[wp-trac] [WordPress Trac] #15694: Shortcode I/O Intolerant of "]", "<", Quotes, etc.

WordPress Trac noreply at wordpress.org
Sat May 23 22:12:37 UTC 2015


#15694: Shortcode I/O Intolerant of "]", "<", Quotes, etc.
------------------------------------------+--------------------------
 Reporter:  miqrogroove                   |       Owner:  miqrogroove
     Type:  defect (bug)                  |      Status:  assigned
 Priority:  high                          |   Milestone:  4.3
Component:  Shortcodes                    |     Version:  3.0.1
 Severity:  normal                        |  Resolution:
 Keywords:  needs-patch needs-unit-tests  |     Focuses:  javascript
------------------------------------------+--------------------------
Description changed by miqrogroove:

Old description:

> I've discovered that the "]" character can only be used in the media
> library itself.  If I try to insert an image into a post using a caption
> like "[Test Caption]" then the post editor inserts three double quotes
> into the HTML attribute, invalidating the page markup.  D:
>
> {{{
> [caption id="attachment_3" align="alignnone" width="300" caption="[Test
> Caption"]"]
> }}}
>
> In testing the output end of things, if I remove the extra double quote
> directly in MySQL, then the caption is not rendered at all on the post.
> This suggests there is more than one error in the code that is causing
> this problem.  I was able to reproduce these symptoms on both versions I
> tested, 2.9.2 and 3.0.1.

New description:

 There are no shortcode input escaping functions available in core even
 though the Shortcode API is increasingly strict about not allowing special
 characters inside shortcode attributes.

 Common problems for plugin developers include user input containing square
 braces.  This was even a core bug prior to 3.4 where a caption shortcode
 would be transformed by the Visual Editor from:

 {{{[caption id="attachment_3" align="alignnone" width="300" caption="[Test
 Caption]"]}}}

 ... to ...

 {{{[caption id="attachment_3" align="alignnone" width="300" caption="[Test
 Caption"]"]}}}

 As of 4.2.2, that same shortcode is transformed to:

 {{{[caption id="attachment_7" align="alignnone" width="300"]"]}}}

 Other common problems include usage of HTML-special characters for
 quotations or comparison operators that would need to appear in the
 attribute value.

--

--
Ticket URL: <https://core.trac.wordpress.org/ticket/15694#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
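An added example, not code from this ticket or from WordPress core: a JavaScript model of why a "]" inside an attribute value breaks the caption shortcode, and the workaround plugin authors use while core ships no shortcode escaping function, namely entity-encoding "[", "]", "<", ">", quotes and "&" before the value is placed in the attribute. The opener regex and attribute tokenizer below are simplified stand-ins for the core parser (an assumption about its shape, not a copy of it), and the demo shortcode string is constructed here. Entity-encoding is only a valid workaround when the attribute value is later emitted into HTML, where the browser decodes the entities.

```javascript
'use strict';

// Simplified model of a shortcode opener: "[", a tag name, then attribute text
// running to the first "]" (optionally self-closing "/]"). Assumption: this
// mirrors the shape of the core regex, it is not the core regex itself.
const OPENER_RE = /\[(\w+)([^\]]*?)\s*\/?\]/;

// Tokenize attribute text into name="value", name='value', name=value and
// bare positional values. Unterminated quoted values fall through to the
// positional case, which is exactly what loses the caption below.
function parseAtts(text) {
  const re = /(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*'([^']*)'|(\w+)\s*=\s*([^\s"']+)|"([^"]*)"|(\S+)/g;
  const atts = {};
  let positional = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    if (m[1] !== undefined) atts[m[1].toLowerCase()] = m[2];
    else if (m[3] !== undefined) atts[m[3].toLowerCase()] = m[4];
    else if (m[5] !== undefined) atts[m[5].toLowerCase()] = m[6];
    else atts[positional++] = m[7] !== undefined ? m[7] : m[8];
  }
  return atts;
}

// Locate the first shortcode in content and return its tag, parsed
// attributes, the raw matched text and whatever was left over after it.
function findShortcode(content) {
  const m = OPENER_RE.exec(content);
  if (!m) return null;
  return {
    tag: m[1],
    attrs: parseAtts(m[2]),
    raw: m[0],
    trailing: content.slice(m.index + m[0].length),
  };
}

// The workaround: encode every character the shortcode parser or an HTML
// attribute treats specially as a numeric or named entity. "&" is encoded
// first via the single-pass map so existing entities are not double-decoded.
const ESC_MAP = {
  '&': '&amp;', '[': '&#91;', ']': '&#93;',
  '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
};
function escShortcodeAttr(value) {
  return String(value).replace(/[&\[\]<>"']/g, (ch) => ESC_MAP[ch]);
}

// Reverse of escShortcodeAttr, standing in for the browser's entity decoding
// once the value reaches an HTML context.
function decodeEntities(s) {
  const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return s.replace(/&#(\d+);|&(amp|lt|gt|quot);/g, (match, num, name) =>
    num !== undefined ? String.fromCharCode(Number(num)) : NAMED[name]);
}

// Build the caption shortcode from the ticket (constructed test input) with
// the caption text inserted raw or escaped.
function buildCaption(text, escape) {
  const value = escape ? escShortcodeAttr(text) : text;
  return `[caption id="attachment_3" align="alignnone" width="300" caption="${value}"]`;
}

// Run both variants: raw "[Test Caption]" truncates the opener at the inner
// "]", so the caption attribute is never parsed; the escaped form survives.
function demo() {
  const naive = findShortcode(buildCaption('[Test Caption]', false));
  const safe = findShortcode(buildCaption('[Test Caption]', true));
  return {
    naiveCaption: naive.attrs.caption,          // undefined
    naiveTrailing: naive.trailing,              // '"]' left dangling in the post
    safeCaption: safe.attrs.caption,            // '&#91;Test Caption&#93;'
    rendered: decodeEntities(safe.attrs.caption), // '[Test Caption]'
  };
}

module.exports = { parseAtts, findShortcode, escShortcodeAttr, decodeEntities, buildCaption, demo };
```

The dangling `"]` in the naive case is the same stray quote and bracket the ticket shows the Visual Editor producing; whether the editor or the server-side parser truncates first, the fix on the plugin side is the same: never place raw user input in a shortcode attribute without encoding the characters the parser reserves.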

