Escaping quotes from shortcode attributes

I have been trying to figure out how to escape quotes (single and double) from shortcode attributes.

Basically the content is written by the user and therefore can potentially include " and ' quotes. The problem is that " quotes stop the shortcode attribute from functioning, e.g.:

attribute="some text here with "quotes" so it stops the attribute…."

So instead of getting the entire string it is stopping at the second pair of quotes.

Now, I know it could be possible to set it up with single quotes but that leaves the same predicament if a user uses single quotes in the text.

I have looked at a variety of PHP/WP resolutions but I can't seem to get any of them to work, e.g. esc_html, htmlspecialchars, htmlentities.

Maybe I have set it up wrong or am not actioning the encoding at the right place.

This is currently what I am using (without encoding) as the shortcode (shortened a bit):

function aps_person_schema_shortcode( $atts, $content = null ) {

    // Merge the supplied attributes with defaults and import them as variables.
    extract( shortcode_atts( array(
        'aps_person_description' => ''
    ), $atts ) );

    // The attribute value is placed in the markup as-is (no encoding yet).
    $aps_person_return  = '<div class="aps_person_container aps_container">';
    $aps_person_return .= '<p class="aps_person_description" itemprop="description">' . $aps_person_description . '</p>';
    $aps_person_return .= '</div>';

    return $aps_person_return;

}
add_shortcode( 'aps_person', 'aps_person_schema_shortcode' );

I've tried adding things after the extract array, like:

$aps_person_description = esc_html($atts['aps_person_description']); 

but as the attribute is already broken (print_r displays that the string after the quote is separated into an array item for each word), escaping the string there doesn't work.

I tried it before the array and it doesn't work either; I get a Notice: Undefined index.

So, to clarify, how do you go about sanitizing user input for shortcode attribute data?


It seems you are working on the wrong end.

Try sanitizing the user input, for instance by means of sanitize_text_field, not the shortcode output.
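
An added example (not part of the original question or answer) of treating the input side: the user's text is cleaned and its quotes are entity-encoded before it is written into the shortcode attribute, and the handler escapes again on output. It assumes the shortcode string is assembled in PHP inside WordPress; the helper name aps_build_person_shortcode() is hypothetical.

```php
<?php
// Added example, not the original poster's code. Runs inside WordPress.

/**
 * Hypothetical helper: build the shortcode string from raw user text
 * at the point where that text is saved into the post content.
 */
function aps_build_person_shortcode( $raw_description ) {
    // Strip tags, line breaks and surplus whitespace from the user's text.
    $clean = sanitize_text_field( $raw_description );

    // Encode " ' < > & as HTML entities so a quote typed by the user
    // can no longer terminate the attribute value.
    $clean = esc_attr( $clean );

    // Square brackets would be read as shortcode delimiters; encode them too.
    $clean = str_replace( array( '[', ']' ), array( '&#91;', '&#93;' ), $clean );

    return '[aps_person aps_person_description="' . $clean . '"]';
}

function aps_person_schema_shortcode( $atts, $content = null ) {
    // Read attributes from the merged array instead of extract().
    $atts = shortcode_atts(
        array( 'aps_person_description' => '' ),
        $atts,
        'aps_person'
    );

    // esc_html() leaves existing entities such as &quot; alone (no double
    // encoding), so the browser shows the user's original quote characters.
    $description = esc_html( $atts['aps_person_description'] );

    $out  = '<div class="aps_person_container aps_container">';
    $out .= '<p class="aps_person_description" itemprop="description">' . $description . '</p>';
    $out .= '</div>';

    return $out;
}
add_shortcode( 'aps_person', 'aps_person_schema_shortcode' );
```

With this in place, the input He said "hi" is stored as aps_person_description="He said &quot;hi&quot;", which the shortcode parser reads as a single attribute value.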
