Make WordPress Core

Opened 7 years ago

Closed 3 years ago

#40749 closed enhancement (wontfix)

Inline style shortcode for background-image issue #2

Reported by: markusfroehlich
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.7.4
Component: General
Keywords: close
Focuses:
Cc:

Description

Shortcodes in a style attribute, for example:

<div style="background-image: url([my-shortcode id='1']);"></div>

are not working, because in the function "safecss_filter_attr()" (wp-includes/kses.php) (Line: 1688), the regex filters the "(" and returns an empty string.
I know that this is a security restriction.
But is it possible to filter the regex pattern with a WordPress filter?

My problem is that I am writing a Template WordPress Plugin for Custom Post Types. The Plugin can use the Muffin Builder (Betheme) or Visual Composer.
Now when the users (or employees) want to place a shortcode in the Background Image Field, the shortcode will be ignored because of the safecss_filter_attr() function.
Please help me and let me filter the regex pattern.

Thank you very much
Markus

Change History (2)

#1 @azaozz
7 years ago

  • Keywords close added

But is it possible to filter the regex pattern with a WordPress filter?

You mean, so plugins can remove it or make it insecure when they want to? Don't think this is a good idea :)

As I replied to your other ticket, #40744, using shortcodes in HTML attributes is a bad idea and is officially not supported. I know that it kind of works, which is unfortunate. However, it is considered a bad practice. Look at the example in the ticket above: using a shortcode makes the URL invalid.

I'm actually thinking we should add a filter/scan for similar shortcode usage in the plugin directory and flag plugins that do it. Then perhaps show a warning on the plugins page that the plugin doesn't follow "best practices".

#2 @hellofromTonya
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Hello @markusfroehlich,

Welcome to Core Trac! Thank you for this suggested enhancement.

Closing this ticket. Why?

  • As you noted, filtering the regex pattern is a security concern.
  • The lack of regex pattern filtering is intentional.
  • As @azaozz noted, shortcodes in HTML attributes are not supported.
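
The supported alternative to a shortcode inside a style attribute, as an added example that is not from this ticket or from WordPress core: a shortcode that prints the whole element and accepts only an attachment ID. The "bg_section" tag, the function name and the "bg-section" class are hypothetical.

```php
<?php
/**
 * Hypothetical enclosing shortcode: [bg_section id="123"] ... [/bg_section]
 *
 * The shortcode returns the complete <div>, so editors never place a
 * shortcode inside style="..." and safecss_filter_attr() stays untouched.
 */
function example_bg_section_shortcode( $atts, $content = '' ) {
	$atts = shortcode_atts( array( 'id' => 0 ), $atts, 'bg_section' );

	// Accept a numeric attachment ID only: no free-form URL or CSS
	// ever comes from the editor.
	$attachment_id = absint( $atts['id'] );
	$url           = $attachment_id
		? wp_get_attachment_image_url( $attachment_id, 'full' )
		: false;

	// Enclosed content is ordinary post content; let nested shortcodes run.
	$inner = do_shortcode( $content );

	// Unknown or non-image attachment: render the wrapper without a style.
	if ( ! $url ) {
		return '<div class="bg-section">' . $inner . '</div>';
	}

	// The CSS declaration is built server-side from a media library URL.
	// esc_url() limits it to allowed protocols; esc_attr() escapes the
	// finished declaration for use as an attribute value.
	$style = sprintf( "background-image: url('%s');", esc_url( $url ) );

	return sprintf(
		'<div class="bg-section" style="%s">%s</div>',
		esc_attr( $style ),
		$inner
	);
}
add_shortcode( 'bg_section', 'example_bg_section_shortcode' );
```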