In wptexturize() + tests:

* Allow well-formed HTML inside of shortcode attributes * Restrict recursion. HTML is allowed but ignored. * Do not allow exotic HTML comments in shortcode attributes. * Continue to ignore the [ and ] chars if they appear in any HTML attribute. * Update related regex patterns. * Update unit tests. Props miqrogroove. Fixes #28564. git-svn-id: https://develop.svn.wordpress.org/trunk@28773 602fd350-edb4-49c9-b593-d223f7449a82
2014-06-18 19:48:46 +00:00 · 2014-06-18 19:48:46 +00:00 · 0688f9eb49
commit 0688f9eb49
parent 6719d08d2d
2 changed files with 13 additions and 5 deletions
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@ -203,7 +203,11 @@ function wptexturize($text, $reset = false) {
 		. '|'
 		.	'\['		// Find start of shortcode.
 		.	'\[?'		// Shortcodes may begin with [[
-		.	'[^\[\]<>]+'	// Shortcodes do not contain other shortcodes or HTML elements.
+		.	'(?:'
+		.		'[^\[\]<>]'	// Shortcodes do not contain other shortcodes.
+		.	'|'
+		.		'<.+?>' // HTML elements permitted. Prevents matching ] before >.
+		.	')+'
 		.	'\]'		// Find end of shortcode.
 		.	'\]?'		// Shortcodes may end with ]]
 		. ')/s';
@ -220,12 +224,12 @@ function wptexturize($text, $reset = false) {
 				_wptexturize_pushpop_element( $curl, $no_texturize_tags_stack, $no_texturize_tags, '<', '>' );
 			}

-		} elseif ( '[' === $first && 1 === preg_match( '/^\[[^\[\]<>]+\]$/', $curl ) ) {
+		} elseif ( '[' === $first && 1 === preg_match( '/^\[(?:[^\[\]<>]|<.+?>)+\]$/', $curl ) ) {
 			// This is a shortcode delimeter.

 			_wptexturize_pushpop_element( $curl, $no_texturize_shortcodes_stack, $no_texturize_shortcodes, '[', ']' );

-		} elseif ( '[' === $first && 1 === preg_match( '/^\[\[?[^\[\]<>]+\]\]?$/', $curl ) ) {
+		} elseif ( '[' === $first && 1 === preg_match( '/^\[\[?(?:[^\[\]<>]|<.+?>)+\]\]?$/', $curl ) ) {
 			// This is an escaped shortcode delimeter.

 			// Do not texturize.
--- a/tests/phpunit/tests/formatting/WPTexturize.php
+++ b/tests/phpunit/tests/formatting/WPTexturize.php
@ -1145,6 +1145,10 @@ class Tests_Formatting_WPTexturize extends WP_UnitTestCase {

 	function data_tag_avoidance() {
 		return array(
+			array(
+				'[ is it wise to <a title="allow user content ] here? hmm"> maybe </a> ]',
+				'[ is it wise to <a title="allow user content ] here? hmm"> maybe </a> ]',
+			),
 			array(
 				'[ photos by <a href="http://example.com/?a[]=1&a[]=2"> this guy </a> ]',
 				'[ photos by <a href="http://example.com/?a[]=1&#038;a[]=2"> this guy </a> ]',
@ -1194,8 +1198,8 @@ class Tests_Formatting_WPTexturize extends WP_UnitTestCase {
 				'[gallery &#8230;',
 			),
 			array(
+				'[gallery <br ... /> ...]', // This tag is still valid. Shortcode 'attributes' are not considered in the initial parsing of shortcodes, and HTML is allowed.
 				'[gallery <br ... /> ...]',
-				'[gallery <br ... /> &#8230;]',
 			),
 			array(
 				'<br [gallery ...] ... />',
@ -1234,8 +1238,8 @@ class Tests_Formatting_WPTexturize extends WP_UnitTestCase {
 				'[/gallery ...]]',
 			),
 			array(
+				'[[gallery <br ... /> ...]]', // This gets parsed as an escaped shortcode with embedded HTML.  Brains may explode.
 				'[[gallery <br ... /> ...]]',
-				'[[gallery <br ... /> &#8230;]]',
 			),
 			array(
 				'<br [[gallery ...]] ... />',