Shortcode I/O Intolerant of "]", "<", Quotes, etc.
| Reported by: | miqrogroove | Owned by: | miqrogroove |
Description (last modified by miqrogroove)
There are no shortcode input escaping functions available in core even though the Shortcode API is increasingly strict about not allowing special characters inside shortcode attributes.
Common problems for plugin developers include user input containing square braces. This was even a core bug prior to 3.4 where a caption shortcode would be transformed by the Visual Editor from:
[caption id="attachment_3" align="alignnone" width="300" caption="[Test Caption]"]
... to ...
[caption id="attachment_3" align="alignnone" width="300" caption="[Test Caption"]"]
As of 4.2.2, that same shortcode is transformed to:
[caption id="attachment_7" align="alignnone" width="300"]"]
Other common problems include usage of HTML-special characters for quotations or comparison operators that would need to appear in the attribute value.
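The failure described in this ticket and one plugin-side workaround, as an added example (not WordPress core code and not from the ticket's author). The `example_*` function names are hypothetical, the sample caption is constructed, and the parser is a simplified stand-in that assumes a tag ends at the first "]"; it is not the Shortcode API's own regex.

```php
<?php
// Added illustration; not WordPress core code. All function names are hypothetical.

// Encode characters that act as shortcode or HTML syntax inside an attribute value.
function example_escape_shortcode_attr( string $value ): string {
    // Covers & < > " and ' in one pass.
    $value = htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' );
    // Square brackets are not HTML-special, so they need their own entities.
    return strtr( $value, array( '[' => '&#91;', ']' => '&#93;' ) );
}

// Reverse the encoding inside the shortcode handler, before using the value.
function example_unescape_shortcode_attr( string $value ): string {
    return html_entity_decode( $value, ENT_QUOTES, 'UTF-8' );
}

// Simplified stand-in parser (assumption): the tag ends at the first "]",
// and attributes are name="value" pairs with no quote inside the value.
function example_parse_shortcode( string $text ): ?array {
    if ( ! preg_match( '/\[(\w+)([^\]]*)\]/', $text, $tag ) ) {
        return null;
    }
    preg_match_all( '/(\w+)="([^"]*)"/', $tag[2], $pairs, PREG_SET_ORDER );
    $attrs = array();
    foreach ( $pairs as $pair ) {
        $attrs[ $pair[1] ] = $pair[2];
    }
    return array( 'tag' => $tag[1], 'attrs' => $attrs );
}

// Constructed sample input: a caption containing brackets, quotes and "<".
$caption = '[Test Caption] says "a < b"';

// Raw interpolation: the tag is cut at the first "]", so the caption attribute is lost.
$raw = example_parse_shortcode( '[caption id="attachment_3" caption="' . $caption . '"]' );
var_dump( isset( $raw['attrs']['caption'] ) );

// Escaped interpolation: the attribute survives parsing and decodes to the original.
$safe = example_parse_shortcode(
    '[caption id="attachment_3" caption="' . example_escape_shortcode_attr( $caption ) . '"]'
);
var_dump( example_unescape_shortcode_attr( $safe['attrs']['caption'] ) === $caption );
```

Once decoded in the handler, the value is untrusted user input again and has to be escaped for whatever context it is printed into.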
Change History (54)
2 years ago
- Keywords changed from needs-patch, needs-unit-tests to needs-patch needs-unit-tests
- Priority changed from normal to high
- Summary changed from Caption Shortcode I/O Intolerant of "]" Char to Shortcode I/O Intolerant of "]", "<", Quotes, etc.
- Keywords 2nd-opinion added
- Severity changed from normal to blocker
- Keywords 2nd-opinion removed
- Priority changed from high to normal
- Severity changed from blocker to normal
21 months ago
20 months ago
- Keywords close added; needs-patch needs-unit-tests removed
- Milestone changed from Future Release to Awaiting Review
- Severity changed from major to normal
20 months ago
- Milestone Awaiting Review deleted
- Resolution set to maybelater
- Status changed from assigned to closed