[wp-trac] [WordPress Trac] #29658: Curly quotes injected into short code attributes when special characters present

WordPress Trac noreply at wordpress.org
Sat Sep 13 14:15:08 UTC 2014 

#29658: Curly quotes injected into short code attributes when special characters
present
--------------------------+------------------------------
 Reporter:  msimpson      |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  General       |     Version:  4.0
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+------------------------------
Description changed by ocean90:

Old description:

> WP 4.0, Theme: Twenty Fourteen 1.2
>
> Given this short code, that simply displays the short code attributes
> passed in:
>
> {{{
> function showattributes($atts, $content = null) {
>     echo '<code>';
>     foreach ($atts as $name => $value) {
>         echo "$name=$value\n";
>     }
>     echo '</code>';
> }
> add_shortcode('quotebug', 'showattributes');
> }}}
>

> == (1) Case that works as expected ==
> 1. Create a WP Post, Editor in '''Text''' mode (not Visual)
> 2. Put in this short code and preview
>
> {{{
> [quotebug a="x_0" b="x_0" c="hello"]
> }}}
>
> 3. Yields expected output
>
> {{{
> a=x_0 b=x_0 c=hello
> }}}
>

> == (2) Bug: Case that injects curly quotes (not expected) ==
> Same as previous scenario, but we will have special characters like
> ampersand and greater-than in the short code attributes
> 1. Create a WP Post, Editor in '''Text''' mode (not Visual)
> 2. Put in this short code and preview
> [[quotebug a="x>0" b="x&0" d="hello"]]
> 3. Yields output where all the values have curly-quotes injected in them.
> This confounds the short code which is not expecting quotes in the values
> it gets passed in.
>
> {{{
> a=”x>0″ b=”x&0″ d=”hello”
> }}}
>

> == (3) Switching to Visual mode changes the behavior ==
> 1. Given the previous example (2), simply switch the editor to
> '''Visual''' mode
> 2. Preview the post. It yields the expected output (no quotes) like the
> first example (1).
> 3. Toggle back to '''Text''' mode. You see that the special characters
> have been changed to their html-entity codes.
> 4. Previewing again yields the expected (no quotes) output (1).
>
> == Impact ==
> As a plugin author with short codes, a number of my users are complaining
> that their short codes no longer work. Presumably they entered the short
> code in '''Text''' edit mode. They don't want to find all the short codes
> that they (or their clients) have used across various posts and web sites
> to toggle to Visual and re-save. I'm forced to put code in my plugin's
> short codes to try to detect and strip out curly quotes. However if the
> quotes were intended by the user, then my code will incorrectly strip
> them out. It creates an ambiguity.

New description:

 WP 4.0, Theme: Twenty Fourteen 1.2

 Given this short code, that simply displays the short code attributes
 passed in:

 {{{
 function showattributes($atts, $content = null) {
     echo '<code>';
     foreach ($atts as $name => $value) {
         echo "$name=$value\n";
     }
     echo '</code>';
 }
 add_shortcode('quotebug', 'showattributes');
 }}}


 == (1) Case that works as expected ==
 1. Create a WP Post, Editor in '''Text''' mode (not Visual)
 2. Put in this short code and preview

 {{{
 [quotebug a="x_0" b="x_0" c="hello"]
 }}}

 3. Yields expected output

 {{{
 a=x_0 b=x_0 c=hello
 }}}


 == (2) Bug: Case that injects curly quotes (not expected) ==
 Same as previous scenario, but we will have special characters like
 ampersand and greater-than in the short code attributes
 1. Create a WP Post, Editor in '''Text''' mode (not Visual)
 2. Put in this short code and preview

 {{{
 [quotebug a="x>0" b="x&0" d="hello"]
 }}}

 3. Yields output where all the values have curly-quotes injected in them.
 This confounds the short code which is not expecting quotes in the values
 it gets passed in.

 {{{
 a=”x>0″ b=”x&0″ d=”hello”
 }}}


 == (3) Switching to Visual mode changes the behavior ==
 1. Given the previous example (2), simply switch the editor to
 '''Visual''' mode
 2. Preview the post. It yields the expected output (no quotes) like the
 first example (1).
 3. Toggle back to '''Text''' mode. You see that the special characters
 have been changed to their html-entity codes.
 4. Previewing again yields the expected (no quotes) output (1).

 == Impact ==
 As a plugin author with short codes, a number of my users are complaining
 that their short codes no longer work. Presumably they entered the short
 code in '''Text''' edit mode. They don't want to find all the short codes
 that they (or their clients) have used across various posts and web sites
 to toggle to Visual and re-save. I'm forced to put code in my plugin's
 short codes to try to detect and strip out curly quotes. However if the
 quotes were intended by the user, then my code will incorrectly strip them
 out. It creates an ambiguity.

--

--
Ticket URL: <https://core.trac.wordpress.org/ticket/29658#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list