Make WordPress Core

Changes between Version 2 and Version 3 of Ticket #33102, comment 42


Ignore:
Timestamp:
08/20/2015 03:16:26 AM (9 years ago)
Author:
miyarakira
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #33102, comment 42

    v2 v3  
    3333I understand this is to prevent malicious use of the shortcode syntax. As you suggested, there could be a less drastic way, by '''allowing trusted users to continue using shortcodes in HTML attributes'''. I imagine it can be allowed inside posts whose author has sufficient capability. The same goes for nested shortcodes, and if do_shortcode() is used inside PHP templates, well, if they can run PHP then they already have sufficient privileges, so it should be safe to allow the use of shortcodes inside HTML attributes. (Edit: ..unless untrusted content is put through do_shortcode..hmm..)
    3434
    35 The question is, how will `do_shortcode()` determine if the content came from an untrusted user with insufficient privileges. It seems to me that this is the only context when it's necessary to prevent this shortcode use case.
     35The question is, how can `do_shortcode()` determine if the content came from an untrusted user with insufficient privileges. It seems to me that this is the only context when it's necessary to prevent this shortcode use case.