[wp-trac] [WordPress Trac] #55996: the get_the_block_template_html calls all the same functions as the the_content filter so they are run twice

WordPress Trac noreply at wordpress.org
Mon May 22 18:22:55 UTC 2023


#55996: the get_the_block_template_html calls all the same functions as the
the_content filter so they are run twice
-------------------------------------------------+-------------------------
 Reporter:  pbearne                              |       Owner:  flixos90
     Type:  defect (bug)                         |      Status:  assigned
 Priority:  normal                               |   Milestone:  6.3
Component:  Formatting                           |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests needs-      |     Focuses:
  testing changes-requested                      |  performance
-------------------------------------------------+-------------------------

Comment (by miyarakira):

 In WP 6.2.1, the call to `do_shortcode` inside
 `get_the_block_template_html` was [https://github.com/WordPress/wordpress-
 develop/commit/1cbfa03510f8dfd37a8d050b2640aa7ae1fb2ce6 removed] to
 address a security vulnerability ([https://www.wordfence.com/threat-
 intel/vulnerabilities/wordpress-core/wordpress-core-621-shortcode-
 execution-in-user-generated-content?asset_slug=wordpress Shortcode
 Execution in User Generated Content]). This caused issues for numerous
 users, as described in the ticket #58333.

 In response, in WP 6.2.2, the call to `do_shortcode` was
 [https://github.com/WordPress/wordpress-
 develop/commit/c25e29ce9bcc03b1c3fc66a7b870f2ddbf37708b reinstated], but
 moved to *before* `do_blocks`. (Some users are still reporting issues
 because this changes behavior in subtle ways.)

 In `wp-includes/block-template.php`:

 {{{#!php
 <?php
 $content = shortcode_unautop( $content );
 $content = do_shortcode( $content );
 $content = do_blocks( $content );
 $content = wptexturize( $content );
 $content = convert_smilies( $content );
 }}}

 In `wp-includes/blocks/template-part.php`:

 {{{#!php
 <?php
 $content = shortcode_unautop( $content );
 $content = do_shortcode( $content );
 // ...
 $content = do_blocks( $content );
 // ...
 $content = wptexturize( $content );
 $content = convert_smilies( $content );
 }}}
 Apparently putting `do_shortcode` before `do_blocks` maintains the
 security fix while supporting shortcodes in block templates. In the above
 mentioned ticket, I asked what this implies for `the_content` and
 `widget_block_content` filters, which apply `do_blocks` *then*
 `do_shortcode`.

 In `wp-includes/default-filters.php`:

 {{{#!php
 <?php
 add_filter( 'the_content', 'do_blocks', 9 );
 add_filter( 'the_content', 'wptexturize' );
 add_filter( 'the_content', 'convert_smilies', 20 );
 add_filter( 'the_content', 'shortcode_unautop' );
 add_filter( 'the_content', 'do_shortcode', 11 );
 // ...
 add_filter( 'widget_block_content', 'do_blocks', 9 );
 add_filter( 'widget_block_content', 'do_shortcode', 11 );
 }}}

 And I also mentioned the Post Content block, which applies `the_content`
 filter and can have nested Post Content blocks. However, the question
 received no response.

 All this is related to the issue described in this ticket, where similar
 sets of content filters are being applied in multiple places, sometimes
 repeatedly on the same content. In WP 6.2.2, this is further complicated
 by an inconsistent order of filters. As a block author, I have certain
 blocks whose content should not be modified in any way - but currently,
 it's '''impossible to opt-out of these filters'''.

 These content filters are causing other related issues, because they can
 corrupt block content in unexpected ways.

 - [https://github.com/WordPress/gutenberg/issues/43053 Query block with
 shortcode breaks get_the_ID or get_post]
 - [https://github.com/WordPress/gutenberg/issues/37754
 no_texturize_shortcodes WP filter broken with block themes]
 - [https://github.com/WordPress/gutenberg/issues/33813 Single quotes are
 rewritten as quotes in HTML block and Shortcode blocks]
 - [https://github.com/WordPress/gutenberg/issues/42345 Single quotes in
 content following bold text get curled the wrong way]
 - [https://github.com/WordPress/gutenberg/issues/49357 Shortcode escaping
 with double square brackets does not work anymore in FSE themes]

 What's clear from these is that functions like `wptexturize` and
 `do_shortcode` are woefully inadequate and unsuitable for processing an
 entire page of HTML including block content. They should only be
 '''applied selectively to certain parts of the page''', where it makes
 sense to do so.

 A proper solution to this is not simple, because it involves restructuring
 the above duplicated and inconsistent code for applying content filters,
 and designing a more sophisticated logic that allows for certain blocks to
 opt out of them, as well as preventing the filters from being applied
 multiple times to the same content.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/55996#comment:36>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
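To make the ordering question in the comment above concrete, here is an added toy script (not WordPress core code and not the commenter's): `toy_do_blocks`, `toy_do_shortcode`, the `toy/visitor` block and `[secret_tag]` are hypothetical stand-ins, and the template and visitor text are constructed. It shows why running `do_shortcode` after `do_blocks` also processes text that a block rendered from visitor input, while the reverse order leaves that text literal.

```php
<?php
// Added toy illustration, not WordPress code. toy_do_blocks() and
// toy_do_shortcode() are hypothetical stand-ins for do_blocks() and
// do_shortcode(); they model only the order dependence, not real parsing.

// Text a site visitor submitted (constructed sample). A block that renders
// it, here the hypothetical <!-- wp:toy/visitor /-->, must output it literally.
const VISITOR_TEXT = 'Nice post [secret_tag]';

function toy_do_blocks(string $html): string
{
    // Render the visitor block by substituting the submitted text.
    return str_replace('<!-- wp:toy/visitor /-->', VISITOR_TEXT, $html);
}

function toy_do_shortcode(string $html): string
{
    // Expand every [secret_tag] occurrence into shortcode output.
    return str_replace('[secret_tag]', '<b>EXPANDED</b>', $html);
}

// Is the visitor's bracketed text still shown literally after processing?
function visitor_text_untouched(string $out): bool
{
    return str_contains($out, VISITOR_TEXT);
}

// Constructed template: a shortcode in template markup plus the visitor block.
$template = '<p>[secret_tag]</p><!-- wp:toy/visitor /-->';

// Order used by the_content (do_blocks at priority 9, do_shortcode at 11):
// the shortcode pass also sees the text the block just rendered.
$blocksFirst = toy_do_shortcode(toy_do_blocks($template));

// Order used in the 6.2.2 block templates (do_shortcode, then do_blocks):
// only the template's own markup is shortcode-processed.
$shortcodeFirst = toy_do_blocks(toy_do_shortcode($template));

printf("blocks first:    %s  visitor text literal: %s\n",
    $blocksFirst, var_export(visitor_text_untouched($blocksFirst), true));
printf("shortcode first: %s  visitor text literal: %s\n",
    $shortcodeFirst, var_export(visitor_text_untouched($shortcodeFirst), true));
// The template's own [secret_tag] is expanded in both orders; the visitor's
// [secret_tag] is expanded only when do_shortcode runs after do_blocks.
```

Running it with `php` 8 prints `false` for the blocks-first order and `true` for the shortcode-first order, which is the behaviour difference the comment asks about for `the_content` versus the block-template code path.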