[wp-trac] [WordPress Trac] #33134: Complex Nested Shortcodes Inside of Attributes Are Not Processed Left-to-Right
WordPress Trac
noreply at wordpress.org
Mon Jul 27 07:48:41 UTC 2015
#33134: Complex Nested Shortcodes Inside of Attributes Are Not Processed Left-to-Right
--------------------------+------------------------------
Reporter: miqrogroove | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Shortcodes | Version: 4.2.3
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Comment (by minderdl):
Since I don't know about the security hole you fixed with changeset
[33359] (if someone can enlighten me send me a PM) I don't know if the
following would re-introduce the hole:

It would be possible to distinguish between a non-closing shortcode, a
self-closing shortcode and a wrapping (or nested) shortcode. All parts are
already there in the regex returned by get_shortcode_regex().

So, IMO it would not be a problem finding the wrapping/nested shortcodes
first and handling them, and in a second step the other shortcodes with
all the checks you are doing now (i.e. quotation nesting).

I agree that something like this would be possible then:
{{{
<sometag attr="[shortcode]">
...<someothertags>...
[/shortcode]
}}}
which probably returns a completely wrong output - but as long as it is
not a security issue we should not prevent all stupidity of users :-)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33134#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
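
The three shortcode forms named in the comment above, and the attribute-straddling case from its snippet, as an added Python example that is not part of the original message or of WordPress. `SHORTCODE` is a simplified stand-in pattern, not the regex returned by get_shortcode_regex(); `attr_value_spans`, `classify` and the sample strings are hypothetical names and constructed inputs.

```python
import re

# Simplified stand-in (assumption), NOT the pattern WordPress builds. It matches
# [name attrs], [name attrs /] and [name attrs]content[/name].
SHORTCODE = re.compile(
    r"\[(?P<name>[A-Za-z][\w-]*)(?P<attrs>[^\]/]*)"
    r"(?:(?P<selfclose>/)\]|\](?:(?P<content>.*?)\[/(?P=name)\])?)",
    re.DOTALL,
)

def attr_value_spans(html):
    """Return (start, end) offsets of quoted attribute values inside HTML tags."""
    spans = []
    for tag in re.finditer(r"<[^<>]*>", html):
        for val in re.finditer(r"\"[^\"]*\"|'[^']*'", tag.group()):
            # Offsets exclude the surrounding quote characters.
            spans.append((tag.start() + val.start() + 1, tag.start() + val.end() - 1))
    return spans

def classify(html):
    """List (name, form, opens_in_attribute, straddles_attribute) per shortcode.

    Matches do not overlap, so shortcodes nested inside a wrapping
    shortcode's content are not reported separately.
    """
    spans = attr_value_spans(html)
    found = []
    for m in SHORTCODE.finditer(html):
        if m.group("selfclose"):
            form = "self-closing"
        elif m.group("content") is not None:
            form = "wrapping"
        else:
            form = "non-closing"
        # Does the opening bracket sit inside a quoted attribute value?
        inside = next((s for s in spans if s[0] <= m.start() < s[1]), None)
        # Opened inside the attribute but closed after it: the snippet's case.
        straddles = inside is not None and m.end() > inside[1]
        found.append((m.group("name"), form, inside is not None, straddles))
    return found

# Constructed sample inputs.
STRADDLING = '<sometag attr="[shortcode]">\n<p>text</p>\n[/shortcode]'
WELL_FORMED = '<a href="[link id=3 /]">[caption]Hi[/caption]</a> [gallery]'

if __name__ == "__main__":
    for sample in (STRADDLING, WELL_FORMED):
        print(classify(sample))
```

A wrapping match whose last field is true opens inside a quoted attribute value and closes outside it, which is the input shape shown in the comment's snippet.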