Opened 2 years ago
Last modified 2 years ago
#40749 new enhancement
Inline style shortcode for background-image issue #2
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 4.7.4 |
| Component: | General | Keywords: | close |
| Focuses: | Cc: | ||
| PR Number: |
Description
Shortcodes in a style attribute for example:
<div style="background-image: url([my-shortcode id='1']);"></div>
are not working, because in the function "safecss_filter_attr()" (w-includes/kses.php) (Line: 1688), the regex filters the "(" and return an empty string.
I know that this a security restriction is.
But it is it possible to filter the regex pattern with a WordPress filter?
My problem is, that i am writing on an Template WordPress Plugin for Custom Post Types. The Plugin can use the Muffin Builder (Betheme) or Visual Composer.
Now when the users (or employees) want to place a shortcode in the Background Image Field, the shortcode will be ignored because of the safecss_filter_attr() function.
Please give me a help and let me filter the regex pattern.
Thank you very much
Markus
You mean, so plugins can remove it or make it insecure when they want to? Don't think this is a good idea :)
As I replied to your other ticket, #40744, using shortcodes in HTML attributes is bad idea and is officially not supported. I know that it kind of works, which is unfortunate. However it is considered a bad practice. Look at the example in the ticket above: using a shortcode makes the URL invalid.
I'm actually thinking we should add a filter/scan for similar shortcodes usage in the plugin directory and flag plugins that do it. Then perhaps show a warning on the plugins page that the plugin doesn't follow "best practices".