[wp-trac] [WordPress Trac] #33102: Shortcodes with Quoted Attributes Break Inside of Quoted HTML Attributes
WordPress Trac
noreply at wordpress.org
Thu Jul 23 23:41:12 UTC 2015
#33102: Shortcodes with Quoted Attributes Break Inside of Quoted HTML Attributes
--------------------------+------------------------------
Reporter: cgrymala | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Shortcodes | Version: 4.2.3
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
--------------------------+------------------------------
Comment (by cgrymala):
Out of curiosity, would it be more effective or less effective as a
security fix if we were to quarantine the HTML tag first, then process its
shortcodes, then evaluate its validity/safety, rather than trying to
evaluate its validity/safety prior to processing the shortcodes inside?
I honestly don't know the answer, as I'm not privy to a lot of the
decision-making behind this change, but I am curious.
For instance, instead of running `wp_kses_hair_parse()` on the original
code that includes un-processed shortcodes, run it after
processing/parsing the shortcodes.
As another possibility, maybe we could quarantine/replace all of the
shortcodes inside of the HTML tag first, replacing them with placeholders
(as you're already doing above with the HTML tags themselves), run
`wp_kses_hair_parse()` on the HTML tag with the placeholders, then put the
shortcodes back in?
It seems like these ideas could potentially solve the problem people are
experiencing, but I have no idea whether they'd potentially re-introduce
the security issues that these changes fixed. Thanks.
Also, to clarify, I understand that my original example could be somewhat
confusing (without knowing my specific use-case, it can seem like a pretty
stupid way to write a shortcode), but there are plenty of valid, non-
confusing examples out there.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33102#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
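The two ideas in the comment above, as an added illustration that is not WordPress core code: attr_parse() is a simplified stand-in for wp_kses_hair_parse(), the shortcode grammar is reduced to [name attr="value" ...], the WPSCPH<n>X placeholder token and the sample attribute strings are constructed for this example, and the two fake shortcode handlers stand in for whatever a real shortcode would output. The quarantine path (placeholders, parse, restore) shows why a shortcode with a quoted attribute inside a quoted href no longer trips the attribute parser; the expand-and-recheck path shows what the first idea (parsing after the shortcodes are processed) still has to verify, namely that the shortcode output did not change the set of attributes on the tag.

```php
<?php
// Added illustration, not WordPress core code. attr_parse() is a simplified stand-in
// for wp_kses_hair_parse(); the shortcode grammar, the WPSCPH<n>X placeholder token
// and the sample attribute strings are all assumptions made for this example.

/** Parse a tag's attribute string into name => value; null if any text is left unparsed. */
function attr_parse(string $attrs): ?array
{
    $re  = '/\G\s*([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*("[^"]*"|\'[^\']*\'|[^\s"\'>]+))?\s*/';
    $out = [];
    $pos = 0;
    while ($pos < strlen($attrs) && preg_match($re, $attrs, $m, 0, $pos)) {
        $value = $m[2] ?? '';
        if ($value !== '' && ($value[0] === '"' || $value[0] === "'")) {
            $value = substr($value, 1, -1);   // strip the surrounding quotes
        }
        $out[strtolower($m[1])] = $value;
        $pos += strlen($m[0]);
    }
    // Leftover text means the attribute list is malformed; reject the whole tag, as kses does.
    return trim(substr($attrs, $pos)) === '' ? $out : null;
}

/** Replace every [shortcode ...] inside the attribute string with an opaque token. */
function quarantine_shortcodes(string $attrs): array
{
    $map = [];
    $n   = 0;
    $re  = '/\[[a-zA-Z0-9_-]+(?:\s+[a-zA-Z_][\w-]*(?:=(?:"[^"]*"|\'[^\']*\'|[^\s\]"\']+))?)*\s*\]/';
    $quarantined = preg_replace_callback($re, function (array $m) use (&$map, &$n): string {
        // The token contains no quotes, whitespace, '=' or '>', so it cannot change how
        // attr_parse() splits the tag. Real code would use a per-request random nonce.
        $token = 'WPSCPH' . $n++ . 'X';
        $map[$token] = $m[0];
        return $token;
    }, $attrs);
    return [$quarantined, $map];
}

/** Put the original shortcode text back into the parsed (already validated) values. */
function restore_shortcodes(array $parsed, array $map): array
{
    return array_map(fn(string $v): string => strtr($v, $map), $parsed);
}

/** Second idea from the comment: quarantine, parse, restore. */
function parse_with_quarantine(string $attrs): ?array
{
    [$quarantined, $map] = quarantine_shortcodes($attrs);
    $parsed = attr_parse($quarantined);
    return $parsed === null ? null : restore_shortcodes($parsed, $map);
}

/** First idea from the comment: expand the shortcodes, then parse the tag again.
 *  The recheck also requires the expanded tag to carry exactly the original
 *  attribute names, because output containing a quote can close the value early
 *  and still produce a tag that parses cleanly, just with extra attributes. */
function expand_and_recheck(array $parsed, callable $do_shortcode): ?array
{
    $pieces = [];
    foreach ($parsed as $name => $value) {
        $pieces[] = $name . '="' . $do_shortcode($value) . '"';
    }
    $again = attr_parse(implode(' ', $pieces));
    if ($again === null || array_keys($again) !== array_keys($parsed)) {
        return null;
    }
    return $again;
}

// Constructed sample: a shortcode with a quoted attribute inside a quoted href.
$tag = 'href="[my_link id="5"]" class="x"';

var_export(attr_parse($tag));             // naive parse: the inner quote ends the href value early
var_export(parse_with_quarantine($tag));  // quarantined parse: both attributes come back intact

$parsed  = parse_with_quarantine($tag);
// Two fake shortcode handlers (assumptions): one emits a plain URL, the other emits a quote.
$benign  = fn(string $v): string => str_replace('[my_link id="5"]', '/posts/5', $v);
$hostile = fn(string $v): string => str_replace('[my_link id="5"]', '" title="x', $v);

var_export(expand_and_recheck($parsed, $benign));
var_export(expand_and_recheck($parsed, $hostile));
```

Run it with `php example.php`: the naive parse rejects the tag, the quarantined parse returns href and class with the shortcode text restored, the benign expansion passes the recheck, and the hostile expansion is rejected because its output turned one attribute into two. The attribute-name comparison is the part that matters for the security question raised in the comment: validating the tag while the shortcodes are still placeholders says nothing about what the shortcode output will do once it is substituted into the quoted value.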