*
* @since 2.5.0
*
- * @uses $shortcode_tags
+ * @global array $shortcode_tags
*
- * @param string $tag Shortcode tag to be searched in post content.
+ * @param string $tag Shortcode tag to be searched in post content.
* @param callable $func Hook to run when shortcode is found.
*/
function add_shortcode($tag, $func) {
global $shortcode_tags;
- if ( is_callable($func) )
- $shortcode_tags[$tag] = $func;
+ if ( '' == trim( $tag ) ) {
+ $message = __( 'Invalid shortcode name: Empty name given.' );
+ _doing_it_wrong( __FUNCTION__, $message, '4.4.0' );
+ return;
+ }
+
+ if ( 0 !== preg_match( '@[<>&/\[\]\x00-\x20=]@', $tag ) ) {
+ /* translators: 1: shortcode name, 2: space separated list of reserved characters */
+ $message = sprintf( __( 'Invalid shortcode name: %1$s. Do not use spaces or reserved characters: %2$s' ), $tag, '& / < > [ ] =' );
+ _doing_it_wrong( __FUNCTION__, $message, '4.4.0' );
+ return;
+ }
+
+ $shortcode_tags[ $tag ] = $func;
}
/**
*
* @since 2.5.0
*
- * @uses $shortcode_tags
+ * @global array $shortcode_tags
*
* @param string $tag Shortcode tag to remove hook for.
*/
*
* @since 2.5.0
*
- * @uses $shortcode_tags
+ * @global array $shortcode_tags
*/
function remove_all_shortcodes() {
global $shortcode_tags;
}
if ( shortcode_exists( $tag ) ) {
- preg_match_all( '/' . get_shortcode_regex() . '/s', $content, $matches, PREG_SET_ORDER );
+ preg_match_all( '/' . get_shortcode_regex() . '/', $content, $matches, PREG_SET_ORDER );
if ( empty( $matches ) )
return false;
* @global array $shortcode_tags List of shortcode tags and their callback hooks.
*
* @param string $content Content to search for shortcodes.
+ * @param bool $ignore_html When true, shortcodes inside HTML elements will be skipped.
* @return string Content with shortcodes filtered out.
*/
-function do_shortcode($content) {
+function do_shortcode( $content, $ignore_html = false ) {
global $shortcode_tags;
if ( false === strpos( $content, '[' ) ) {
if (empty($shortcode_tags) || !is_array($shortcode_tags))
return $content;
- $pattern = get_shortcode_regex();
- return preg_replace_callback( "/$pattern/s", 'do_shortcode_tag', $content );
+ // Find all registered tag names in $content.
+ preg_match_all( '@\[([^<>&/\[\]\x00-\x20=]++)@', $content, $matches );
+ $tagnames = array_intersect( array_keys( $shortcode_tags ), $matches[1] );
+
+ if ( empty( $tagnames ) ) {
+ return $content;
+ }
+
+ $content = do_shortcodes_in_html_tags( $content, $ignore_html, $tagnames );
+
+ $pattern = get_shortcode_regex( $tagnames );
+ $content = preg_replace_callback( "/$pattern/", 'do_shortcode_tag', $content );
+
+ // Always restore square braces so we don't break things like <!--[if IE ]>
+ $content = unescape_invalid_shortcodes( $content );
+
+ return $content;
}
/**
*
* @since 2.5.0
*
- * @uses $shortcode_tags
+ * @global array $shortcode_tags
*
+ * @param array $tagnames List of shortcodes to find. Optional. Defaults to all registered shortcodes.
* @return string The shortcode search regular expression
*/
-function get_shortcode_regex() {
+function get_shortcode_regex( $tagnames = null ) {
global $shortcode_tags;
- $tagnames = array_keys($shortcode_tags);
+
+ if ( empty( $tagnames ) ) {
+ $tagnames = array_keys( $shortcode_tags );
+ }
$tagregexp = join( '|', array_map('preg_quote', $tagnames) );
// WARNING! Do not change this regex without changing do_shortcode_tag() and strip_shortcode_tag()
*
* @since 2.5.0
* @access private
- * @uses $shortcode_tags
+ *
+ * @global array $shortcode_tags
*
* @param array $m Regular expression match array
- * @return mixed False on failure.
+ * @return string|false False on failure.
*/
function do_shortcode_tag( $m ) {
global $shortcode_tags;
$tag = $m[2];
$attr = shortcode_parse_atts( $m[3] );
+ if ( ! is_callable( $shortcode_tags[ $tag ] ) ) {
+ /* translators: %s: shortcode tag */
+ $message = sprintf( __( 'Attempting to parse a shortcode without a valid callback: %s' ), $tag );
+ _doing_it_wrong( __FUNCTION__, $message, '4.3.0' );
+ return $m[0];
+ }
+
if ( isset( $m[5] ) ) {
// enclosing tag - extra parameter
return $m[1] . call_user_func( $shortcode_tags[$tag], $attr, $m[5], $tag ) . $m[6];
}
}
+/**
+ * Search only inside HTML elements for shortcodes and process them.
