+         *
+         * @dataProvider data_registration_bad
+         * @expectedIncorrectUsage add_shortcode
+         */
+        function test_registration_bad( $input, $expected ) {
+                return $this->sub_registration( $input, $expected );
+        }
+        
+        /**
+         * Make sure valid shortcode names are allowed.
+         *
+         * @dataProvider data_registration_good
+         */
+        function test_registration_good( $input, $expected ) {
+                return $this->sub_registration( $input, $expected );
+        }
+        
+        function sub_registration( $input, $expected ) {
+                add_shortcode( $input, '' );
+                $actual = shortcode_exists( $input );
+                $test = $this->assertEquals( $expected, $actual );
+                if ( $actual ) remove_shortcode( $input );
+                return $test;
+        }
+        
+        function data_registration_bad() {
+                return array(
+                        array(
+                                '<html>',
+                                false,
+                        ),
+                        array(
+                                '[shortcode]',
+                                false,
+                        ),
+                        array(
+                                'bad/',
+                                false,
+                        ),
+                        array(
+                                '/bad',
+                                false,
+                        ),
+                        array(
+                                'bad space',
+                                false,
+                        ),
+                        array(
+                                '&amp;',
+                                false,
+                        ),
+                        array(
+                                '',
+                                false,
+                        ),
+                );
+        }
+
+        function data_registration_good() {
+                return array(
+                        array(
+                                'good!',
+                                true,
+                        ),
+                        array(
+                                'plain',
+                                true,
+                        ),
+                        array(
+                                'unreserved!#$%()*+,-.;?@^_{|}~chars',
+                                true,
+                        ),
+                );
+        }
 }