[wp-trac] [WordPress Trac] #31471: shortcode_parse_atts has no escape sequence to handle literal quotes within values

Fri Feb 27 04:39:42 UTC 2015

#31471: shortcode_parse_atts has no escape sequence to handle literal quotes within
values
--------------------------+-----------------------------
 Reporter:  maximinime    |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Shortcodes    |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 The code uses {{{stripcslashes()}}} on the values already, so making
 backlslash the escape sequence should produce the same output, unless
 there is an odd number of backslashes at the end of a quoted value.

 Changing the pattern as below means one could use attributes like
 {{{title="<a href=\"/foo/\">Bar</a>"}}} instead of getting parse errors on
 {{{title="<a href="/foo/">Bar</a>"}}}. (Yes, all those backslashes are
 right.)

 {{{
 $pattern =
 '/(\w+)\s*=\s*"([^\\\\"]*(?:\\\\.[^\\\\"]*)*)"(?:\s|$)|(\w+)\s*=\s*\'([^\\\\\']*(?:\\\\.[^\\\\\']*)*)\'(?:\s|$)|(\w+)\s*=\s*([^\s\'"]+)(?:\s|$)|"([^\\\\"]*(?:\\\\.[^\\\\"]*)*)"(?:\s|$)|(\S+)(?:\s|$)/';
 }}}

 Also, the visual mode of the content editor enforces double-quotes on
 HTML, so using attributes like this {{{title="<a href='/foo/'>Bar</a>"}}}
 as a workaround can be unwittingly destroyed by later edits.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/31471>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform