Index: src/wp-admin/import.php
===================================================================
--- src/wp-admin/import.php (revision 29789)
+++ src/wp-admin/import.php (working copy)
@@ -79,6 +79,7 @@
$data) {
$action = '';
@@ -115,6 +116,7 @@
| {$data[1]} |
";
}
+ enable_shortcodes();
?>
Index: src/wp-admin/includes/plugin.php
===================================================================
--- src/wp-admin/includes/plugin.php (revision 29789)
+++ src/wp-admin/includes/plugin.php (working copy)
@@ -165,7 +165,9 @@
if ( $plugin_data['AuthorURI'] && $plugin_data['Author'] )
$plugin_data['Author'] = '' . $plugin_data['Author'] . '';
+ disable_shortcodes();
$plugin_data['Description'] = wptexturize( $plugin_data['Description'] );
+ enable_shortcodes();
if ( $plugin_data['Author'] )
$plugin_data['Description'] .= ' ' . sprintf( __('By %s.'), $plugin_data['Author'] ) . '';
Index: src/wp-admin/menu-header.php
===================================================================
--- src/wp-admin/menu-header.php (revision 29789)
+++ src/wp-admin/menu-header.php (working copy)
@@ -46,6 +46,8 @@
function _wp_menu_output( $menu, $submenu, $submenu_as_parent = true ) {
global $self, $parent_file, $submenu_file, $plugin_page, $typenow;
+ disable_shortcodes();
+
$first = true;
// 0 = menu_title, 1 = capability, 2 = menu_slug, 3 = page_title, 4 = classes, 5 = hookname, 6 = icon_url
foreach ( $menu as $key => $item ) {
@@ -204,6 +206,8 @@
echo '';
+
+ enable_shortcodes();
}
?>
Index: src/wp-includes/class-wp-theme.php
===================================================================
--- src/wp-includes/class-wp-theme.php (revision 29789)
+++ src/wp-includes/class-wp-theme.php (working copy)
@@ -658,7 +658,9 @@
$value = $this->get_stylesheet();
break;
case 'Description' :
+ disable_shortcodes();
$value = wptexturize( $value );
+ enable_shortcodes();
break;
case 'Author' :
if ( $this->get('AuthorURI') ) {
Index: src/wp-includes/comment-template.php
===================================================================
--- src/wp-includes/comment-template.php (revision 29789)
+++ src/wp-includes/comment-template.php (working copy)
@@ -963,6 +963,8 @@
if ( isset( $_SERVER['HTTP_USER_AGENT'] ) && false !== stripos( $_SERVER['HTTP_USER_AGENT'], 'W3C_Validator' ) ) {
return;
}
+
+ disable_shortcodes();
echo '\n";
echo '';
+
+ enable_shortcodes();
}
/**
Index: src/wp-includes/default-filters.php
===================================================================
--- src/wp-includes/default-filters.php (revision 29789)
+++ src/wp-includes/default-filters.php (working copy)
@@ -92,9 +92,11 @@
// Format strings for display.
foreach ( array( 'comment_author', 'term_name', 'link_name', 'link_description', 'link_notes', 'bloginfo', 'wp_title', 'widget_title' ) as $filter ) {
- add_filter( $filter, 'wptexturize' );
- add_filter( $filter, 'convert_chars' );
- add_filter( $filter, 'esc_html' );
+ add_filter( $filter, 'restrict_shortcodes', 8 );
+ add_filter( $filter, 'wptexturize' );
+ add_filter( $filter, 'convert_chars' );
+ add_filter( $filter, 'esc_html' );
+ add_filter( $filter, 'enable_shortcodes', 12 );
}
// Format WordPress
@@ -104,16 +106,20 @@
// Format titles
foreach ( array( 'single_post_title', 'single_cat_title', 'single_tag_title', 'single_month_title', 'nav_menu_attr_title', 'nav_menu_description' ) as $filter ) {
- add_filter( $filter, 'wptexturize' );
- add_filter( $filter, 'strip_tags' );
+ add_filter( $filter, 'restrict_shortcodes', 8 );
+ add_filter( $filter, 'wptexturize' );
+ add_filter( $filter, 'strip_tags' );
+ add_filter( $filter, 'enable_shortcodes', 12 );
}
// Format text area for display.
foreach ( array( 'term_description' ) as $filter ) {
- add_filter( $filter, 'wptexturize' );
- add_filter( $filter, 'convert_chars' );
- add_filter( $filter, 'wpautop' );
- add_filter( $filter, 'shortcode_unautop');
+ add_filter( $filter, 'restrict_shortcodes', 8 );
+ add_filter( $filter, 'wptexturize' );
+ add_filter( $filter, 'convert_chars' );
+ add_filter( $filter, 'wpautop' );
+ add_filter( $filter, 'shortcode_unautop' );
+ add_filter( $filter, 'enable_shortcodes', 12 );
}
// Format for RSS
@@ -124,9 +130,11 @@
add_filter( 'wp_update_term_parent', 'wp_check_term_hierarchy_for_loops', 10, 3 );
// Display filters
-add_filter( 'the_title', 'wptexturize' );
-add_filter( 'the_title', 'convert_chars' );
-add_filter( 'the_title', 'trim' );
+add_filter( 'the_title', 'restrict_shortcodes', 8 );
+add_filter( 'the_title', 'wptexturize' );
+add_filter( 'the_title', 'convert_chars' );
+add_filter( 'the_title', 'trim' );
+add_filter( 'the_title', 'enable_shortcodes', 12 );
add_filter( 'the_content', 'wptexturize' );
add_filter( 'the_content', 'convert_smilies' );
@@ -135,16 +143,21 @@
add_filter( 'the_content', 'shortcode_unautop' );
add_filter( 'the_content', 'prepend_attachment' );
-add_filter( 'the_excerpt', 'wptexturize' );
-add_filter( 'the_excerpt', 'convert_smilies' );
-add_filter( 'the_excerpt', 'convert_chars' );
-add_filter( 'the_excerpt', 'wpautop' );
-add_filter( 'the_excerpt', 'shortcode_unautop');
+add_filter( 'the_excerpt', 'restrict_shortcodes', 8 );
+add_filter( 'the_excerpt', 'wptexturize' );
+add_filter( 'the_excerpt', 'convert_smilies' );
+add_filter( 'the_excerpt', 'convert_chars' );
+add_filter( 'the_excerpt', 'wpautop' );
+add_filter( 'the_excerpt', 'shortcode_unautop' );
+add_filter( 'the_excerpt', 'enable_shortcodes', 12 );
+
add_filter( 'get_the_excerpt', 'wp_trim_excerpt' );
+add_filter( 'comment_text', 'restrict_shortcodes', 8 );
add_filter( 'comment_text', 'wptexturize' );
add_filter( 'comment_text', 'convert_chars' );
add_filter( 'comment_text', 'make_clickable', 9 );
+add_filter( 'comment_text', 'enable_shortcodes', 12 );
add_filter( 'comment_text', 'force_balance_tags', 25 );
add_filter( 'comment_text', 'convert_smilies', 20 );
add_filter( 'comment_text', 'wpautop', 30 );
@@ -151,7 +164,9 @@
add_filter( 'comment_excerpt', 'convert_chars' );
-add_filter( 'list_cats', 'wptexturize' );
+add_filter( 'list_cats', 'restrict_shortcodes', 8 );
+add_filter( 'list_cats', 'wptexturize' );
+add_filter( 'list_cats', 'enable_shortcodes', 12 );
add_filter( 'wp_sprintf', 'wp_sprintf_l', 10, 2 );
Index: src/wp-includes/formatting.php
===================================================================
--- src/wp-includes/formatting.php (revision 29789)
+++ src/wp-includes/formatting.php (working copy)
@@ -28,7 +28,7 @@
* @return string The string replaced with html entities
*/
function wptexturize($text, $reset = false) {
- global $wp_cockneyreplace;
+ global $wp_cockneyreplace, $shortcode_enabled;
static $static_characters, $static_replacements, $dynamic_characters, $dynamic_replacements,
$default_no_texturize_tags, $default_no_texturize_shortcodes, $run_texturize = true;
@@ -203,36 +203,52 @@
$no_texturize_tags_stack = array();
$no_texturize_shortcodes_stack = array();
+ $find_shortcodes = false;
+ $html = '';
+
+ if ( 'false' !== $shortcode_enabled ) {
+ if ( 'restricted' === $shortcode_enabled ) {
+ // Shortcodes in this $text are not allowed to contain raw HTML.
+ $html = '<>';
+ }
+ $pos = strpos( $text, '[' );
+ if ( false !== $pos && false !== strpos( $text, ']', $pos ) ) {
+ $find_shortcodes = true;
+ }
+ }
+
// Look for shortcodes and HTML elements.
$comment_regex =
- '!' // Start of comment, after the <.
- . '(?:' // Unroll the loop: Consume everything until --> is found.
- . '-(?!->)' // Dash not followed by end of comment.
- . '[^\-]*+' // Consume non-dashes.
- . ')*+' // Loop possessively.
- . '(?:-->)?'; // End of comment. If not found, match all input.
-
+ '!' // Start of comment, after the <.
+ . '(?:' // Unroll the loop: Consume everything until --> is found.
+ . '-(?!->)' // Dash not followed by end of comment.
+ . '[^\-]*+' // Consume non-dashes.
+ . ')*+' // Loop possessively.
+ . '(?:-->)?'; // End of comment. If not found, match all input.
+
+ $html_regex =
+ '<' // Find start of element.
+ . '(?(?=!--)' // Is this a comment?
+ . $comment_regex // Find end of comment.
+ . '|'
+ . '[^>]+>' // Find end of element.
+ . ')';
+
$shortcode_regex =
- '\[' // Find start of shortcode.
- . '[\/\[]?' // Shortcodes may begin with [/ or [[
- . '[^\s\/\[\]]' // No whitespace before name.
- . '[^\[\]]*+' // Shortcodes do not contain other shortcodes. Possessive critical.
- . '\]' // Find end of shortcode.
- . '\]?'; // Shortcodes may end with ]]
-
- $regex =
- '/(' // Capture the entire match.
- . '<' // Find start of element.
- . '(?(?=!--)' // Is this a comment?
- . $comment_regex // Find end of comment.
- . '|'
- . '[^>]+>' // Find end of element.
- . ')'
- . '|'
- . $shortcode_regex // Find shortcodes.
- . ')/s';
+ '\[' // Find start of shortcode.
+ . '[\/\[]?' // Shortcodes may begin with [/ or [[
+ . '[^\s\/\[\]]' // No whitespace before name.
+ . "[^\[\]$html]*+" // Shortcodes do not contain other shortcodes. Possessive critical.
+ . '\]' // Find end of shortcode.
+ . '\]?'; // Shortcodes may end with ]]
+ if ( $find_shortcodes ) {
+ $regex = "/($html_regex|$shortcode_regex)/s";
+ } else {
+ $regex = "/($html_regex)/s";
+ }
+
$textarr = preg_split( $regex, $text, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY );
foreach ( $textarr as &$curl ) {
@@ -253,7 +269,7 @@
continue;
- } elseif ( '[' === $first && 1 === preg_match( '/^' . $shortcode_regex . '$/', $curl ) ) {
+ } elseif ( $find_shortcodes && '[' === $first && 1 === preg_match( '/^' . $shortcode_regex . '$/', $curl ) ) {
// This is a shortcode delimiter.
if ( '[[' !== substr( $curl, 0, 2 ) && ']]' !== substr( $curl, -2 ) ) {
@@ -482,9 +498,9 @@
* @return string The filtered content.
*/
function shortcode_unautop( $pee ) {
- global $shortcode_tags;
+ global $shortcode_tags, $shortcode_enabled;
- if ( empty( $shortcode_tags ) || !is_array( $shortcode_tags ) ) {
+ if ( 'false' === $shortcode_enabled || empty( $shortcode_tags ) || !is_array( $shortcode_tags ) ) {
return $pee;
}
@@ -491,6 +507,12 @@
$tagregexp = join( '|', array_map( 'preg_quote', array_keys( $shortcode_tags ) ) );
$spaces = wp_spaces_regexp();
+ if ( 'restricted' === $shortcode_enabled ) {
+ $html = '<>';
+ } else {
+ $html = '';
+ }
+
$pattern =
'/'
. '' // Opening paragraph
@@ -500,10 +522,10 @@
. "($tagregexp)" // 2: Shortcode name
. '(?![\\w-])' // Not followed by word character or hyphen
// Unroll the loop: Inside the opening shortcode tag
- . '[^\\]\\/]*' // Not a closing bracket or forward slash
+ . "[^\\]\\/$html]*" // Not a closing bracket or forward slash
. '(?:'
. '\\/(?!\\])' // A forward slash not followed by a closing bracket
- . '[^\\]\\/]*' // Not a closing bracket or forward slash
+ . "[^\\]\\/$html]*" // Not a closing bracket or forward slash
. ')*?'
. '(?:'
. '\\/\\]' // Self closing tag and closing bracket
Index: src/wp-includes/general-template.php
===================================================================
--- src/wp-includes/general-template.php (revision 29789)
+++ src/wp-includes/general-template.php (working copy)
@@ -1129,7 +1129,9 @@
* @return string HTML link content for archive.
*/
function get_archives_link($url, $text, $format = 'html', $before = '', $after = '') {
+ disable_shortcodes();
$text = wptexturize($text);
+ enable_shortcodes();
$url = esc_url($url);
if ('link' == $format)
Index: src/wp-includes/media.php
===================================================================
--- src/wp-includes/media.php (revision 29789)
+++ src/wp-includes/media.php (working copy)
@@ -1072,10 +1072,12 @@
$image_output
";
if ( $captiontag && trim($attachment->post_excerpt) ) {
+ disable_shortcodes();
$output .= "
<{$captiontag} class='wp-caption-text gallery-caption'>
" . wptexturize($attachment->post_excerpt) . "
";
+ enable_shortcodes();
}
$output .= "";
if ( ! $html5 && $columns > 0 && ++$i % $columns == 0 ) {
Index: src/wp-includes/shortcodes.php
===================================================================
--- src/wp-includes/shortcodes.php (revision 29789)
+++ src/wp-includes/shortcodes.php (working copy)
@@ -44,6 +44,22 @@
$shortcode_tags = array();
/**
+ * The status of the Shortcode API, which may need to be known in related functions.
+ *
+ * Values:
+ * 'true' - Full shortcode support.
+ * 'restricted' - Shortcodes that contain special characters will be ignored.
+ * 'false' - All shortcode features are disabled.
+ *
+ * @since 4.1.0
+ *
+ * @name $shortcode_enabled
+ * @var string
+ * @global string $shortcode_enabled
+ */
+$shortcode_enabled = 'true';
+
+/**
* Add hook for shortcode tag.
*
* There can only be one hook for each shortcode. Which means that if another
@@ -191,9 +207,9 @@
* @return string Content with shortcodes filtered out.
*/
function do_shortcode($content) {
- global $shortcode_tags;
+ global $shortcode_tags, $shortcode_enabled;
- if ( false === strpos( $content, '[' ) ) {
+ if ( 'false' === $shortcode_enabled || false === strpos( $content, '[' ) ) {
return $content;
}
@@ -226,9 +242,15 @@
* @return string The shortcode search regular expression
*/
function get_shortcode_regex() {
- global $shortcode_tags;
+ global $shortcode_tags, $shortcode_enabled;
$tagnames = array_keys($shortcode_tags);
$tagregexp = join( '|', array_map('preg_quote', $tagnames) );
+
+ if ( 'restricted' === $shortcode_enabled ) {
+ $html = '<>';
+ } else {
+ $html = '';
+ }
// WARNING! Do not change this regex without changing do_shortcode_tag() and strip_shortcode_tag()
// Also, see shortcode_unautop() and shortcode.js.
@@ -238,10 +260,10 @@
. "($tagregexp)" // 2: Shortcode name
. '(?![\\w-])' // Not followed by word character or hyphen
. '(' // 3: Unroll the loop: Inside the opening shortcode tag
- . '[^\\]\\/]*' // Not a closing bracket or forward slash
+ . "[^\\]\\/$html]*" // Not a closing bracket or forward slash
. '(?:'
. '\\/(?!\\])' // A forward slash not followed by a closing bracket
- . '[^\\]\\/]*' // Not a closing bracket or forward slash
+ . "[^\\]\\/$html]*" // Not a closing bracket or forward slash
. ')*?'
. ')'
. '(?:'
@@ -384,9 +406,9 @@
* @return string Content without shortcode tags.
*/
function strip_shortcodes( $content ) {
- global $shortcode_tags;
+ global $shortcode_tags, $shortcode_enabled;
- if ( false === strpos( $content, '[' ) ) {
+ if ( 'false' === $shortcode_enabled || false === strpos( $content, '[' ) ) {
return $content;
}
@@ -407,4 +429,46 @@
return $m[1] . $m[6];
}
+/**
+ * Enable the Shortcode API
+ *
+ * @since 4.1.0
+ *
+ * @param string $filter_arg Allows this function to get hooked to a filter.
+ * @return string The first param will be returned.
+ */
+function enable_shortcodes( $filter_arg = '' ) {
+ global $shortcode_enabled;
+ $shortcode_enabled = 'true';
+ return $filter_arg;
+}
+
+/**
+ * Restrict the Shortcode API from parsing shortcodes that contain HTML.
+ *
+ * @since 4.1.0
+ *
+ * @param string $filter_arg Allows this function to get hooked to a filter.
+ * @return string The first param will be returned.
+ */
+function restrict_shortcodes( $filter_arg = '' ) {
+ global $shortcode_enabled;
+ $shortcode_enabled = 'restricted';
+ return $filter_arg;
+}
+
+/**
+ * Disable the Shortcode API
+ *
+ * @since 4.1.0
+ *
+ * @param string $filter_arg Allows this function to get hooked to a filter.
+ * @return string The first param will be returned.
+ */
+function disable_shortcodes( $filter_arg = '' ) {
+ global $shortcode_enabled;
+ $shortcode_enabled = 'false';
+ return $filter_arg;
+}
+
add_filter('the_content', 'do_shortcode', 11); // AFTER wpautop()