Opened 9 years ago
Last modified 5 years ago
#34983 new defect (bug)
shortcodes not working in input fields
| Reported by: | mikelopez | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.4 |
| Component: | Shortcodes | Keywords: | |
| Focuses: | | Cc: | |
Description
So here's the gist of it...
Won't work:
<input type="text" value="[shortcode]">
Works:
<input type="text" value=[shortcode]>
At first I thought it's because the shortcode is enclosed in quotes but apparently that's not the case as both of the following work just fine.
<a href="[shortcode]">
<a href=[shortcode]>
Narrowed down the issue to do_shortcodes_in_html_tags() where I found this:

```php
if ( ( false === $single || $open < $single ) && ( false === $double || $open < $double ) ) {
	// $attr like '[shortcode]' or 'name = [shortcode]' implies unfiltered_html.
	// In this specific situation we assume KSES did not run because the input
	// was written by an administrator, so we should avoid changing the output
	// and we do not need to run KSES here.
	$attr = preg_replace_callback( "/$pattern/s", 'do_shortcode_tag', $attr );
}
```
What bothers me is the part where it says "assumes KSES did not run because the input was written by an administrator".
Why not really check if an admin did write the input, at least for posts?
Attached is a patch that I did which possibly needs improvement from the WP gods :)
Thanks.
Mike
Attachments (1)
Change History (4)
#2
9 years ago
@kraftbj : I don't think it's the same or even similar. #34939 is about [shortcode=xxx] wherein it's not being processed because there's no space before the = sign.
#3
9 years ago
Btw, thanks to @ipstenu for pointing out in Slack that what I'm recommending might be a security problem if say an editor assigns a post to an admin.
Due to that, we can ignore my suggested patch as that's definitely insecure.
Perhaps, instead of not processing the shortcode, maybe we can process the shortcode and run its results against KSES?
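The following is an added illustration for this ticket, not WordPress core code and not the reporter's patch. It re-implements the quote-position check from the core snippet quoted in the description on a single attribute token, and shows the approach proposed in comment #3: expand the shortcode inside a quoted attribute value and then sanitise the expansion before writing it back. The shortcode registry (`site_url`, `label`), the `sanitize_attr_value()` stand-in for KSES, and the sample attribute strings are all constructed for this example; in WordPress the real pieces would be `do_shortcode_tag()` and KSES.

```php
<?php
// Added example for #34983 (not core code). Everything below is constructed:
// the shortcode registry, the KSES stand-in and the sample inputs.

// Hypothetical shortcode registry. 'label' deliberately returns a value that
// contains quote characters so the sanitiser has something to do.
$shortcodes = array(
    'site_url' => function ( $atts ) { return 'https://example.com/path?a=1&b=2'; },
    'label'    => function ( $atts ) { return 'Hello "world"'; },
);

// Stand-in for get_shortcode_regex(): matches [name] or [name attr="x"].
$pattern = '\[(\w+)([^\]]*)\]';

// Expand every registered shortcode in $text; unknown ones are left literal.
function expand_shortcodes( $text, $pattern, $shortcodes ) {
    return preg_replace_callback(
        "/$pattern/s",
        function ( $m ) use ( $shortcodes ) {
            if ( ! isset( $shortcodes[ $m[1] ] ) ) {
                return $m[0];
            }
            return call_user_func( $shortcodes[ $m[1] ], array() );
        },
        $text
    );
}

// Minimal stand-in for running KSES over one attribute value: drop characters
// that could close the attribute or open a tag, require http(s) in URL
// attributes, and entity-encode the rest. Returns '' when the value is rejected.
function sanitize_attr_value( $attr_name, $value ) {
    $value = str_replace( array( '"', "'", '<', '>' ), '', $value );
    if ( in_array( $attr_name, array( 'href', 'src' ), true )
         && ! preg_match( '#^https?://#i', $value ) ) {
        return '';
    }
    return htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' );
}

// Process one attribute token such as 'value="[site_url]"' or 'href=[site_url]'.
function process_attr( $attr, $pattern, $shortcodes ) {
    $open  = strpos( $attr, '[' );
    $close = strpos( $attr, ']' );
    if ( false === $open || false === $close ) {
        return $attr; // no shortcode in this attribute
    }
    $double = strpos( $attr, '"' );
    $single = strpos( $attr, "'" );

    // Same condition as the core snippet: '[' appears before any quote character.
    $unquoted = ( false === $single || $open < $single )
             && ( false === $double || $open < $double );

    if ( $unquoted ) {
        // Core treats this shape as unfiltered_html and expands in place.
        return expand_shortcodes( $attr, $pattern, $shortcodes );
    }

    // Quoted value: expand, then sanitise the expansion (comment #3's suggestion).
    if ( ! preg_match( '/^\s*([a-zA-Z0-9_-]+)\s*=\s*(["\'])(.*)\2\s*$/s', $attr, $m ) ) {
        return $attr; // not a simple name="value" token; leave untouched
    }
    list( , $name, $quote, $value ) = $m;
    $expanded = expand_shortcodes( $value, $pattern, $shortcodes );
    if ( $expanded === $value ) {
        return $attr; // nothing expanded
    }
    $clean = sanitize_attr_value( $name, $expanded );
    if ( '' === $clean ) {
        return $attr; // sanitiser rejected the result; keep the original token
    }
    return $name . '=' . $quote . $clean . $quote;
}

// Constructed sample attribute tokens covering the shapes from the ticket.
$samples = array(
    '[site_url]',
    'value=[site_url]',
    'value="[site_url]"',
    'href="[site_url]"',
    "title='[site_url]'",
    'value="[label]"',
);
foreach ( $samples as $s ) {
    printf( "%-22s => %s\n", $s, process_attr( $s, $pattern, $shortcodes ) );
}
```

The unquoted samples are expanded verbatim, exactly as the quoted core branch does; the quoted samples go through the expand-then-sanitise path, so the `label` output loses its embedded quote characters before it is written back into the attribute. The trust decision still rests on quoting style, which is the part of the design this ticket questions; the example only shows what the comment #3 approach buys in the quoted case.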
Related/same as #34939 (not marking as a duplicate yet since it is a bit different and not sure how the devs want to tackle these).
@ipstenu - this is the same as your report of https://core.trac.wordpress.org/ticket/34939#comment:1