Opened 11 years ago
Last modified 10 days ago
#26649 reopened defect (bug)
escaped shortcodes should not be expanded during 'get_the_excerpt'
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Future Release | Priority: | normal |
| Severity: | normal | Version: | 3.7.1 |
| Component: | Shortcodes | Keywords: | has-patch good-first-bug has-unit-tests |
| Focuses: | Cc: |
Description
It is possible for "the_content" filter to be invoked while processing "get_the_excerpt".
If the do_shortcodes() filter hook is attached to both "the_content" and "get_the_excerpt" then this can lead to an unexpected expansion of an escaped shortcode.
This can lead to unwanted side effects, as reported here.
http://www.oik-plugins.com/2013/12/escaped-shortcodes-unexpectedly-expanded-get_the_excerpt/
This minor problem can be alleviated by a simple change to strip_shortcode_tag(), returning the HTML code [ as the first character rather than the left square bracket.
function strip_shortcode_tag( $m ) {
// allow [[foo]] syntax for escaping a tag
if ( $m[1] == '[' && $m[6] == ']' ) {
return "[" . substr($m[0], 2, -1) ;
}
return $m[1] . $m[6];
}
I don't believe that it's necessary to make the same change in do_shortcode_tag().
Attachments (1)
Change History (15)
#1
@
11 years ago
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
Duplicate of #19927.
#2
follow-up:
↓ 3
@
11 years ago
- Resolution duplicate deleted
- Status changed from closed to reopened
Hi Sergey. Thanks for finding 19927 for me. I wondered why my patch had two changes.
The change in 19927 is for do_shortcode_tag()
The second part of the change, in 26649, is for strip_shortcode_tag().
The problem is not exactly a duplicate as the fix for 26649 handles the situation where shortcodes are being removed.
The patch for 26649 will work for 19927 but not vice-versa.
How should this be addressed?
#3
in reply to:
↑ 2
@
11 years ago
- Milestone set to Awaiting Review
Replying to bobbingwide:
The patch for 26649 will work for 19927 but not vice-versa.
I see, thanks for the clarification. Let's close #19927 in favor if this ticket then.
#7
@
2 weeks ago
I tend to agree that simply encoding the shortcode as text makes sense, as that's what the string is after strip_shortcodes() has run.
I would not expect the encoded shortcode to be completely removed, nor would I expect it to be escaped still, so encoding it such that do_shortcode( strip_shortcode( '[[example]]' ) ) doesn't execute the example shortcode makes sense to me.
#8
@
11 days ago
- Keywords has-patch needs-refresh good-first-bug added; needs-patch removed
- Milestone set to Future Release
This ticket was mentioned in PR #8221 on WordPress/wordpress-develop by @sukhendu2002.
11 days ago
#9
- Keywords needs-refresh removed
Trac ticket: https://core.trac.wordpress.org/ticket/26649
This ticket was mentioned in Slack in #core by michaelwp85. View the logs.
10 days ago
This ticket was mentioned in PR #8231 on WordPress/wordpress-develop by @michaelwp85.
10 days ago
#12
- Keywords has-unit-tests added; needs-unit-tests needs-refresh removed
Converts escaped shortcodes [[example]] into [example] to prevent do_shortcode from ever executing the shortcode.
Trac ticket: https://core.trac.wordpress.org/ticket/26649
#13
@
10 days ago
I've created a pull request with a fix and updated unit tests.
There is one scenario in which I revert the html entities back into brackets, this is when an escaped shortcode is used inside an attribute. Specifically for this test scenario: <div style="selector:url([[gallery]])">
If I do not revert the HTML entities will interfere with the processing of safecss_filter_attr stripping the code.
patch for 26649