Make WordPress Core

Opened 5 years ago

Last modified 6 weeks ago

#15694 assigned defect (bug)

Shortcode I/O Intolerant of "]", "<", Quotes, etc.

Reported by: miqrogroove Owned by: miqrogroove
Milestone: 4.3 Priority: high
Severity: normal Version: 3.0.1
Component: Shortcodes Keywords: needs-patch needs-unit-tests
Focuses: javascript Cc:

Description (last modified by miqrogroove)

There are no shortcode input escaping functions available in core even though the Shortcode API is increasingly strict about not allowing special characters inside shortcode attributes.

Common problems for plugin developers include user input containing square braces. This was even a core bug prior to 3.4 where a caption shortcode would be transformed by the Visual Editor from:

[caption id="attachment_3" align="alignnone" width="300" caption="[Test Caption]"]

... to ...

[caption id="attachment_3" align="alignnone" width="300" caption="[Test Caption"]"]

As of 4.2.2, that same shortcode is transformed to:

[caption id="attachment_7" align="alignnone" width="300"]"]

Other common problems include usage of HTML-special characters for quotations or comparison operators that would need to appear in the attribute value.

Attachments (1)

shortcode-prototypes.php (635 bytes) - added by miqrogroove 7 weeks ago.

Download all attachments as: .zip

Change History (16)

comment:1 @nacin5 years ago

  • Milestone changed from Awaiting Review to Future Release

comment:2 @solarissmoke4 years ago

The problem is with the regex in get_shortcode_regex() which assumes that the first ] it comes across is the end of a shortcode tag, and it ignores the rest, thus breaking things.

For now I've added a note in the codex saying that the parser can't handle square brackets in attributes. Can't think of a way to fix this without making the regex a whole lot more complicated.

comment:4 @hidgw3 years ago

  • Cc hidgw added

comment:5 @azaozz3 years ago

The shortcodes work similarly to HTML with [ and ] being the equivalent of < and >. In that terms shortcodes cannot contain square brackets the same way HTML tags cannot contain "less than" and "greater than" chars. If they must be used, they need to be encoded/replaced with entities.

comment:6 @ircbot13 months ago

This ticket was mentioned in IRC in #wordpress-dev by miqrogroove. View the logs.

comment:7 @ircbot13 months ago

This ticket was mentioned in IRC in #wordpress-dev by miqrogroove. View the logs.

comment:8 @miqrogroove8 months ago

  • Keywords needs-patch needs-unit-tests 4.2-early added

We need to fix this soon and add appropriate escape/unescape functions to the API. Consider it at the top of my to do list.

comment:9 @obenland2 months ago

  • Owner set to miqrogroove
  • Status changed from new to assigned

comment:10 @obenland2 months ago

  • Keywords 4.2-early removed
  • Milestone changed from Future Release to 4.3

comment:11 @miqrogroove6 weeks ago

  • Focuses javascript added
  • Keywords changed from needs-patch, needs-unit-tests to needs-patch needs-unit-tests
  • Priority changed from normal to high
  • Summary changed from Caption Shortcode I/O Intolerant of "]" Char to Shortcode I/O Intolerant of "]", "<", Quotes, etc.

comment:12 @miqrogroove6 weeks ago

#29608 was marked as a duplicate.

comment:13 @miqrogroove6 weeks ago

#31471 was marked as a duplicate.

comment:14 @miqrogroove6 weeks ago

Did some research on this today. The original ticket description is obsolete because as of https://codex.wordpress.org/Version_3.4 there are no longer any user inputs in the default shortcode attribute values.

Since this issue does not affect the core shortcodes, this has become purely an API problem for plugin developers.

comment:15 @miqrogroove6 weeks ago

  • Description modified (diff)
Note: See TracTickets for help on using tickets.