WordPress.org

Make WordPress Core

Opened 6 months ago

Last modified 6 months ago

#40749 new enhancement

Inline style shortcode for background-image issue #2

Reported by: markusfroehlich Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.7.4
Component: General Keywords: close
Focuses: Cc:

Description

Shortcodes in a style attribute for example:

<div style="background-image: url([my-shortcode id='1']);"></div>

are not working, because in the function "safecss_filter_attr()" (w-includes/kses.php) (Line: 1688), the regex filters the "(" and return an empty string.
I know that this a security restriction is.
But it is it possible to filter the regex pattern with a WordPress filter?

My problem is, that i am writing on an Template WordPress Plugin for Custom Post Types. The Plugin can use the Muffin Builder (Betheme) or Visual Composer.
Now when the users (or employees) want to place a shortcode in the Background Image Field, the shortcode will be ignored because of the safecss_filter_attr() function.
Please give me a help and let me filter the regex pattern.

Thank you very much
Markus

Change History (1)

#1 @azaozz
6 months ago

  • Keywords close added

But is it possible to filter the regex pattern with a WordPress filter?

You mean, so plugins can remove it or make it insecure when they want to? Don't think this is a good idea :)

As I replied to your other ticket, #40744, using shortcodes in HTML attributes is bad idea and is officially not supported. I know that it kind of works, which is unfortunate. However it is considered a bad practice. Look at the example in the ticket above: using a shortcode makes the URL invalid.

I'm actually thinking we should add a filter/scan for similar shortcodes usage in the plugin directory and flag plugins that do it. Then perhaps show a warning on the plugins page that the plugin doesn't follow "best practices".

Note: See TracTickets for help on using tickets.