• If I have a shortcode attribute with the value “Rusty’s ebay_RSS /\ preset”, WordPress will strip the backslash when parsing the shortcode attributes, giving “Rusty’s ebay_RSS / preset” as the attribute value.

    Looking at shortcode_parse_atts, I see it is running stripcslashes on the attribute values. I just wondered why this was, and if there is any documentation on this behaviour?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    I don’t really know, I’m guessing that shortcodes are intended to be used by authors, who aren’t entirely trusted. So it is a security measure to avoid injection attacks. It also prevents magic quote headaches from creeping in. I’m guessing because I haven’t seen any documentation. I haven’t really looked either, so it may still exist.

    You should be able to get what you want by using double backslash:
    RSS /\\ preset should yield RSS /\ preset

    Thread Starter djeyewater

    (@djeyewater)

    Thanks for the reply. I can’t see how stripping backslashes would prevent injection attacks. My own opinion is that if you don’t trust a user, then you shouldn’t be allowing them to write for your blog. After all, users can write (not quite) whatever HTML they want anyway. SQL injection should be (and is) prevented at the db update level, not shortcode parsing. Shortcode attributes may never even reach the db anyway (they don’t in my plugin).

    I would understand it if a backslash was just used as a general escape character in shortcodes, e.g. so you could escape a shortcode attribute that contains a quote mark in it like title="Adrian \"The Conqueror\" Gray" but that doesn’t actually work.

    Escaping the backslash does work, as you say, and I can put a note for users in my plugin to this effect. But since this affects all shortcodes, I would have thought there should be some official WordPress documentation about it? As it is, every single plugin author that uses shortcodes would need to put a note in their plugin about this behaviour if they wanted to avoid the potential problem of users confused about this.

    Moderator bcworkz

    (@bcworkz)

    You make several valid points. I obviously didn’t think my answer through, considering we are talking specifically of shortcodes. I actually only have a vague general idea on how one might even mount an injection attack.

    I agree with you about trusting authors, but there are levels of trust. I trust my authors, but I would never give them admin privileges. I have in fact created an uber author group for some of my more trusted authors that gives them a few editor privileges. Not that any are malevolent, just that some are more prone to stupid mistakes.

    While the Codex has a lot of great information, it still is sorely lacking in many areas. It doesn’t surprise me if there is nothing about this. I suspect only a few think this is an important issue tbh. I’m fairly sure the community would be pleased if someone were to research the reasoning behind this and publish a nice explanation. Hint. Hint.

  • The topic ‘Why does WP strip backslashes from shortcode attributes?’ is closed to new replies.
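The behaviour the thread is asking about can be reproduced without a WordPress install. The following is an added example, not code from the thread or from WordPress: the attribute regex is copied from WordPress's `get_shortcode_atts_regex()`, and `stripcslashes()` is a Python port of PHP's function of the same name (it decodes `\n`, `\t`, `\\`, `\xHH` and octal `\ooo`, and for any other escaped character simply drops the backslash). The port of `shortcode_parse_atts()` is reduced: it omits the non-breaking-space normalisation and the newer unclosed-HTML check, and it returns a dict with integer keys for positional values where PHP would append to `$atts[]`. The attribute strings in `demo()` are constructed for the example. Two things worth seeing in working code: `\"` does not escape a quote because the regex closes the value at the first `"` (so the `title` attribute simply disappears), and because decoding happens inside the parser, a handler receives characters such as `<` that the raw shortcode text never contained, which is why a plugin should validate and escape the parsed value at output time (e.g. with `esc_attr()`), not inspect the raw shortcode text.

```python
import re
import string

# Attribute regex copied from WordPress's get_shortcode_atts_regex().
# Groups: 1/2 name="v", 3/4 name='v', 5/6 name=v, 7 "v", 8 'v', 9 bare v.
# "([^"]*)" stops at the first double quote: there is no quote escaping at
# the regex level, which is why title="A \"B\" C" cannot work.
ATTS_RE = re.compile(
    r'([\w-]+)\s*=\s*"([^"]*)"(?:\s|$)'
    r"|([\w-]+)\s*=\s*'([^']*)'(?:\s|$)"
    r'|([\w-]+)\s*=\s*([^\s\'"]+)(?:\s|$)'
    r'|"([^"]*)"(?:\s|$)'
    r"|'([^']*)'(?:\s|$)"
    r'|(\S+)(?:\s|$)'
)

_SIMPLE = {'n': '\n', 't': '\t', 'r': '\r', 'a': '\a', 'v': '\v',
           'b': '\b', 'f': '\f', '\\': '\\'}


def stripcslashes(s: str) -> str:
    r"""Port of PHP's stripcslashes() (php_stripcslashes in ext/standard/string.c).

    Decodes C-style escapes (\n, \t, \\, \xHH, \ooo). For any other escaped
    character the backslash is simply dropped, so "/\ preset" becomes
    "/ preset". A lone backslash at the very end of the string is kept.
    """
    out = []
    i, n = 0, len(s)
    while i < n:
        c = s[i]
        if c != '\\' or i + 1 >= n:
            out.append(c)
            i += 1
            continue
        i += 1                      # skip the backslash, look at what follows
        c = s[i]
        if c in _SIMPLE:
            out.append(_SIMPLE[c])
            i += 1
        elif c == 'x' and i + 1 < n and s[i + 1] in string.hexdigits:
            j = i + 1
            while j < n and j < i + 3 and s[j] in string.hexdigits:
                j += 1              # at most two hex digits, as in PHP
            out.append(chr(int(s[i + 1:j], 16)))
            i = j
        else:
            j = i
            while j < n and j < i + 3 and s[j] in '01234567':
                j += 1              # at most three octal digits
            if j > i:
                out.append(chr(int(s[i:j], 8) & 0xFF))  # PHP truncates to a byte
                i = j
            else:
                out.append(c)       # unrecognised escape: backslash dropped
                i += 1
    return ''.join(out)


def shortcode_parse_atts(text: str) -> dict:
    """Reduced port of WordPress's shortcode_parse_atts().

    Named attributes become lower-cased keys; positional ones get integer
    keys, as PHP's $atts[] = ... would. Every value passes through
    stripcslashes(), which is the step the thread asks about. Omitted here:
    the non-breaking-space normalisation and the newer unclosed-HTML check.
    """
    atts = {}
    next_pos = 0
    for m in ATTS_RE.finditer(text):
        g = m.groups()
        if g[0]:
            atts[g[0].lower()] = stripcslashes(g[1])
        elif g[2]:
            atts[g[2].lower()] = stripcslashes(g[3])
        elif g[4]:
            atts[g[4].lower()] = stripcslashes(g[5])
        else:
            value = next((v for v in (g[6], g[7], g[8]) if v), None)
            if value is not None:   # an empty "" positional value is dropped, as in WordPress
                atts[next_pos] = stripcslashes(value)
                next_pos += 1
    return atts


def demo() -> dict:
    """Constructed attribute strings illustrating the cases from the thread."""
    return {
        # A single backslash before a space is an unrecognised escape: dropped.
        'single': shortcode_parse_atts('title="Rusty\'s ebay_RSS /\\ preset"')['title'],
        # Doubling the backslash survives, as suggested in the thread.
        'double': shortcode_parse_atts('title="RSS /\\\\ preset"')['title'],
        # \" is not a quote escape: the regex closes the value at the first ",
        # so no 'title' key exists and the pieces become positional values.
        'quoted': shortcode_parse_atts('title="Adrian \\"The Conqueror\\" Gray"'),
        # Hex escapes are decoded (two digits at most, so the 'b' is literal):
        # the handler receives '<b>' although the raw text contains no '<'.
        'hex': shortcode_parse_atts('src="\\x3cb\\x3e"')['src'],
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print(f'{name}: {result!r}')
```

Running the module prints the four parsed results. Note that the Python `re` module treats `\w` as Unicode while PCRE without the `u` modifier does not; for ASCII attribute names, which is all the thread is concerned with, the two behave identically.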