Make WordPress Core

Changes between Version 1 and Version 2 of Ticket #33102, comment 42


Timestamp: 08/20/2015 03:15:45 AM
Author: miyarakira

  • Ticket #33102, comment 42

    v1  v2
    31  31      }}}
    32  32
    33      (removed)  I understand this is to prevent malicious use of the shortcode syntax. As you suggested, there could be a less drastic way, by '''allowing trusted users to continue using shortcodes in HTML attributes'''. I imagine it can be allowed inside posts whose author has sufficient capability. The same goes for nested shortcodes, and if do_shortcode() is used inside PHP templates, well, if they can run PHP then they already have sufficient privileges, so it should be safe to allow the use of shortcodes inside HTML attributes. (..unless untrusted content is put through do_shortcode..hmm..)
        33  (added)    I understand this is to prevent malicious use of the shortcode syntax. As you suggested, there could be a less drastic way, by '''allowing trusted users to continue using shortcodes in HTML attributes'''. I imagine it can be allowed inside posts whose author has sufficient capability. The same goes for nested shortcodes, and if do_shortcode() is used inside PHP templates, well, if they can run PHP then they already have sufficient privileges, so it should be safe to allow the use of shortcodes inside HTML attributes. (Edit: ..unless untrusted content is put through do_shortcode..hmm..)
    34  34
    35  35      The question is, how will `do_shortcode()` determine if the content came from an untrusted user with insufficient privileges. It seems to me that this is the only context when it's necessary to prevent this shortcode use case.