[wp-trac] [WordPress Trac] #33102: Shortcodes with Quoted Attributes Break Inside of Quoted HTML Attributes
WordPress Trac
noreply at wordpress.org
Thu Aug 20 03:07:19 UTC 2015
#33102: Shortcodes with Quoted Attributes Break Inside of Quoted HTML Attributes
--------------------------+------------------------------
Reporter: cgrymala | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Shortcodes | Version: 4.2.3
Severity: normal | Resolution:
Keywords: close | Focuses:
--------------------------+------------------------------
Comment (by miyarakira):
Prior to WP 4.2.3, shortcode parameters could use single or no quotes
inside HTML attributes:
{{{
<html attr="[shortcode param='value']">
<html attr="[shortcode param=value]">
}}}
I agree that it won't make sense to allow double quotes.
---
My point about loosening restrictions was more general, to allow
shortcodes in HTML attributes in a safe and valid way. This would restore
previously allowed use cases, while still keeping it secure. It's
encouraging to hear that it may be possible by user or capability basis.
I'm sure other people would be interested in this solution.
This seems to be a part of what's proposed in #33134. The example given
there is about nested shortcodes, but there is a common point of how to
handle this:
{{{
<html attr="[dependent]">
}}}
Prior to WP 4.2.3, `do_shortcode()` - in ''the_content'' filter or within
another shortcode - resulted in:
{{{
<html attr="some dynamic value">
}}}
Since the change in the Shortcode API, shortcodes inside HTML attributes
are stripped, regardless of being nested or not. The result being:
{{{
<html attr="">
}}}
I understand this is to prevent malicious use of the shortcode syntax. As
you suggested, there could be a less drastic way, by '''allowing trusted
users to continue using shortcodes in HTML attributes'''. I imagine it can
be allowed inside posts whose author has sufficient capability. The same
goes for nested shortcodes, and if `do_shortcode()` is used inside PHP
templates, well, if they can run PHP then they already have sufficient
privileges, so it should be safe to allow the use of shortcodes inside
HTML attributes.
The question is, how will `do_shortcode()` determine whether the content came
from an untrusted user with insufficient privileges? It seems to me that
this is the only context in which it's necessary to prevent this shortcode use
case.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33102#comment:42>
WordPress Trac <https://core.trac.wordpress.org/>
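An added example, not code from the ticket or from WordPress core: a small Python audit script that finds shortcodes sitting inside HTML attribute values (the single-quoted and unquoted forms the comment says worked before 4.2.3) and previews the stripped result, so a site owner can locate the content the change affects. The sample HTML is constructed, and `preview_stripped()` only models the outcome the comment describes rather than reproducing WordPress's own parser.

```python
import re
from html.parser import HTMLParser

# Constructed sample post content, not taken from the ticket. The first two
# shortcodes sit inside attributes (single quotes / no quotes, the forms the
# comment says worked before 4.2.3); the third sits in text and is unaffected.
SAMPLE_HTML = (
    '<a href="[link_to id=42]">Read more</a>\n'
    '<img src="[image_url size=\'large\']" alt="hero">\n'
    "<p>[gallery ids='1,2']</p>\n"
)

# Opening shortcode tag: [name attrs]. Closing tags ([/name]) and escaped
# [[...]] forms are deliberately not matched; an audit only needs the opener.
SHORTCODE_RE = re.compile(r"\[([A-Za-z0-9_-]+)([^\]]*)\]")


class AttrShortcodeFinder(HTMLParser):
    """Collects every shortcode that appears inside an HTML attribute value."""

    def __init__(self):
        super().__init__()
        self.hits = []  # dicts with keys: tag, attr, name, raw

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if not value:
                continue  # boolean or empty attribute, nothing to scan
            for m in SHORTCODE_RE.finditer(value):
                self.hits.append(
                    {"tag": tag, "attr": attr, "name": m.group(1), "raw": m.group(0)}
                )


def find_shortcodes_in_attributes(html):
    """Return the shortcodes a 4.2.3+ site would strip from attribute values."""
    parser = AttrShortcodeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def preview_stripped(html):
    """Model the post-4.2.3 outcome the comment describes: the shortcode text
    inside an attribute is removed, leaving e.g. attr="". This is an audit
    approximation (first textual match is removed), not WordPress's code."""
    for hit in find_shortcodes_in_attributes(html):
        html = html.replace(hit["raw"], "", 1)
    return html


if __name__ == "__main__":
    for hit in find_shortcodes_in_attributes(SAMPLE_HTML):
        print(f'<{hit["tag"]} {hit["attr"]}=...> contains [{hit["name"]}]')
    print(preview_stripped(SAMPLE_HTML))
```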