Changeset 34745

Timestamp:

10/01/2015 05:33:58 PM (9 years ago)

Author:

wonderboymusic

Message:

Shortcodes: prevent registration of invalid shortcode names.

Adds unit tests.

Props miqrogroove.
Fixes #34090.

Location:

trunk

Files:

• src/wp-includes/shortcodes.php (modified) (1 diff)
• tests/phpunit/tests/shortcode.php (modified) (1 diff)

trunk/src/wp-includes/shortcodes.php

@@ -89 +89 @@
 function add_shortcode($tag, $func) {
     global $shortcode_tags;
+
+    if ( '' == trim( $tag ) ) {
+        $message = __( 'Invalid shortcode name.  Empty name given.' );
+        _doing_it_wrong( __FUNCTION__, $message, '4.4.0' );
+        return;
+    }
+
+    if ( 0 !== preg_match( '@[<>&/\[\]\x00-\x20]@', $tag ) ) {
+        $message = sprintf( __( 'Invalid shortcode name: %s  Do not use spaces or reserved chars: & / < > [ ]' ), $tag );
+        _doing_it_wrong( __FUNCTION__, $message, '4.4.0' );
+        return;
+    }
+
     $shortcode_tags[ $tag ] = $func;
 }

trunk/tests/phpunit/tests/shortcode.php

@@ -540 +540 @@
         remove_shortcode( 'foo' );
     }
+
+    /**
+     * Make sure invalid shortcode names are not allowed.
+     *
+     * @dataProvider data_registration_bad
+     * @expectedIncorrectUsage add_shortcode
+     */
+    function test_registration_bad( $input, $expected ) {
+        return $this->sub_registration( $input, $expected );
+    }
+    
+    /**
+     * Make sure valid shortcode names are allowed.
+     *
+     * @dataProvider data_registration_good
+     */
+    function test_registration_good( $input, $expected ) {
+        return $this->sub_registration( $input, $expected );
+    }
+    
+    function sub_registration( $input, $expected ) {
+        add_shortcode( $input, '' );
+        $actual = shortcode_exists( $input );
+        $test = $this->assertEquals( $expected, $actual );
+        if ( $actual ) remove_shortcode( $input );
+        return $test;
+    }
+    
+    function data_registration_bad() {
+        return array(
+            array(
+                '<html>',
+                false,
+            ),
+            array(
+                '[shortcode]',
+                false,
+            ),
+            array(
+                'bad/',
+                false,
+            ),
+            array(
+                '/bad',
+                false,
+            ),
+            array(
+                'bad space',
+                false,
+            ),
+            array(
+                '&amp;',
+                false,
+            ),
+            array(
+                '',
+                false,
+            ),
+        );
+    }
+
+    function data_registration_good() {
+        return array(
+            array(
+                'good!',
+                true,
+            ),
+            array(
+                'plain',
+                true,
+            ),
+            array(
+                'unreserved!#$%()*+,-.;?@^_{|}~chars',
+                true,
+            ),
+        );
+    }
 }