I am working on a plugin where the user can define shortcode tags himself. What would you suggest to allow in there? My thought is to only allow ASCII characters.
So how do I sanitize? strip_tags and then a regex to allow only a-z, 0-9, or is there a better solution? Does WordPress have a filter for that? Could I maybe use the filter WordPress uses for slugs?
Thanks for the answers. I will just do this: if there must be one ASCII char anyway, then I just require three.
    foreach ( $shortcodes as $key => $var ) {
        // Strip away everything except a-z, 0-9 and underscore.
        $var = preg_replace( '/[^a-z0-9_]/', '', $var );
        if ( strlen( $var ) < 3 ) {
            continue; // Fewer than 3 chars AFTER the strip: don't save.
        }
    }
You can use almost every character. Just the character / is dangerous. Do not allow it. WordPress is using preg_quote to escape the shortcode name, but it doesn’t include its own regex delimiter / when doing that. So the shortcode will not be properly escaped and you get a PHP warning.
Besides that, there are just two basic rules for a shortcode name:
- It should be at least two characters long.
- It should contain at least one US-ASCII character (a-z0-9).
So this works:
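    // Register the same handler under several unusual shortcode names.
    foreach ( array ( '.-o', ']b', 'äoß', 'o"o', "o'o", '❤m' ) as $shortcode )
    {
        add_shortcode( $shortcode, 't5_crazy_shortcode_handler' );
    }

    // $shortcode gets a default so no required parameter follows optional
    // ones (deprecated since PHP 8.0). Everything printed is HTML-escaped.
    function t5_crazy_shortcode_handler( $attrs = array(), $content = NULL, $shortcode = '' )
    {
        return "<pre>\$shortcode: " . htmlspecialchars( $shortcode ) . "\n\n\$attrs\n"
            . htmlspecialchars( print_r( $attrs, TRUE ) )
            . "\n\n\$content"
            . htmlspecialchars( print_r( $content, TRUE ) )
            . '</pre>';
    }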
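
The rules from this answer as a validator for user-defined names, plus a demonstration of why / breaks the pattern. This is an added example, not part of the answer and not WordPress core code; the demo_* function names and the sample names are constructed for illustration.

```php
<?php
// Pattern built the way the answer describes: preg_quote() without a
// delimiter argument, then wrapped in "/" delimiters.
function demo_unsafe_pattern( $tag ) {
    return '/\[(' . preg_quote( $tag ) . ')\]/';
}

// Same pattern, but preg_quote() is told which delimiter to escape.
function demo_safe_pattern( $tag ) {
    return '/\[(' . preg_quote( $tag, '/' ) . ')\]/';
}

// True if PCRE accepts the pattern. The warning is suppressed only so the
// demo output stays readable.
function demo_pattern_compiles( $pattern ) {
    return false !== @preg_match( $pattern, '' );
}

// Apply the answer's rules to a user-supplied shortcode name.
// Returns the trimmed name, or false if it has to be rejected.
function demo_validate_shortcode_name( $name ) {
    $name = trim( (string) $name );
    if ( false !== strpos( $name, '/' ) ) {
        return false; // the regex delimiter is never allowed
    }
    if ( ! preg_match( '/[a-z0-9]/', $name ) ) {
        return false; // needs at least one US-ASCII character
    }
    // One ASCII byte is guaranteed above, so a byte length of 2 or more
    // means at least two characters, multibyte or not.
    if ( strlen( $name ) < 2 ) {
        return false;
    }
    return $name;
}

// Constructed sample input.
foreach ( array( 'gallery', 'a/b', 'x', 'ä', 'äoß', '❤m' ) as $name ) {
    $result = demo_validate_shortcode_name( $name );
    echo $name, ': ', ( false === $result ? 'rejected' : 'accepted' ), "\n";
}

// A name containing "/" ends the unsafe pattern early; the rest of the
// name is then read as pattern modifiers.
echo 'unsafe pattern compiles: ';
var_dump( demo_pattern_compiles( demo_unsafe_pattern( 'a/b' ) ) );
echo 'safe pattern compiles: ';
var_dump( demo_pattern_compiles( demo_safe_pattern( 'a/b' ) ) );
```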