Shortcode I/O Intolerant of "]", "<", Quotes, etc.
|Reported by:||miqrogroove||Owned by:||miqrogroove|
Description (last modified by miqrogroove)
There are no shortcode input escaping functions available in core even though the Shortcode API is increasingly strict about not allowing special characters inside shortcode attributes.
Common problems for plugin developers include user input containing square braces. This was even a core bug prior to 3.4 where a caption shortcode would be transformed by the Visual Editor from:
[caption id="attachment_3" align="alignnone" width="300" caption="[Test Caption]"]
... to ...
[caption id="attachment_3" align="alignnone" width="300" caption="[Test Caption"]"]
As of 4.2.2, that same shortcode is transformed to:
[caption id="attachment_7" align="alignnone" width="300"]"]
Other common problems include usage of HTML-special characters for quotations or comparison operators that would need to appear in the attribute value.
Change History (47)
comment:10 @obenland — 3 months ago
- Keywords 4.2-early removed
- Milestone changed from Future Release to 4.3
comment:11 @miqrogroove — 2 months ago
- Keywords changed from needs-patch, needs-unit-tests to needs-patch needs-unit-tests
- Priority changed from normal to high
- Summary changed from Caption Shortcode I/O Intolerant of "]" Char to Shortcode I/O Intolerant of "]", "<", Quotes, etc.
comment:34 @thatguy334233 — 12 days ago
- Keywords 2nd-opinion added
- Severity changed from normal to blocker
comment:37 @pento — 12 days ago
- Keywords 2nd-opinion removed
- Priority changed from high to normal
- Severity changed from blocker to normal