Make WordPress Core

Opened 8 years ago

Last modified 5 years ago

#34983 new defect (bug)

shortcodes not working in input fields

Reported by: mikelopez's profile mikelopez Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.4
Component: Shortcodes Keywords:
Focuses: Cc:


So here's the gist of it...

Won't work:
<input type="text" value="[shortcode]">

<input type="text" value=[shortcode]>

At first I thought it's because the shortcode is enclosed in quotes but apparently that's not the case as the both the following work just fine.

<a href="[shortcode]">
<a href=[shortcode]>

Narrowed down the issue to do_shortcodes_in_html_tags() where I found this:

if ( ( false === $single || $open < $single ) && ( false === $double || $open < $double ) ) {
	// $attr like '[shortcode]' or 'name = [shortcode]' implies unfiltered_html.
	// In this specific situation we assume KSES did not run because the input
	// was written by an administrator, so we should avoid changing the output
	// and we do not need to run KSES here.
	$attr = preg_replace_callback( "/$pattern/s", 'do_shortcode_tag', $attr );

What bothers me is the part where it says "assumes KSES did not run because the input was written by an administrator".

Why not really check if an admin did write the input, at least for posts?

Attached is a patch that I did which possibly needs improvement from the WP gods :)



Attachments (1)

wp-includes_shortcodes.php.patch (396 bytes) - added by mikelopez 8 years ago.

Download all attachments as: .zip

Change History (4)

#1 @kraftbj
8 years ago

Related/same as #34939 (not marking as a duplicate yet since it is a bit different and not sure how the devs want to tackle these.

@ipstenu - this is the same as your report of

#2 @mikelopez
8 years ago

@kraftbj : I don't think it's the same or even similar. #34939 is about [shortcode=xxx] wherein it's not being processed because there's no space before the = sign

#3 @mikelopez
8 years ago

Btw, thanks to @ipstenu for pointing out in Slack that what I'm recommending might be a security problem if say an editor assigns a post to an admin.

Due to that, we can ignore my suggested patch as that's definitely insecure.

Perhaps, instead of not processing the shortcode, maybe we can process the shortcode and run its results against KSES?

Note: See TracTickets for help on using tickets.