[wp-trac] [WordPress Trac] #29810: Prevent HTML Corruption When Shortcodes Are Not Allowed
WordPress Trac
noreply at wordpress.org
Tue Sep 30 18:08:30 UTC 2014
#29810: Prevent HTML Corruption When Shortcodes Are Not Allowed
--------------------------+-----------------------------
Reporter: miqrogroove | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Formatting | Version: 2.6
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Bug #12690 is alive and well. Only some specific test cases were resolved
in 4.0.
The underlying problem is that wptexturize() is not aware of the Shortcode
API status. The function effectively treats all input as though it were
provided by administrator level users without adequate regard to HTML
sanity.
Here is a strategy I brainstormed with @azaozz:
1. Add a new global variable or a parameter to the wptexturize() function
that would allow shortcode parsing by default, but limit or disable
shortcode parsing when not allowed.
2. Find all instances where wptexturize() is used in core, starting with
default-filters.php.
3. For any instance where do_shortcode() is not also used (presumably
every core instance except the_content) set the global variable to limit
shortcode parsing.
4. Inside wptexturize(), limited shortcode parsing means the preg_split
expression is modified such that HTML is strictly forbidden inside of
shortcodes. Disabled shortcode parsing means the shortcode portion of the
preg_split expression is removed completely and all shortcodes will become
texturized with other content.
#29661 is related. The strategy described above would have no impact on
shortcode parsing, except in those places where shortcodes are already not
allowed without a plugin.
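As an added illustration (not code from the ticket or from WordPress core), here is a simplified model of the strategy above: a texturizer whose preg_split pattern depends on a shortcode mode, with `full`, `limited` and `disabled` corresponding to steps 1 and 4. The function names `demo_texturize` and `curly_quotes`, the sample input, and the reduced rule set (only `<code>`/`<pre>` protection and double quotes are modelled) are my own assumptions.

```php
<?php
// Simplified model of wptexturize() chunking. Added example, not core code.
// Minimal stand-in for the curly-quote rules: only double quotes are handled.
function curly_quotes(string $text): string
{
    $text = preg_replace('/(^|\s)"/', '$1“', $text); // opening quote
    return str_replace('"', '”', $text);              // remaining quotes close
}

// $shortcodes: 'full' (HTML may appear inside [..]), 'limited' (no < or >
// inside [..]), or 'disabled' (no shortcode branch; brackets are plain text).
function demo_texturize(string $text, string $shortcodes = 'full'): string
{
    $html = '<[^>]*>';
    $shortcode = match ($shortcodes) {
        'full'     => '\[(?:[^\[\]<>]+|<[^\[\]>]*>)*+\]',
        'limited'  => '\[[^\[\]<>]*+\]',
        'disabled' => null,
    };
    $pattern = '/(' . $html . ($shortcode === null ? '' : '|' . $shortcode) . ')/';
    // One capture group, so even indices are text and odd indices are delimiters.
    $chunks = preg_split($pattern, $text, -1, PREG_SPLIT_DELIM_CAPTURE);

    $out = '';
    $in_code = 0; // nesting depth of <code>/<pre>, whose text must stay untouched
    foreach ($chunks as $i => $chunk) {
        if ($i % 2 === 1) {
            // Delimiter: an HTML tag or a shortcode, both passed through as-is.
            // A tag swallowed inside a shortcode match never reaches this check,
            // which is exactly why 'limited' forbids HTML inside brackets when
            // the surrounding context will never run do_shortcode().
            if ($chunk[0] === '<' && preg_match('#^<(/?)(code|pre)\b#i', $chunk, $m)) {
                $in_code = max(0, $in_code + ($m[1] === '' ? 1 : -1));
            }
            $out .= $chunk;
        } else {
            $out .= $in_code ? $chunk : curly_quotes($chunk);
        }
    }
    return $out;
}

// Constructed sample: a bracketed span that happens to contain an opening tag.
$sample = '[note <code>] "quoted" </code> and a "plain" quote';
foreach (['full', 'limited', 'disabled'] as $mode) {
    printf("%-8s %s\n", $mode, demo_texturize($sample, $mode));
}
```

In `full` mode the `<code>` tag is hidden inside the shortcode chunk, so the quotes inside the code element are texturized; in `limited` and `disabled` mode the tag is seen and the code content is left alone.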
The impact on plugins would be as follows. A plugin is broken if all of
the following conditions are true:
1. The plugin has hooked do_shortcode() to a filter that we are securing
with this patch.
2. The shortcodes being filtered by both the plugin and by wptexturize()
contain unescaped HTML-special characters such as angle brackets `<` and `>`.
3. The plugin is not updated with a new filter to re-enable full
shortcode parsing within wptexturize().
This would be necessary because, by default, WordPress does not allow
shortcodes in many areas that are impacted by the wptexturize() function.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29810>
WordPress Trac <https://core.trac.wordpress.org/>