+ *
+ * Any [ or ] characters remaining inside elements will be HTML encoded
+ * to prevent interference with shortcodes that are outside the elements.
+ * Assumes $content processed by KSES already. Users with unfiltered_html
+ * capability may get unexpected output if angle braces are nested in tags.
+ *
+ * @since 4.2.3
+ *
+ * @param string $content Content to search for shortcodes
+ * @param bool $ignore_html When true, all square braces inside elements will be encoded.
+ * @param array $tagnames List of shortcodes to find.
+ * @return string Content with shortcodes filtered out.
+ */
+function do_shortcodes_in_html_tags( $content, $ignore_html, $tagnames ) {
+ // Normalize entities in unfiltered HTML before adding placeholders.
+ $trans = array( '[' => '[', ']' => ']' );
+ $content = strtr( $content, $trans );
+ $trans = array( '[' => '[', ']' => ']' );
+
+ $pattern = get_shortcode_regex( $tagnames );
+ $textarr = wp_html_split( $content );
+
+ foreach ( $textarr as &$element ) {
+ if ( '' == $element || '<' !== $element[0] ) {
+ continue;
+ }
+
+ $noopen = false === strpos( $element, '[' );
+ $noclose = false === strpos( $element, ']' );
+ if ( $noopen || $noclose ) {
+ // This element does not contain shortcodes.
+ if ( $noopen xor $noclose ) {
+ // Need to encode stray [ or ] chars.
+ $element = strtr( $element, $trans );
+ }
+ continue;
+ }
+
+ if ( $ignore_html || '<!--' === substr( $element, 0, 4 ) || '<![CDATA[' === substr( $element, 0, 9 ) ) {
+ // Encode all [ and ] chars.
+ $element = strtr( $element, $trans );
+ continue;
+ }
+
+ $attributes = wp_kses_attr_parse( $element );
+ if ( false === $attributes ) {
+ // Some plugins are doing things like [name] <[email]>.
+ if ( 1 === preg_match( '%^<\s*\[\[?[^\[\]]+\]%', $element ) ) {
+ $element = preg_replace_callback( "/$pattern/", 'do_shortcode_tag', $element );
+ }
+
+ // Looks like we found some crazy unfiltered HTML. Skipping it for sanity.
+ $element = strtr( $element, $trans );
+ continue;
+ }
+
+ // Get element name
+ $front = array_shift( $attributes );
+ $back = array_pop( $attributes );
+ $matches = array();
+ preg_match('%[a-zA-Z0-9]+%', $front, $matches);
+ $elname = $matches[0];
+
+ // Look for shortcodes in each attribute separately.
+ foreach ( $attributes as &$attr ) {
+ $open = strpos( $attr, '[' );
+ $close = strpos( $attr, ']' );
+ if ( false === $open || false === $close ) {
+ continue; // Go to next attribute. Square braces will be escaped at end of loop.
+ }
+ $double = strpos( $attr, '"' );
+ $single = strpos( $attr, "'" );
+ if ( ( false === $single || $open < $single ) && ( false === $double || $open < $double ) ) {
+ // $attr like '[shortcode]' or 'name = [shortcode]' implies unfiltered_html.
+ // In this specific situation we assume KSES did not run because the input
+ // was written by an administrator, so we should avoid changing the output
+ // and we do not need to run KSES here.
+ $attr = preg_replace_callback( "/$pattern/", 'do_shortcode_tag', $attr );
+ } else {
+ // $attr like 'name = "[shortcode]"' or "name = '[shortcode]'"
+ // We do not know if $content was unfiltered. Assume KSES ran before shortcodes.
+ $count = 0;
+ $new_attr = preg_replace_callback( "/$pattern/", 'do_shortcode_tag', $attr, -1, $count );
+ if ( $count > 0 ) {
+ // Sanitize the shortcode output using KSES.
+ $new_attr = wp_kses_one_attr( $new_attr, $elname );
+ if ( '' !== trim( $new_attr ) ) {
+ // The shortcode is safe to use now.
+ $attr = $new_attr;
+ }
+ }
+ }
+ }
+ $element = $front . implode( '', $attributes ) . $back;
+
+ // Now encode any remaining [ or ] chars.
+ $element = strtr( $element, $trans );
+ }
+
+ $content = implode( '', $textarr );
+
+ return $content;
+}
+
+/**
+ * Remove placeholders added by do_shortcodes_in_html_tags().
+ *
+ * @since 4.2.3
+ *
+ * @param string $content Content to search for placeholders.
+ * @return string Content with placeholders removed.
+ */
+function unescape_invalid_shortcodes( $content ) {
+ // Clean up entire string, avoids re-parsing HTML.
+ $trans = array( '[' => '[', ']' => ']' );
+ $content = strtr( $content, $trans );
+
+ return $content;
+}
+
+/**
+ * Retrieve the shortcode attributes regex.
