From b2f6e1f6749f6b2cc16b23fb4637eefd58041844 Mon Sep 17 00:00:00 2001
From: Scott Taylor
Date: Wed, 18 Jun 2014 19:49:15 +0000
Subject: [PATCH] In `wptexturize()` + tests:

* Allow well-formed HTML inside of shortcode attributes
* Restrict recursion. HTML is allowed but ignored.
* Do not allow exotic HTML comments in shortcode attributes.
* Continue to ignore the [ and ] chars if they appear in any HTML attribute.
* Update related regex patterns.
* Update unit tests.
Props miqrogroove.
Fixes #28564.
Built from https://develop.svn.wordpress.org/trunk@28773
git-svn-id: http://core.svn.wordpress.org/trunk@28586 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/formatting.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 82205744fe..5006bb183b 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -203,7 +203,11 @@ function wptexturize($text, $reset = false) {
 . '|'
 . '\[' // Find start of shortcode.
 . '\[?' // Shortcodes may begin with [[
- . '[^\[\]<>]+' // Shortcodes do not contain other shortcodes or HTML elements.
+ . '(?:'
+ . '[^\[\]<>]' // Shortcodes do not contain other shortcodes.
+ . '|'
+ . '<.+?>' // HTML elements permitted. Prevents matching ] before >.
+ . ')+'
 . '\]' // Find end of shortcode.
 . '\]?' // Shortcodes may end with ]]
 . ')/s';
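Review bot: The new `'<.+?>'` alternative, together with the pattern's `s` modifier on the closing `')/s'` line, lets a lone `<` inside a shortcode (for example an unclosed `<` in an attribute value) run across newlines to the first `>` that appears anywhere later in `$text`, so everything in between — including `]`, ordinary prose and further shortcodes — is swallowed into one shortcode token and excluded from texturization. That is wider than the well-formed HTML the commit message describes; bounding the tag body with `. '<[^<>]+>'` at least stops the run at the next `<`, and the same tightening would apply to the two anchored copies of this sub-pattern in the `preg_match` calls of the following hunk. Since the lazy `.+?` scans to the end of the input whenever no `>` follows, content containing many such fragments also backtracks far more than the old single character class did, which deserves a comment on the `'<.+?>'` line such as `// NOTE: an unmatched < scans to the next > anywhere in the text.` Repeating the sub-pattern three times invites drift between the split regex and the two delimiter checks, so building it once in a local variable would be safer. wptexturize's body begins before and continues after this hunk.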
@@ -220,12 +224,12 @@ function wptexturize($text, $reset = false) {
 _wptexturize_pushpop_element( $curl, $no_texturize_tags_stack, $no_texturize_tags, '<', '>' );
 }
- } elseif ( '[' === $first && 1 === preg_match( '/^\[[^\[\]<>]+\]$/', $curl ) ) {
+ } elseif ( '[' === $first && 1 === preg_match( '/^\[(?:[^\[\]<>]|<.+?>)+\]$/', $curl ) ) {
 // This is a shortcode delimeter.
 _wptexturize_pushpop_element( $curl, $no_texturize_shortcodes_stack, $no_texturize_shortcodes, '[', ']' );
- } elseif ( '[' === $first && 1 === preg_match( '/^\[\[?[^\[\]<>]+\]\]?$/', $curl ) ) {
+ } elseif ( '[' === $first && 1 === preg_match( '/^\[\[?(?:[^\[\]<>]|<.+?>)+\]\]?$/', $curl ) ) {
 // This is an escaped shortcode delimeter.
 // Do not texturize.