Make WordPress Core

Opened 7 years ago

Closed 3 years ago

#40749 closed enhancement (wontfix)

Inline style shortcode for background-image issue #2

Reported by: markusfroehlich's profile markusfroehlich Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.7.4
Component: General Keywords: close
Focuses: Cc:


Shortcodes in a style attribute for example:

<div style="background-image: url([my-shortcode id='1']);"></div>

are not working, because in the function "safecss_filter_attr()" (w-includes/kses.php) (Line: 1688), the regex filters the "(" and return an empty string.
I know that this a security restriction is.
But it is it possible to filter the regex pattern with a WordPress filter?

My problem is, that i am writing on an Template WordPress Plugin for Custom Post Types. The Plugin can use the Muffin Builder (Betheme) or Visual Composer.
Now when the users (or employees) want to place a shortcode in the Background Image Field, the shortcode will be ignored because of the safecss_filter_attr() function.
Please give me a help and let me filter the regex pattern.

Thank you very much

Change History (2)

#1 @azaozz
7 years ago

  • Keywords close added

But is it possible to filter the regex pattern with a WordPress filter?

You mean, so plugins can remove it or make it insecure when they want to? Don't think this is a good idea :)

As I replied to your other ticket, #40744, using shortcodes in HTML attributes is bad idea and is officially not supported. I know that it kind of works, which is unfortunate. However it is considered a bad practice. Look at the example in the ticket above: using a shortcode makes the URL invalid.

I'm actually thinking we should add a filter/scan for similar shortcodes usage in the plugin directory and flag plugins that do it. Then perhaps show a warning on the plugins page that the plugin doesn't follow "best practices".

#2 @hellofromTonya
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Hello @markusfroehlich,

Welcome to Core Trac! Thank you for this suggested enhancement.

Closing this ticket. Why?

  • As you noted, filtering the regex pattern is a security concern.
  • The lack of regex pattern filtering is intentional.
  • As @azaozz noted, shortcodes in HTML attributes is not supported.
Note: See TracTickets for help on using tickets.