[wp-trac] [WordPress Trac] #34575: shortcode not working in html comments

WordPress Trac noreply at wordpress.org
Thu Nov 5 21:22:47 UTC 2015


#34575: shortcode not working in html comments
-----------------------------+----------------------
 Reporter:  distinct         |       Owner:
     Type:  feature request  |      Status:  closed
 Priority:  normal           |   Milestone:
Component:  Shortcodes       |     Version:  4.3.1
 Severity:  normal           |  Resolution:  invalid
 Keywords:                   |     Focuses:
-----------------------------+----------------------

Comment (by distinct):

 Hi @aaroncampbell, thank you for your more informed reply. This helps a
 bit to put the changes into context.

 But I still have not found any real details about the actual security
 risk. And I noticed that the link in my OP was actually not the article I
 read :$, but another one I was about to read but forgot about. I actually
 meant this link:
 https://make.wordpress.org/core/2015/07/23/changes-to-the-shortcode-api/
 There Dave Navarro, Jr. mentions he could not find any details later on
 the security risk either at first, but later mentions Gary Pendergast and
 others have explained it to him, without any link to the real problem. I
 would really like to know what the actual security risk is, because I
 think not all sites will have it. (Our site has no contributors, for
 instance, only a few select authors that can edit content.)

 I will read further into the coming shortcode changes. But I fear that
 they might force me to look into another templating engine for this
 feature. Which is a shame, because the shortcode system was working fine
 for the simple functions we needed.

 I do realize that it might be considered misuse of a feature to really use
 it as a templating language. And it is certainly up for some improvements.
 But I hope that the improvements don't have to weaken the power that it
 used to have.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34575#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

