Make WordPress Core

Changes between Initial Version and Version 15 of Ticket #15694

05/23/2015 10:12:36 PM (9 years ago)


  • Ticket #15694

    • Property Status changed from new to assigned
    • Property Focuses javascript added
    • Property Cc hidgw added
    • Property Summary changed from Caption Shortcode I/O Intolerant of "]" Char to Shortcode I/O Intolerant of "]", "<", Quotes, etc.
    • Property Priority changed from normal to high
    • Property Owner set to miqrogroove
    • Property Milestone changed from Awaiting Review to 4.3
    • Property Keywords needs-patch needs-unit-tests added
  • Ticket #15694 – Description

    Initial version:

    I've discovered that the "]" character can only be used in the media library itself.  If I try to insert an image into a post using a caption like "[Test Caption]" then the post editor inserts three double quotes into the HTML attribute, invalidating the page markup.  D:

    {{{
    [caption id="attachment_3" align="alignnone" width="300" caption="[Test Caption"]"]
    }}}

    In testing the output end of things, if I remove the extra double quote directly in MySQL, then the caption is not rendered at all on the post.  This suggests there is more than one error in the code that is causing this problem.  I was able to reproduce these symptoms on both versions I tested, 2.9.2 and 3.0.1.

    Version 15:

    There are no shortcode input escaping functions available in core even though the Shortcode API is increasingly strict about not allowing special characters inside shortcode attributes.

    Common problems for plugin developers include user input containing square braces.  This was even a core bug prior to 3.4 where a caption shortcode would be transformed by the Visual Editor from:

    {{{[caption id="attachment_3" align="alignnone" width="300" caption="[Test Caption]"]}}}

    ... to ...

    {{{[caption id="attachment_3" align="alignnone" width="300" caption="[Test Caption"]"]}}}

    As of 4.2.2, that same shortcode is transformed to:

    {{{[caption id="attachment_7" align="alignnone" width="300"]"]}}}

    Other common problems include usage of HTML-special characters for quotations or comparison operators that would need to appear in the attribute value.
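
An added example, not part of the ticket and not WordPress core code: a simplified JavaScript model of why a "]" inside an attribute value loses the caption, and how encoding the value before it enters the shortcode lets it round-trip. The naive matcher and the helpers `escapeShortcodeAttr` / `unescapeShortcodeAttr` are hypothetical names assumed for illustration; the sample shortcode is the one quoted in the ticket.

```javascript
// Simplified model (assumption): a tag ends at the first "]" after "[name".
// `name` is trusted here and is not regex-escaped.
function naiveMatchTag(text, name) {
  const m = new RegExp('\\[' + name + '\\b([^\\]]*)\\]').exec(text);
  return m ? m[0] : null;
}

// Collect key="value" pairs from a matched tag; unterminated values are skipped.
function parseAtts(tag) {
  const atts = {};
  const re = /(\w+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) atts[m[1]] = m[2];
  return atts;
}

// Hypothetical escaping helpers: characters that are special to the tag
// syntax or to HTML are stored as entities inside the attribute value.
const ENCODE = { '[': '&#91;', ']': '&#93;', '"': '&quot;', '<': '&lt;', '>': '&gt;', '&': '&amp;' };
const DECODE = Object.fromEntries(Object.entries(ENCODE).map(([k, v]) => [v, k]));

function escapeShortcodeAttr(value) {
  return String(value).replace(/[\[\]"<>&]/g, (c) => ENCODE[c]);
}

// Single pass, so an escaped "&amp;#91;" decodes to the literal text "&#91;".
function unescapeShortcodeAttr(value) {
  return String(value).replace(/&(?:#91|#93|quot|lt|gt|amp);/g, (e) => DECODE[e]);
}

function buildCaption(atts) {
  const body = Object.entries(atts)
    .map(([k, v]) => `${k}="${escapeShortcodeAttr(v)}"`)
    .join(' ');
  return `[caption ${body}]`;
}

// Build, match and parse a caption tag; report whether the whole tag was
// matched and what caption text comes back out.
function roundTrip(caption) {
  const tag = buildCaption({ id: 'attachment_3', align: 'alignnone', width: '300', caption });
  const matched = naiveMatchTag(tag, 'caption');
  return { complete: matched === tag, caption: unescapeShortcodeAttr(parseAtts(matched).caption) };
}
```

With the unescaped shortcode from the ticket, the matcher stops at the "]" inside the caption, so the `caption` attribute never closes and is dropped by the parser; with the encoded value the full tag is matched and the original text is recovered.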