[wp-trac] [WordPress Trac] #33102: Shortcodes with Quoted Attributes Break Inside of Quoted HTML Attributes
WordPress Trac
noreply at wordpress.org
Thu Aug 20 01:07:04 UTC 2015
#33102: Shortcodes with Quoted Attributes Break Inside of Quoted HTML Attributes
--------------------------+------------------------------
Reporter: cgrymala | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Shortcodes | Version: 4.2.3
Severity: normal | Resolution:
Keywords: close | Focuses:
--------------------------+------------------------------
Comment (by miyarakira):
To summarize this delightfully tangled thread and lead it to closure..
The original topic was ''Shortcodes with Quoted Attributes Break Inside of
Quoted HTML Attributes''.
{{{
<a href="[shortcode param="value"]">
}}}
To start with, the inner quotes should be 'single' or no quotes. However,
that doesn't matter because from WP 4.2.3, '''all shortcodes inside HTML
attributes are no longer valid''', with or without shortcode parameters.
They are removed, and the result is:
{{{
<a href="">
}}}
So, this is the answer to the original issue: "shortcodes with quoted
attributes inside of quoted HTML attributes" are not allowed anymore.
'''There will not be a fix or patch for this'''.
The recommended solution is to change the shortcode's behavior, to
'''return the whole link or HTML element'''.
Case closed?
----
Several people gave variations of the same use case - shortcodes inside
HTML attributes - including inside of nested shortcodes. These are not
specifically related to the original topic, since they're not using quoted
shortcode parameters. But the answer is the same as above. This latest
comment# 38 is another example. In this case, the shortcode can return the
whole input element, instead of just the value.
In the case of using a shortcode in a `<div>` class (comment# 27), I don't
see an easy answer. Also in the same comment, a different topic was
introduced: the use of shortcodes inside shortcode parameters: `[shortcode
param="[another-shortcode]"]`. I doubt that this can be parsed correctly
without serious regex magic.
----
There was a relevant point raised in comment# 38 by @cgrymala. There are
themes and plugins which provided shortcodes for use in HTML attributes,
most notably in links, and a significant number of websites depended on
this use case. Since going through all previously developed sites to
change these shortcode use cases is not realistic, some of the
theme/plugin developers have resorted to processing their shortcodes
before it gets stripped in `do_shortcode()`.
This is inefficient, and, more importantly, risks reopening the
vulnerability that was addressed by this change in the Shortcode API. The
only feasible solution I see is that these themes/plugins must transition
their user base and provide new shortcodes (or break backward
compatibility with existing shortcodes) so that the whole HTML element is
returned.
Either that, or loosen/improve the restriction to allow safe and valid use
of shortcodes in HTML attributes.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33102#comment:40>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
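
The change recommended in the comment above (have the shortcode return the whole element instead of a value placed inside an HTML attribute), as an added example that is not part of the ticket or of WordPress core. The shortcode name `doc_link`, its `id` and `class` parameters and the function name are hypothetical, and the code assumes it is loaded by WordPress from a plugin or a theme's `functions.php`.

```php
<?php
/**
 * Added example; "doc_link" and "doc_url" are hypothetical shortcode names.
 *
 * Before (the href is emptied since WP 4.2.3):
 *   <a href="[doc_url id=42]">Manual</a>
 * After (the shortcode emits the whole element):
 *   [doc_link id=42 class="button"]Manual[/doc_link]
 */
function example_doc_link_shortcode( $atts, $content = null ) {
    $atts = shortcode_atts(
        array(
            'id'    => 0,
            'class' => '',
        ),
        $atts,
        'doc_link'
    );

    $post_id = absint( $atts['id'] );
    $url     = $post_id ? get_permalink( $post_id ) : false;
    if ( ! $url ) {
        // Unknown post: emit the enclosed text only, never an empty href.
        return esc_html( (string) $content );
    }

    // Sanitize each class name separately and drop the ones that end up empty.
    $classes    = array_filter(
        array_map( 'sanitize_html_class', preg_split( '/\s+/', (string) $atts['class'] ) )
    );
    $class_attr = $classes ? ' class="' . esc_attr( implode( ' ', $classes ) ) . '"' : '';

    // Self-closing use ([doc_link id=42]) has no enclosed text: use the post title.
    $label = ( null === $content || '' === $content ) ? get_the_title( $post_id ) : $content;

    // Every dynamic value is escaped for the context it lands in.
    return sprintf(
        '<a href="%s"%s>%s</a>',
        esc_url( $url ),
        $class_attr,
        esc_html( $label )
    );
}
add_shortcode( 'doc_link', 'example_doc_link_shortcode' );
```

Because the handler builds the element itself, escaping is applied per context (`esc_url` for the `href`, `esc_attr` for the class list, `esc_html` for the link text) and nothing has to be processed ahead of `do_shortcode()`.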