[wp-trac] [WordPress Trac] #15694: Shortcode I/O Intolerant of "]", "<", Quotes, etc.

WordPress Trac noreply at wordpress.org
Fri Jul 24 05:37:55 UTC 2015


#15694: Shortcode I/O Intolerant of "]", "<", Quotes, etc.
------------------------------------------+-----------------------------
 Reporter:  miqrogroove                   |       Owner:  miqrogroove
     Type:  defect (bug)                  |      Status:  assigned
 Priority:  normal                        |   Milestone:  Future Release
Component:  Shortcodes                    |     Version:  3.0.1
 Severity:  normal                        |  Resolution:
 Keywords:  needs-patch needs-unit-tests  |     Focuses:  javascript
------------------------------------------+-----------------------------

Comment (by chriscct7):

 Replying to [comment:36 injira]:
 > Replying to [comment:33 chriscct7]:
 > For most of the thousands of users who have broken sites because of this
 > it is a critical issue.

 Those users will need to wait for an update from their plugin authors to
 update their plugins to follow the Shortcode API guidelines.

 A lot of the comments on this ticket over the last 24 hours are factually
 incorrect.

 The code committed in this ticket was reviewed by the security team for a
 very very long time. The policy of the security team is not to comment on
 security issues until after the team is convinced the majority of the
 sites that are affected have updated. So I won't discuss the reasoning for
 the update, other than to point out that as stated on the
 make.wordpress.org article, there was not an opportunity to alert the
 plugins authors ahead of time, or to have the code in trunk well ahead of
 time without putting the security of websites in danger.

 That being said, this change only broke sites that utilize a handful of
 plugins that encouraged a use of shortcodes (within HTML attributes) for
 which the Shortcode API was never intended or designed to be used (see the
 other make.wordpress.org post for that).

 > The idea of having these auto-updates when they began was not to make
 > any significant changes that would break people’s sites without a dire
 > need and plenty of notice about new guidelines.

 Out of all of the updates that have been autopushed, personally this is
 the one I agree with that decision the most.

 > This track begins 5 years ago.

 This ticket 5 years ago had nothing to do with what 4.2.3 was about today.
 The original reason for the ticket was invalid (as the diff reflects). And
 this ticket isn't the one that was in 4.2.3.

 > More or less simultaneously, in forums there are statements that
 > "WordPress has disabled the security update from further being installed
 > while they address this issue"

 No core contributor to the project or core team member ever said that. The
 security release was never at any point disabled. There was a person
 spreading a rumor about that in the forum. Purely FUD. I believe that user
 is now on modlock as a result.

 And finally this ticket, while related, is not the changes made for 4.2.3,
 so with that being said, if you would like to talk about the 4.2.3 issues,
 the proper venue is the forum on WordPress.org, not here. This is an
 unrelated ticket.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/15694#comment:38>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

