Opened 10 years ago
Closed 10 years ago
#31471 closed enhancement (duplicate)
shortcode_parse_atts has no escape sequence to handle literal quotes within values
Reported by:
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.5
Component: Shortcodes
Keywords: close
Focuses:
Cc:
Description
The code uses stripcslashes() on the values already, so making backslash the escape sequence should produce the same output, unless there is an odd number of backslashes at the end of a quoted value.
Changing the pattern as below means one could use attributes like title="<a href=\"/foo/\">Bar</a>" instead of getting parse errors on title="<a href="/foo/">Bar</a>". (Yes, all those backslashes are right.)
$pattern = '/(\w+)\s*=\s*"([^\\\\"]*(?:\\\\.[^\\\\"]*)*)"(?:\s|$)|(\w+)\s*=\s*\'([^\\\\\']*(?:\\\\.[^\\\\\']*)*)\'(?:\s|$)|(\w+)\s*=\s*([^\s\'"]+)(?:\s|$)|"([^\\\\"]*(?:\\\\.[^\\\\"]*)*)"(?:\s|$)|(\S+)(?:\s|$)/';
Also, the visual mode of the content editor enforces double-quotes on HTML, so using attributes like this: title="<a href='/foo/'>Bar</a>" as a workaround can be unwittingly destroyed by later edits.
Change History (6)
This ticket was mentioned in Slack in #core by jorbin. (10 years ago)
#4 @ 10 years ago
- Keywords close added
Shortcodes "live" in the same context as HTML and *should* follow the same rules. It is a bad idea to store raw HTML in shortcode attributes. I know it kind of works currently but we should be removing it rather than trying to fix it and make the regex even slower and buggier.
#5 @ 10 years ago
- Type changed from defect (bug) to enhancement
Please see the specification at https://codex.wordpress.org/Shortcode_API#Attributes
Quotes are not allowed inside attributes. This is not a bug. We have a ticket for escaping data already at #15694.
An alternative sequence is the good ol' doubling of quotes, which may be more backwards-compatible since the current pattern just matches such input as a single attr/value string, rather than a pair.
This would allow escaping of input like so: title="<a href=""/foo/"">Bar</a>". The doubled quotes would have to be removed from the input after stripcslashes(), but that's a simple str_replace('""', '"', ...) or str_replace("''", "'", ...) depending on which quote style was matched.
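The following is an added example, not code from the ticket or from WordPress core. It is a stand-alone attribute parser modelled on the structure of shortcode_parse_atts() of that era (the group layout and the plain `[^"]*` core pattern are assumed from memory, not quoted from the project), with the PCRE pattern and the unescape step passed in so the three scenarios discussed above can be run side by side: the core pattern, the backslash-escape pattern from the description (copied verbatim), and the doubled-quote alternative from the last comment, for which PATTERN_DOUBLED is my own construction. The trailing-backslash inputs exercise the "odd number of backslashes at the end of a quoted value" caveat the description mentions.

```php
<?php
// Added example, not WordPress core code. Assumed core-era pattern: a quoted value may
// not contain its own quote character at all.
const PATTERN_CURRENT = '/(\w+)\s*=\s*"([^"]*)"(?:\s|$)|(\w+)\s*=\s*\'([^\']*)\'(?:\s|$)|(\w+)\s*=\s*([^\s\'"]+)(?:\s|$)|"([^"]*)"(?:\s|$)|(\S+)(?:\s|$)/';

// Pattern proposed in the ticket description, verbatim: a backslash escapes the next
// character inside a quoted value; stripcslashes() then removes the backslash.
const PATTERN_BACKSLASH = '/(\w+)\s*=\s*"([^\\\\"]*(?:\\\\.[^\\\\"]*)*)"(?:\s|$)|(\w+)\s*=\s*\'([^\\\\\']*(?:\\\\.[^\\\\\']*)*)\'(?:\s|$)|(\w+)\s*=\s*([^\s\'"]+)(?:\s|$)|"([^\\\\"]*(?:\\\\.[^\\\\"]*)*)"(?:\s|$)|(\S+)(?:\s|$)/';

// My construction of the doubled-quote alternative: "" inside a double-quoted value and
// '' inside a single-quoted value each stand for one literal quote.
const PATTERN_DOUBLED = '/(\w+)\s*=\s*"((?:[^"]|"")*)"(?:\s|$)|(\w+)\s*=\s*\'((?:[^\']|\'\')*)\'(?:\s|$)|(\w+)\s*=\s*([^\s\'"]+)(?:\s|$)|"((?:[^"]|"")*)"(?:\s|$)|(\S+)(?:\s|$)/';

// Undo the escaping on a quoted value. stripcslashes() is what core already applies; the
// str_replace() is only needed for the doubled-quote scheme and runs afterwards, as the
// last comment suggests.
function unescape_value($value, $quote, $doubled)
{
    $value = stripcslashes($value);
    if ($doubled) {
        $value = str_replace($quote . $quote, $quote, $value);
    }
    return $value;
}

// Group layout (assumed to match core): 1/2 name="value", 3/4 name='value', 5/6 name=bare,
// 7 positional "value", 8 positional bare. With PREG_SET_ORDER, preg_match_all() omits
// trailing groups that did not participate, hence the isset() checks.
function parse_atts($text, $pattern, $doubled = false)
{
    $atts = array();
    if (!preg_match_all($pattern, $text, $matches, PREG_SET_ORDER)) {
        return ltrim($text);
    }
    foreach ($matches as $m) {
        if (!empty($m[1])) {
            $atts[strtolower($m[1])] = unescape_value($m[2], '"', $doubled);
        } elseif (!empty($m[3])) {
            $atts[strtolower($m[3])] = unescape_value($m[4], "'", $doubled);
        } elseif (!empty($m[5])) {
            $atts[strtolower($m[5])] = stripcslashes($m[6]);
        } elseif (isset($m[7]) && strlen($m[7])) {
            $atts[] = unescape_value($m[7], '"', $doubled);
        } elseif (isset($m[8])) {
            $atts[] = stripcslashes($m[8]);
        }
    }
    return $atts;
}

// Constructed inputs. PHP single-quoted literals keep \" as two characters, so the
// backslash cases reach the parser exactly as an author would type them into a post.
function demo()
{
    $unescaped = 'title="<a href="/foo/">Bar</a>"';    // inner quote ends the value early
    $backslash = 'title="<a href=\"/foo/\">Bar</a>"';  // description's proposal
    $doubled   = 'title="<a href=""/foo/"">Bar</a>"';  // last comment's alternative
    $single    = 'title="<a href=\'/foo/\'>Bar</a>"';  // workaround the visual editor may rewrite
    $trailing  = 'path="C:\" id=5';                    // odd trailing backslash
    $escapedbs = 'path="C:\\\\" id=5';                 // the same path with the backslash doubled

    return array(
        // Core: a literal inner quote makes the first branch fail, so the text falls through
        // to the positional (\S+) branch and "title" never appears as a key.
        'core, unescaped'            => parse_atts($unescaped, PATTERN_CURRENT),
        'core, single-quoted href'   => parse_atts($single, PATTERN_CURRENT),
        // Core keeps a lone trailing backslash: stripcslashes() leaves a final "\" alone.
        'core, trailing backslash'   => parse_atts($trailing, PATTERN_CURRENT),
        // Proposed pattern: \" is consumed by the \\. branch and stripcslashes() unescapes it.
        'backslash, escaped href'    => parse_atts($backslash, PATTERN_BACKSLASH),
        // Now the lone trailing backslash escapes the closing quote, the value never
        // terminates, and the attribute degrades to a positional one; "C:\\" is needed.
        'backslash, trailing'        => parse_atts($trailing, PATTERN_BACKSLASH),
        'backslash, doubled trailing'=> parse_atts($escapedbs, PATTERN_BACKSLASH),
        // Doubled quotes: matched as a pair, then "" collapsed to " after stripcslashes().
        'doubled, escaped href'      => parse_atts($doubled, PATTERN_DOUBLED, true),
    );
}

foreach (demo() as $label => $atts) {
    echo $label, ': ', var_export($atts, true), "\n";
}
```

Whichever escape scheme is chosen, the parser only decides where a value ends; it does nothing to make a value such as `<a href="/foo/">` safe to emit, which is the point comment #4 makes against storing raw HTML in attributes at all.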