In `wptexturize()` + tests:

* Allow well-formed HTML inside of shortcode attributes * Restrict recursion. HTML is allowed but ignored. * Do not allow exotic HTML comments in shortcode attributes. * Continue to ignore the [ and ] chars if they appear in any HTML attribute. * Update related regex patterns. * Update unit tests. Props miqrogroove. Fixes #28564. Built from https://develop.svn.wordpress.org/trunk@28773 git-svn-id: http://core.svn.wordpress.org/trunk@28586 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-18 19:49:15 +00:00 · 2014-06-18 19:49:15 +00:00 · b2f6e1f674
parent 5bd180bcbd
commit b2f6e1f674
1 changed files with 7 additions and 3 deletions
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@ -203,7 +203,11 @@ function wptexturize($text, $reset = false) {
 		. '|'
 		.	'\['		// Find start of shortcode.
 		.	'\[?'		// Shortcodes may begin with [[
-		.	'[^\[\]<>]+'	// Shortcodes do not contain other shortcodes or HTML elements.
+		.	'(?:'
+		.		'[^\[\]<>]'	// Shortcodes do not contain other shortcodes.
+		.	'|'
+		.		'<.+?>' // HTML elements permitted. Prevents matching ] before >.
+		.	')+'
 		.	'\]'		// Find end of shortcode.
 		.	'\]?'		// Shortcodes may end with ]]
 		. ')/s';
@ -220,12 +224,12 @@ function wptexturize($text, $reset = false) {
 				_wptexturize_pushpop_element( $curl, $no_texturize_tags_stack, $no_texturize_tags, '<', '>' );
 			}

-		} elseif ( '[' === $first && 1 === preg_match( '/^\[[^\[\]<>]+\]$/', $curl ) ) {
+		} elseif ( '[' === $first && 1 === preg_match( '/^\[(?:[^\[\]<>]|<.+?>)+\]$/', $curl ) ) {
 			// This is a shortcode delimeter.

 			_wptexturize_pushpop_element( $curl, $no_texturize_shortcodes_stack, $no_texturize_shortcodes, '[', ']' );

-		} elseif ( '[' === $first && 1 === preg_match( '/^\[\[?[^\[\]<>]+\]\]?$/', $curl ) ) {
+		} elseif ( '[' === $first && 1 === preg_match( '/^\[\[?(?:[^\[\]<>]|<.+?>)+\]\]?$/', $curl ) ) {
 			// This is an escaped shortcode delimeter.

 			// Do not texturize.