+ *
+ * @since 4.4.0
+ *
+ * @return string The shortcode attribute regular expression
+ */
+function get_shortcode_atts_regex() {
+ return '/([\w-]+)\s*=\s*"([^"]*)"(?:\s|$)|([\w-]+)\s*=\s*\'([^\']*)\'(?:\s|$)|([\w-]+)\s*=\s*([^\s\'"]+)(?:\s|$)|"([^"]*)"(?:\s|$)|(\S+)(?:\s|$)/';
+}
+
/**
* Retrieve all attributes from the shortcodes tag.
*
* @since 2.5.0
*
* @param string $text
- * @return array List of attributes and their value.
+ * @return array|string List of attribute values.
+ * Returns empty array if trim( $text ) == '""'.
+ * Returns empty string if trim( $text ) == ''.
+ * All other matches are checked for not empty().
*/
function shortcode_parse_atts($text) {
$atts = array();
- $pattern = '/(\w+)\s*=\s*"([^"]*)"(?:\s|$)|(\w+)\s*=\s*\'([^\']*)\'(?:\s|$)|(\w+)\s*=\s*([^\s\'"]+)(?:\s|$)|"([^"]*)"(?:\s|$)|(\S+)(?:\s|$)/';
+ $pattern = get_shortcode_atts_regex();
$text = preg_replace("/[\x{00a0}\x{200b}]+/u", " ", $text);
if ( preg_match_all($pattern, $text, $match, PREG_SET_ORDER) ) {
foreach ($match as $m) {
elseif (isset($m[8]))
$atts[] = stripcslashes($m[8]);
}
+
+ // Reject any unclosed HTML elements
+ foreach( $atts as &$value ) {
+ if ( false !== strpos( $value, '<' ) ) {
+ if ( 1 !== preg_match( '/^[^<]*+(?:<[^>]*+>[^<]*+)*+$/', $value ) ) {
+ $value = '';
+ }
+ }
+ }
} else {
$atts = ltrim($text);
}
*
* @since 2.5.0
*
- * @param array $pairs Entire list of supported attributes and their defaults.
- * @param array $atts User defined attributes in shortcode tag.
+ * @param array $pairs Entire list of supported attributes and their defaults.
+ * @param array $atts User defined attributes in shortcode tag.
* @param string $shortcode Optional. The name of the shortcode, provided for context to enable filtering
* @return array Combined and filtered attribute list.
*/
function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
$atts = (array)$atts;
$out = array();
- foreach($pairs as $name => $default) {
+ foreach ($pairs as $name => $default) {
if ( array_key_exists($name, $atts) )
$out[$name] = $atts[$name];
else
* The third parameter, $shortcode, is the name of the shortcode.
*
* @since 3.6.0
+ * @since 4.4.0 Added the `$shortcode` parameter.
*
- * @param array $out The output array of shortcode attributes.
- * @param array $pairs The supported attributes and their defaults.
- * @param array $atts The user defined shortcode attributes.
+ * @param array $out The output array of shortcode attributes.
+ * @param array $pairs The supported attributes and their defaults.
+ * @param array $atts The user defined shortcode attributes.
+ * @param string $shortcode The shortcode name.
*/
- if ( $shortcode )
- $out = apply_filters( "shortcode_atts_{$shortcode}", $out, $pairs, $atts );
+ if ( $shortcode ) {
+ $out = apply_filters( "shortcode_atts_{$shortcode}", $out, $pairs, $atts, $shortcode );
+ }
return $out;
}
*
* @since 2.5.0
*
- * @uses $shortcode_tags
+ * @global array $shortcode_tags
*
* @param string $content Content to remove shortcode tags.
* @return string Content without shortcode tags.
if (empty($shortcode_tags) || !is_array($shortcode_tags))
return $content;
- $pattern = get_shortcode_regex();
+ // Find all registered tag names in $content.
+ preg_match_all( '@\[([^<>&/\[\]\x00-\x20=]++)@', $content, $matches );
+ $tagnames = array_intersect( array_keys( $shortcode_tags ), $matches[1] );
- return preg_replace_callback( "/$pattern/s", 'strip_shortcode_tag', $content );
+ if ( empty( $tagnames ) ) {
+ return $content;
+ }
+
+ $content = do_shortcodes_in_html_tags( $content, true, $tagnames );
+
+ $pattern = get_shortcode_regex( $tagnames );
+ $content = preg_replace_callback( "/$pattern/", 'strip_shortcode_tag', $content );
+
+ // Always restore square braces so we don't break things like <!--[if IE ]>
+ $content = unescape_invalid_shortcodes( $content );
+
+ return $content;
}
+/**
+ * Strips a shortcode tag based on RegEx matches against post content.
+ *
+ * @since 3.3.0
+ *
+ * @param array $m RegEx matches against post content.
+ * @return string|false The content stripped of the tag, otherwise false.
+ */
function strip_shortcode_tag( $m ) {
// allow [[foo]] syntax for escaping a tag
if ( $m[1] == '[' && $m[6] == ']' ) {