[wp-trac] [WordPress Trac] #28564: Shortcode Attributes with HTML Tags no longer working

WordPress Trac noreply at wordpress.org
Wed Jun 25 12:02:33 UTC 2014 

#28564: Shortcode Attributes with HTML Tags no longer working
------------------------------------------+-----------------------------
 Reporter:  baden03                       |       Owner:  wonderboymusic
     Type:  defect (bug)                  |      Status:  reopened
 Priority:  high                          |   Milestone:  4.0
Component:  Formatting                    |     Version:  trunk
 Severity:  major                         |  Resolution:
 Keywords:  has-patch commit wptexturize  |     Focuses:
------------------------------------------+-----------------------------

Comment (by kitchin):

 I'm not sure why we're texturizing shortcode attributes at all. The
 problem in comment-3 is solved by searching left to right for the next
 `]`, since we later agreed `[` and `]` must be escaped within a shortcode.

 ''Real world example...'' I tested a plugin that uses jQuery Cycle2. It
 did break, though I doubt anyone is using it in the way that breaks it.
 But here goes. The shortcode for the Testimonial Rotator plugin is like
 this:
 `[testimonial_rotator id="99"]`
 There is an attribute "div_selector" with default value "> div.slide". So
 the shortcode above should be equivalent to:
 `[testimonial_rotator id="99" div_selector="> div.slide"]`
 In WP 3.9.1, the $content passed to do_shortcode() is exactly that.
 In trunk, $content is:
 `[testimonial_rotator id=”99″ div_selector=”>
 div.slide”]`

 ''Valid html...'' The jQuery Cycle2 plugin is pretty standard. Its
 examples use this type of html:
 {{{
 <!DOCTYPE html>
 <html><head><meta charset="UTF-8"><title>test</title></head><body>
 <div id="testimonial_rotator_99" data-cycletwo-slides="> div.slide"></div>
 </body></html>
 }}}
 You can paste that into http://validator.w3.org/#validate_by_input and see
 it is valid. I don't like it, and I think that Cycle2 should allow an
 escaped value but it does not. If I recall correctly, the author told me,
 hey it's valid HTML, and did not understand sometimes people like to
 simple quick parsing.

 ''What is the issue...'' Don't have a clear spec for what we're trying to
 do. Don't know how to address comment:14, Nacin's "needs a security
 review."

--
Ticket URL: <https://core.trac.wordpress.org/ticket/28564#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list