Changeset 28773


Timestamp:
06/18/2014 07:48:46 PM (6 years ago)
Author:
wonderboymusic
Message:

In wptexturize() + tests:

  • Allow well-formed HTML inside of shortcode attributes
  • Restrict recursion. HTML is allowed but ignored.
  • Do not allow exotic HTML comments in shortcode attributes.
  • Continue to ignore the [ and ] chars if they appear in any HTML attribute.
  • Update related regex patterns.
  • Update unit tests.

Props miqrogroove.
Fixes #28564.

Location:
trunk
Files:
2 edited

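--- a/trunk/src/wp-includes/formatting.php
+++ b/trunk/src/wp-includes/formatting.php
@@ -204,5 +204,9 @@
         .   '\['        // Find start of shortcode.
         .   '\[?'       // Shortcodes may begin with [[
-        .   '[^\[\]<>]+'    // Shortcodes do not contain other shortcodes or HTML elements.
+        .   '(?:'
+        .       '[^\[\]<>]' // Shortcodes do not contain other shortcodes.
+        .   '|'
+        .       '<.+?>' // HTML elements permitted. Prevents matching ] before >.
+        .   ')+'
         .   '\]'        // Find end of shortcode.
         .   '\]?'       // Shortcodes may end with ]]
@@ -221,10 +225,10 @@
             }
 
-        } elseif ( '[' === $first && 1 === preg_match( '/^\[[^\[\]<>]+\]$/', $curl ) ) {
+        } elseif ( '[' === $first && 1 === preg_match( '/^\[(?:[^\[\]<>]|<.+?>)+\]$/', $curl ) ) {
             // This is a shortcode delimeter.
 
             _wptexturize_pushpop_element( $curl, $no_texturize_shortcodes_stack, $no_texturize_shortcodes, '[', ']' );
 
-        } elseif ( '[' === $first && 1 === preg_match( '/^\[\[?[^\[\]<>]+\]\]?$/', $curl ) ) {
+        } elseif ( '[' === $first && 1 === preg_match( '/^\[\[?(?:[^\[\]<>]|<.+?>)+\]\]?$/', $curl ) ) {
             // This is an escaped shortcode delimeter.
 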
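Review bot: The new `<.+?>` alternative is not confined to a single tag, because `.` also matches `>`, `<`, `[` and `]`. In `(?:[^\[\]<>]|<.+?>)+` (the split pattern at new line 209 and both `preg_match()` calls at new lines 227 and 232) a run of tags can be consumed as one group or as several. When no closing `]` follows, PCRE has to try those partitions, so matching cost can grow quickly if untrusted text reaches wptexturize(). Consider `'<[^<>]+>'`, which gives each tag exactly one parse, and confirm it against the WPTexturize cases in this changeset. Also, `1 === preg_match( ... )` treats a `false` return (for example when the backtrack limit is hit) the same as no match, so such a failure falls silently into the following branch, which lies outside this hunk along with the rest of the enclosing function.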
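--- a/trunk/tests/phpunit/tests/formatting/WPTexturize.php
+++ b/trunk/tests/phpunit/tests/formatting/WPTexturize.php
@@ -1147,4 +1147,8 @@
         return array(
             array(
+                '[ is it wise to <a title="allow user content ] here? hmm"> maybe </a> ]',
+                '[ is it wise to <a title="allow user content ] here? hmm"> maybe </a> ]',
+            ),
+            array(
                 '[ photos by <a href="http://example.com/?a[]=1&a[]=2"> this guy </a> ]',
                 '[ photos by <a href="http://example.com/?a[]=1&#038;a[]=2"> this guy </a> ]',
@@ -1195,6 +1199,6 @@
             ),
             array(
+                '[gallery <br ... /> ...]', // This tag is still valid. Shortcode 'attributes' are not considered in the initial parsing of shortcodes, and HTML is allowed.
                 '[gallery <br ... /> ...]',
-                '[gallery <br ... /> &#8230;]',
             ),
             array(
@@ -1235,6 +1239,6 @@
             ),
             array(
+                '[[gallery <br ... /> ...]]', // This gets parsed as an escaped shortcode with embedded HTML.  Brains may explode.
                 '[[gallery <br ... /> ...]]',
-                '[[gallery <br ... /> &#8230;]]',
             ),
             array(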
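Review bot: The added cases at new lines 1149-1152, 1201 and 1241 only exercise bracketed text whose embedded tags are closed and followed by `]`; nothing pins the behaviour where `<.+?>` differs from a real tag parser. I would add data sets, each with its expected output, for a `<` inside the brackets that is never closed, a tag that spans a line break, and a long run of tags with no closing `]`. With those in place, a later change to the pattern cannot silently alter the output or slow this path down. The comment at new line 1241 would help the next reader more if it stated the rule being tested, for example `// Escaped shortcode with embedded HTML: content is left untexturized.`. The data provider's signature and closing lines are outside these hunks.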