Make WordPress Core

Opened 11 years ago

Last modified 6 years ago

#15694 closed defect (bug)

Shortcode I/O Intolerant of "]", "<", Quotes, etc. — at Version 15

Reported by: miqrogroove
Owned by: miqrogroove
Milestone:
Priority: normal
Severity: normal
Version: 3.0.1
Component: Shortcodes
Keywords:
Focuses:
Cc:

Description (last modified by miqrogroove)

There are no shortcode input escaping functions available in core even though the Shortcode API is increasingly strict about not allowing special characters inside shortcode attributes.

Common problems for plugin developers include user input containing square braces. This was even a core bug prior to 3.4 where a caption shortcode would be transformed by the Visual Editor from:

[caption id="attachment_3" align="alignnone" width="300" caption="[Test Caption]"]

... to ...

[caption id="attachment_3" align="alignnone" width="300" caption="[Test Caption"]"]

As of 4.2.2, that same shortcode is transformed to:

[caption id="attachment_7" align="alignnone" width="300"]"]

Other common problems include usage of HTML-special characters for quotations or comparison operators that would need to appear in the attribute value.

Change History (16)

#1 @nacin
11 years ago

  • Milestone changed from Awaiting Review to Future Release

#2 @solarissmoke
11 years ago

The problem is with the regex in get_shortcode_regex() which assumes that the first ] it comes across is the end of a shortcode tag, and it ignores the rest, thus breaking things.

For now I've added a note in the codex saying that the parser can't handle square brackets in attributes. Can't think of a way to fix this without making the regex a whole lot more complicated.

#4 @hidgw
10 years ago

  • Cc hidgw added

#5 @azaozz
10 years ago

The shortcodes work similarly to HTML with [ and ] being the equivalent of < and >. In those terms shortcodes cannot contain square brackets the same way HTML tags cannot contain "less than" and "greater than" chars. If they must be used, they need to be encoded/replaced with entities.
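Added example, not WordPress core code and not posted by any commenter: a simplified stand-in for the first-"]" regex behaviour described in comment #2, beside the entity-encoding approach from comment #5 applied through a plugin-side helper; parse_first_shortcode(), esc_shortcode_attr() and unesc_shortcode_attr() are hypothetical names, not core functions.

```php
<?php
// Simplified stand-in for get_shortcode_regex(): like the core regex described
// in comment #2, the attribute blob ends at the first ']' it encounters.
function parse_first_shortcode( $content ) {
    if ( ! preg_match( '/\[(\w+)([^\]]*)\]/', $content, $m ) ) {
        return null;
    }
    // Pull out double-quoted name="value" pairs from the attribute blob.
    preg_match_all( '/(\w+)="([^"]*)"/', $m[2], $attrs, PREG_SET_ORDER );
    $out = array();
    foreach ( $attrs as $a ) {
        $out[ $a[1] ] = $a[2];
    }
    return array( 'tag' => $m[1], 'atts' => $out );
}

// Escape untrusted text before placing it inside a shortcode attribute value:
// brackets, angle brackets, quotes and '&' become HTML entities, so the value
// can no longer terminate the tag or the attribute (hypothetical helper).
function esc_shortcode_attr( $text ) {
    return strtr( $text, array(
        '&' => '&amp;', '[' => '&#91;', ']' => '&#93;',
        '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;',
    ) );
}

// Reverse the escaping inside the shortcode handler (hypothetical helper).
function unesc_shortcode_attr( $text ) {
    return html_entity_decode( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Constructed sample input containing every character the ticket lists as a problem.
$user_input = '[Test Caption] <b>"x"</b>';

// Unescaped: the parser stops at the ']' inside the value, the closing quote is
// never seen, and the caption attribute is dropped from the parsed result.
$raw    = '[caption id="attachment_3" caption="' . $user_input . '"]';
$parsed = parse_first_shortcode( $raw );
var_dump( isset( $parsed['atts']['caption'] ) );

// Escaped: no ']' or '"' remains inside the value, so the attribute survives
// parsing and decodes back to exactly the original input.
$safe   = '[caption id="attachment_3" caption="' . esc_shortcode_attr( $user_input ) . '"]';
$parsed = parse_first_shortcode( $safe );
var_dump( unesc_shortcode_attr( $parsed['atts']['caption'] ) === $user_input );
```

The same escaping must be applied on the editor side before the shortcode text is generated, since once the unescaped value has been written into post content the parser can no longer tell where the attribute was meant to end.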

This ticket was mentioned in IRC in #wordpress-dev by miqrogroove. View the logs.

7 years ago

This ticket was mentioned in IRC in #wordpress-dev by miqrogroove. View the logs.

7 years ago

#8 @miqrogroove
7 years ago

  • Keywords needs-patch needs-unit-tests 4.2-early added

We need to fix this soon and add appropriate escape/unescape functions to the API. Consider it at the top of my to do list.

#9 @obenland
7 years ago

  • Owner set to miqrogroove
  • Status changed from new to assigned

#10 @obenland
7 years ago

  • Keywords 4.2-early removed
  • Milestone changed from Future Release to 4.3

#11 @miqrogroove
7 years ago

  • Focuses javascript added
  • Keywords changed from needs-patch, needs-unit-tests to needs-patch needs-unit-tests
  • Priority changed from normal to high
  • Summary changed from Caption Shortcode I/O Intolerant of "]" Char to Shortcode I/O Intolerant of "]", "<", Quotes, etc.

#12 @miqrogroove
7 years ago

#29608 was marked as a duplicate.

#13 @miqrogroove
7 years ago

#31471 was marked as a duplicate.

#14 @miqrogroove
7 years ago

Did some research on this today. The original ticket description is obsolete because as of https://codex.wordpress.org/Version_3.4 there are no longer any user inputs in the default shortcode attribute values.

Since this issue does not affect the core shortcodes, this has become purely an API problem for plugin developers.

#15 @miqrogroove
7 years ago

  • Description modified (diff)