
Opened 3 years ago

Closed 2 years ago

#31471 closed enhancement (duplicate)

shortcode_parse_atts has no escape sequence to handle literal quotes within values

Reported by: maximinime
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.5
Component: Shortcodes
Keywords: close
Focuses:
Cc:

Description

The code uses stripcslashes() on the values already, so making backslash the escape sequence should produce the same output, unless there is an odd number of backslashes at the end of a quoted value.

Changing the pattern as below means one could use attributes like title="<a href=\"/foo/\">Bar</a>" instead of getting parse errors on title="<a href="/foo/">Bar</a>". (Yes, all those backslashes are right.)

$pattern = '/(\w+)\s*=\s*"([^\\\\"]*(?:\\\\.[^\\\\"]*)*)"(?:\s|$)|(\w+)\s*=\s*\'([^\\\\\']*(?:\\\\.[^\\\\\']*)*)\'(?:\s|$)|(\w+)\s*=\s*([^\s\'"]+)(?:\s|$)|"([^\\\\"]*(?:\\\\.[^\\\\"]*)*)"(?:\s|$)|(\S+)(?:\s|$)/';

Also, the visual mode of the content editor enforces double-quotes on HTML, so using attributes like this title="<a href='/foo/'>Bar</a>" as a workaround can be unwittingly destroyed by later edits.
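As an added example (not code from the ticket or from WordPress core), the PHP below runs the stock attribute pattern of that era and the backslash-escape pattern proposed in the description over the two title="..." inputs discussed above. The stock pattern, the parse loop and the helper name parse_atts_with() are reconstructions and assumptions of mine; check them against wp-includes/shortcodes.php.

```php
<?php
// Added example, not from the ticket or WordPress core. The stock pattern and the
// parse loop below are reconstructed from shortcode_parse_atts() as it stood around
// this ticket (assumption: verify against wp-includes/shortcodes.php before relying on them).

// Stock pattern: a double-quoted value stops at the first '"', so a quote inside
// the value ends the match early and the remainder is picked up as positional attrs.
$stock_pattern = '/(\w+)\s*=\s*"([^"]*)"(?:\s|$)|(\w+)\s*=\s*\'([^\']*)\'(?:\s|$)|(\w+)\s*=\s*([^\s\'"]+)(?:\s|$)|"([^"]*)"(?:\s|$)|(\S+)(?:\s|$)/';

// Reporter's pattern from the description: inside quotes, a backslash plus the next
// character is consumed as a pair, so an escaped quote no longer terminates the value.
$escape_pattern = '/(\w+)\s*=\s*"([^\\\\"]*(?:\\\\.[^\\\\"]*)*)"(?:\s|$)|(\w+)\s*=\s*\'([^\\\\\']*(?:\\\\.[^\\\\\']*)*)\'(?:\s|$)|(\w+)\s*=\s*([^\s\'"]+)(?:\s|$)|"([^\\\\"]*(?:\\\\.[^\\\\"]*)*)"(?:\s|$)|(\S+)(?:\s|$)/';

// Mirrors the core parse loop: groups 1/3/5 carry the attribute name, 2/4/6 the
// value, 7/8 are positional; every value goes through stripcslashes(), which is
// what turns the \" sequences of the escaped form back into plain quotes.
function parse_atts_with(string $pattern, string $text): array {
    $atts = array();
    if (preg_match_all($pattern, $text, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            if (!empty($m[1])) {
                $atts[strtolower($m[1])] = stripcslashes($m[2]); // name="value"
            } elseif (!empty($m[3])) {
                $atts[strtolower($m[3])] = stripcslashes($m[4]); // name='value'
            } elseif (!empty($m[5])) {
                $atts[strtolower($m[5])] = stripcslashes($m[6]); // name=value
            } elseif (isset($m[7]) && strlen($m[7])) {
                $atts[] = stripcslashes($m[7]);                  // "positional"
            } elseif (isset($m[8])) {
                $atts[] = stripcslashes($m[8]);                  // positional
            }
        }
    }
    return $atts;
}

// Constructed inputs: the failing form from the description and its escaped form.
$raw_input     = 'title="<a href="/foo/">Bar</a>"';
$escaped_input = 'title="<a href=\"/foo/\">Bar</a>"';

foreach (array('stock' => $stock_pattern, 'escape' => $escape_pattern) as $name => $pattern) {
    foreach (array($raw_input, $escaped_input) as $input) {
        printf("%-6s %-36s => %s\n", $name, $input, json_encode(parse_atts_with($pattern, $input)));
    }
}
```

Only the escape pattern on the escaped input yields a single "title" key (value `<a href="/foo/">Bar</a>` after stripcslashes()); the other three runs split the text into two positional attributes and produce no "title" key at all, which is the parse failure the description refers to.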

Change History (6)

#1 @maximinime
3 years ago

An alternative sequence is the good ol' doubling of quotes, which may be more backwards-compatible since the current pattern just matches such input as a single attr/value string, rather than a pair.

$pattern = '/(\w+)\s*=\s*"([^"]*(?:""[^"]*)*)"(?:\s|$)|(\w+)\s*=\s*\'([^\']*(?:\'\'[^\']*)*)\'(?:\s|$)|(\w+)\s*=\s*([^\s\'"]+)(?:\s|$)|"([^"]*(?:""[^"]*)*)"(?:\s|$)|(\S+)(?:\s|$)/';

This would allow escaping of input like so: title="<a href=""/foo/"">Bar</a>". The doubled quotes would have to be removed from the input after stripcslashes(), but that's a simple str_replace('""', '"', ...) or str_replace("''", "'", ...) depending on which quote style was matched.

#2 @DrewAPicture
3 years ago

  • Version changed from trunk to 2.5

This ticket was mentioned in Slack in #core by jorbin.
3 years ago

#4 @azaozz
3 years ago

  • Keywords close added

Shortcodes "live" in the same context as HTML and *should* follow the same rules. It is a bad idea to store raw HTML in shortcode attributes. I know it kind of works currently but we should be removing it rather than trying to fix it and make the regex even slower and buggier.

#5 @miqrogroove
3 years ago

  • Type changed from defect (bug) to enhancement

Please see the specification at https://codex.wordpress.org/Shortcode_API#Attributes

Quotes are not allowed inside attributes. This is not a bug. We have a ticket for escaping data already at #15694.

#6 @miqrogroove
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #15694.

I have updated the Summary on the other ticket to indicate quotes as part of that issue.
