[wp-trac] [WordPress Trac] #33116: do_shortcode('<[shortcode]') doesn't work
WordPress Trac
noreply at wordpress.org
Fri Jul 31 16:27:43 UTC 2015
#33116: do_shortcode('<[shortcode]') doesn't work
--------------------------+--------------------------
Reporter: Kleor | Owner: miqrogroove
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 4.2.4
Component: Shortcodes | Version: 4.2.3
Severity: minor | Resolution:
Keywords: has-patch | Focuses:
--------------------------+--------------------------
Comment (by Kleor):
If the patch done by miqrogroove doesn't reintroduce something dangerous,
is there any good reason to remove it in a future version of WordPress?
do_shortcode is actually fast, even if it's not as fast as str_replace.
Plugin/theme developers can prefer to use the Shortcode API because it's
more flexible than a basic string replacement, and they need some features
of this API. In the same way, a WordPress site is not as fast as a
completely static website, but it doesn't mean that it's bad to build a
website with WordPress.
Instead of adding limitations that affected a lot of websites, plugins and
themes in 4.2.3, I suggest another way to fix the security issues with
shortcodes:
{{{
function add_shortcode($tag, $func, $capability = 'manage_options') {
    global $shortcode_tags;
    if ( is_callable($func) )
        $shortcode_tags[$tag] = array('function'   => $func,
                                      'capability' => $capability);
}

function disable_shortcodes_when_editing_post($data) {
    global $shortcode_tags;
    if (function_exists('user_can')) {
        foreach ($shortcode_tags as $tag => $value) {
            if (!user_can($data['post_author'], $value['capability'])) {
                foreach (array('post_content', 'post_content_filtered',
                               'post_excerpt', 'post_title') as $key) {
                    // Encode the brackets as HTML entities so the tag is kept
                    // as literal text instead of being parsed by do_shortcode.
                    $data[$key] = str_replace(array('['.$tag, $tag.']'),
                                              array('&#91;'.$tag, $tag.'&#93;'),
                                              $data[$key]);
                }
            }
        }
    }
    return $data;
}
add_filter('wp_insert_post_data', 'disable_shortcodes_when_editing_post', 10, 1);
}}}
If it's important to not affect the $shortcode_tags variable:
{{{
$shortcode_tags = array();
$shortcode_capabilities = array();

function add_shortcode($tag, $func, $capability = 'manage_options') {
    global $shortcode_tags, $shortcode_capabilities;
    if ( is_callable($func) ) {
        $shortcode_tags[$tag] = $func;
        $shortcode_capabilities[$tag] = $capability;
    }
}

function disable_shortcodes_when_editing_post($data) {
    global $shortcode_capabilities;
    if (function_exists('user_can')) {
        foreach ($shortcode_capabilities as $tag => $capability) {
            if (!user_can($data['post_author'], $capability)) {
                foreach (array('post_content', 'post_content_filtered',
                               'post_excerpt', 'post_title') as $key) {
                    // Encode the brackets as HTML entities so the tag is kept
                    // as literal text instead of being parsed by do_shortcode.
                    $data[$key] = str_replace(array('['.$tag, $tag.']'),
                                              array('&#91;'.$tag, $tag.'&#93;'),
                                              $data[$key]);
                }
            }
        }
    }
    return $data;
}
add_filter('wp_insert_post_data', 'disable_shortcodes_when_editing_post', 10, 1);
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33116#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
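As an added example (not code from the ticket or from WordPress core), a stand-alone PHP harness for the second variant proposed in the comment above: WordPress is not loaded, so user_can() is stubbed with a constructed two-author capability table, and the two shortcodes, author IDs and post are constructed assumptions. It shows the brackets being neutralized only for the author who lacks the required capability, and that the plain str_replace prefix match also rewrites any other tag that merely starts with the same characters.

```php
<?php
// Added example, not from the ticket: runs the proposed wp_insert_post_data
// filter outside WordPress with a stubbed user_can().
$shortcode_tags = array();
$shortcode_capabilities = array();

function add_shortcode($tag, $func, $capability = 'manage_options') {
    global $shortcode_tags, $shortcode_capabilities;
    if (is_callable($func)) {
        $shortcode_tags[$tag] = $func;
        $shortcode_capabilities[$tag] = $capability;
    }
}

// Stub replacing WordPress's user_can(): constructed capability table,
// author 1 = administrator, author 2 = contributor.
function user_can($user_id, $capability) {
    $caps = array(1 => array('manage_options', 'edit_posts'),
                  2 => array('edit_posts'));
    return isset($caps[$user_id]) && in_array($capability, $caps[$user_id], true);
}

function disable_shortcodes_when_editing_post($data) {
    global $shortcode_capabilities;
    foreach ($shortcode_capabilities as $tag => $capability) {
        if (!user_can($data['post_author'], $capability)) {
            foreach (array('post_content', 'post_content_filtered',
                           'post_excerpt', 'post_title') as $key) {
                // Encode the brackets so the tag stays literal text.
                $data[$key] = str_replace(array('[' . $tag, $tag . ']'),
                                          array('&#91;' . $tag, $tag . '&#93;'),
                                          $data[$key]);
            }
        }
    }
    return $data;
}

// Constructed shortcodes: one privileged, one available to any post author.
add_shortcode('embed_html', function ($atts) { return ''; }, 'manage_options');
add_shortcode('caption', function ($atts) { return ''; }, 'edit_posts');

// Constructed post; "[embed_htmlx]" is a different tag sharing a prefix.
$post = array('post_title' => 'Demo', 'post_excerpt' => '', 'post_content_filtered' => '',
              'post_content' => '[caption]a[/caption] [embed_html src="x"] [embed_htmlx]');
foreach (array(1, 2) as $author) {
    $post['post_author'] = $author;
    $out = disable_shortcodes_when_editing_post($post);
    echo "author $author: " . $out['post_content'] . "\n";
}
```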