[wp-trac] [WordPress Trac] #33116: do_shortcode('<[shortcode]') doesn't work

WordPress Trac noreply at wordpress.org
Mon Jul 27 19:23:09 UTC 2015


#33116: do_shortcode('<[shortcode]') doesn't work
--------------------------+--------------------
 Reporter:  Kleor         |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  4.2.4
Component:  Shortcodes    |     Version:  4.2.3
 Severity:  minor         |  Resolution:
 Keywords:  has-patch     |     Focuses:
--------------------------+--------------------

Comment (by knutsp):

 Replying to [comment:4 markjaquith]:
 > Should we support running shortcodes in non-HTML contexts like this?

 I would prefer to call it non-web content/context, as emails and other
 contexts may be HTML, too.

 Is it a real opportunity not to without deprecating `do_shortcode()`?

 Anyway, if shortcodes become very limited, plugin developers will have to
 revert to their own templating system, or clone the shortcode functions
 and remove the strict limitations. This may not enhance safety, if that
 is the concern here.

 I would like Core to offer a safe, standardized and flexible way of
 substituting certain patterns in all kinds of content, but with clearly
 documented (and stable) limitations. This is where shortcodes come in as
 very handy, and hopefully trustworthy.

 It seems the use case in this ticket demonstrates that allowing a < in
 front of the shortcode should be allowed. I don't know, or understand, the
 nature of the vulnerability with the shortcode API in 4.2.3, but I hope the
 above patch doesn't reintroduce something dangerous.

 Another concern may be maintainability. I think that when the shortcode
 API was introduced in such a general way, very liberal, too liberal maybe,
 Core has no choice without stirring up a lot of noise and then desperate
 workarounds.

 The shortcode API is just too useful, and too much used now, to put strict
 constraints on, if not absolutely necessary.

 If I don't know what I'm talking about, please ignore.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33116#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

