[wp-trac] [WordPress Trac] #26649: escaped shortcodes should not be expanded during 'get_the_excerpt'

Fri Feb 6 09:08:04 UTC 2026

#26649: escaped shortcodes should not be expanded during 'get_the_excerpt'
-------------------------------------------------+-------------------------
 Reporter:  bobbingwide                          |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  reopened
 Priority:  normal                               |   Milestone:  7.0
Component:  Shortcodes                           |     Version:  3.7.1
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch good-first-bug has-unit-   |     Focuses:
  tests early                                    |
-------------------------------------------------+-------------------------
Changes (by huzaifaalmesbah):

 * keywords:  has-patch good-first-bug has-unit-tests early needs-testing =>
     has-patch good-first-bug has-unit-tests early

Comment:

 == Patch Testing Report

 Patch Tested: https://github.com/WordPress/wordpress-develop/pull/8231

 === Environment
 - WordPress: 7.0-alpha-61215-src
 - PHP: 8.2.29
 - Server: nginx/1.29.4
 - Database: mysqli (Server: 8.4.7 / Client: mysqlnd 8.2.29)
 - Browser: Chrome 144.0.0.0
 - OS: macOS
 - Theme: Twenty Twenty-Five 1.4
 - MU Plugins:
   * Reproduce Issue 26649 1.0
 - Plugins:
   * Test Reports 1.2.1

 === Steps taken
 1. Created an MU plugin to reproduce the issue.
 2. The plugin registers a shortcode `[test_shortcode_26649]` that expands
 to "SHORTCODE EXPANDED".
 3. The plugin simulates content processing where
 `[[test_shortcode_26649]]` is passed to `strip_shortcodes` and then
 `the_content` filter.
 4. Without the patch, `strip_shortcodes` returns `[test_shortcode_26649]`,
 which `the_content` then expands.
 5. With the patch, `strip_shortcodes` returns
 `[test_shortcode_26649]`, preventing expansion.
 6. ✅ Patch is solving the problem.

 === Expected result
 - We expect the escaped shortcode `[[test_shortcode_26649]]` to be
 displayed as `[test_shortcode_26649]` (or its HTML entity equivalent) in
 the exempt/content, and NOT be expanded to "SHORTCODE EXPANDED".

 === Additional Notes
 - The patch modifies `strip_shortcode_tag` to return HTML entities for
 brackets, effectively neutralizing specific shortcode tags while
 preserving their visual representation.

 === Screenshots/Screencast with results
 This video demonstrates the issue before the patch and the resolution
 after applying the patch: https://files.catbox.moe/7yvtq4.mp4

 === Support Content
 #### MU Plugin Code

 {{{
 /**
  * Plugin Name: Reproduce Issue 26649
  * Description: Reproduces the issue where escaped shortcodes are expanded
 in get_the_excerpt.
  * Version: 1.0
  */

 // 1. Register a test shortcode
 add_shortcode( 'test_shortcode_26649', function() {
     return 'SHORTCODE EXPANDED';
 } );

 // 2. Add an admin notice to display the test result
 add_action( 'admin_notices', function() {
     $content = 'Testing escaped shortcode: [[test_shortcode_26649]]';

     // Simulate the flow that causes the issue:
     // 1. strip_shortcodes is called (e.g. by wp_trim_excerpt)
     // 2. the_content filter is applied (which runs do_shortcode)

     $stripped = strip_shortcodes( $content );

     // We ensure 'do_shortcode' is hooked (default behavior)
     $output = apply_filters( 'the_content', $stripped );

     // Check if the shortcode was expanded
     $failed = strpos( $output, 'SHORTCODE EXPANDED' ) !== false;

     $color = $failed ? 'red' : 'green';
     $message = $failed ? 'FAILED: Shortcode was expanded!' : 'PASSED:
 Shortcode was NOT expanded.';

     echo '<div class="notice notice-info is-dismissible">';
     echo '<h3>Ticket 26649 Reproduction</h3>';
     echo '<p><strong>Input:</strong> ' . htmlspecialchars( $content ) .
 '</p>';
     echo '<p><strong>After strip_shortcodes:</strong> ' .
 htmlspecialchars( $stripped ) . '</p>';
     echo '<p><strong>Final Output (after the_content filter):</strong> ' .
 htmlspecialchars( $output ) . '</p>';
     echo '<p style="color: ' . $color . '; font-weight: bold;">' .
 $message . '</p>';
     if ( $failed ) {
         echo '<p><em>The bug triggers because
 <code>strip_shortcodes</code> turns <code>[[...]]</code> into
 <code>[...]</code>, which is then caught by <code>do_shortcode</code> in
 <code>the_content</code> filter.</em></p>';
     }
     echo '</div>';
 } );

 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/26649#comment:34>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform