[wp-trac] [WordPress Trac] #33102: Shortcodes with Quoted Attributes Break Inside of Quoted HTML Attributes

WordPress Trac noreply at wordpress.org
Thu Aug 20 01:07:04 UTC 2015

#33102: Shortcodes with Quoted Attributes Break Inside of Quoted HTML Attributes
 Reporter:  cgrymala      |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Shortcodes    |     Version:  4.2.3
 Severity:  normal        |  Resolution:
 Keywords:  close         |     Focuses:

Comment (by miyarakira):

 To summarize this delightfully tangled thread and lead it to closure...

 The original topic was ''Shortcodes with Quoted Attributes Break Inside of
 Quoted HTML Attributes''.

 <a href="[shortcode param="value"]">

 To start with, the inner quotes should be 'single' or no quotes. However,
 that doesn't matter because from WP 4.2.3, '''all shortcodes inside HTML
 attributes are no longer valid''', with or without shortcode parameters.
 They are removed, and the result is:

 <a href="">

 So, this is the answer to the original issue: "shortcodes with quoted
 attributes inside of quoted HTML attributes" are not allowed anymore.
 '''There will not be a fix or patch for this'''.

 The recommended solution is to change the shortcode's behavior, to
 '''return the whole link or HTML element'''.

 Case closed?


 Several people gave variations of the same use case - shortcodes inside
 HTML attributes - including inside of nested shortcodes. These are not
 specifically related to the original topic, since they're not using quoted
 shortcode parameters. But the answer is the same as above. This latest
 comment# 38 is another example. In this case, the shortcode can return the
 whole input element, instead of just the value.

 In the case of using a shortcode in a `<div>` class (comment# 27), I don't
 see an easy answer. Also in the same comment, a different topic was
 introduced: the use of shortcodes inside shortcode parameters: `[shortcode
 param="[another-shortcode]"]`.  I doubt that this can be parsed correctly
 without serious regex magic.


 There was a relevant point raised in comment# 38 by @cgrymala. There are
 themes and plugins which provided shortcodes for use in HTML attributes,
 most notably in links, and a significant number of websites depended on
 this use case. Since going through all previously developed sites to
 change these shortcode use cases is not realistic, some of the
 theme/plugin developers have resorted to processing their shortcodes
 before they get stripped in `do_shortcode()`.

 This is inefficient, and, more importantly, risks reopening the
 vulnerability that was addressed by this change in the Shortcode API. The
 only feasible solution I see is that these themes/plugins must transition
 their user base and provide new shortcodes (or break backward
 compatibility with existing shortcodes) so that the whole HTML element is

 Either that, or loosen/improve the restriction to allow safe and valid use
 of shortcodes in HTML attributes.

Ticket URL: <https://core.trac.wordpress.org/ticket/33102#comment:40>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
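
The recommendation in the comment above (have the shortcode return the whole link instead of sitting inside `href`), sketched as an added example; it is not part of the original message or of WordPress core. The shortcode name `doc_link`, its `id` and `class` attributes, and the callback name are hypothetical, and the file assumes it is loaded as a plugin inside WordPress.

```php
<?php
/**
 * Plugin Name: Doc Link Shortcode (added example)
 *
 * Hypothetical shortcode [doc_link]; its name and attributes are
 * assumptions made for this example.
 *
 * Before (stripped since WP 4.2.3, the href ends up empty):
 *   <a href="[doc_url id='42']">Read more</a>
 *
 * After (the shortcode emits the whole element):
 *   [doc_link id="42" class="button"]Read more[/doc_link]
 */

function example_doc_link_shortcode( $atts, $content = null ) {
	$atts = shortcode_atts(
		array(
			'id'    => 0,
			'class' => '',
		),
		$atts,
		'doc_link'
	);

	// Require an explicit post ID; get_permalink() returns false for unknown posts.
	$post_id = absint( $atts['id'] );
	$url     = $post_id ? get_permalink( $post_id ) : false;
	if ( ! $url ) {
		// No valid target: output the link text only, never a half-built tag.
		return esc_html( (string) $content );
	}

	// Each class token is reduced to [A-Za-z0-9_-] before it reaches the attribute.
	$classes = array_filter( array_map( 'sanitize_html_class', preg_split( '/\s+/', $atts['class'] ) ) );

	// Escape per context: esc_url() for href, esc_attr() for class, esc_html() for the text node.
	return sprintf(
		'<a href="%s"%s>%s</a>',
		esc_url( $url ),
		$classes ? ' class="' . esc_attr( implode( ' ', $classes ) ) . '"' : '',
		esc_html( (string) $content )
	);
}
add_shortcode( 'doc_link', 'example_doc_link_shortcode' );
```

Because the callback builds the element itself, every value is escaped for the context it lands in, and nothing needs to be processed ahead of `do_shortcode()`.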