The Shortcode API states that you can't have square brackets in your attribute. Thus, the following would not work:
[tag attribute="[Some value]"]
In my case, the square bracket is required. What would be the best solution of getting around this problem? I've already tried escaping the content in my shortcode function, but had no luck.
I am using WordPress 3.3.1.
Use some other special character in your shortcode and replace it square brackets in your shortcode function. - Since this is not what you want, here's an alternative.
This seems to be the only thing that I can think of that will work in your case, instead of relying on the Shortcode API, you can use "apply_filters" on the content, and then use preg_replace to write your own shortcode processing function.
If the brackets appear as part of the HTML generated try to use &#...; or as part of an URL use %... .
Otherwise, if it concerns your own shortcode, just replace some other character, e.g. {} by [], inside the code of the shortcode.
If it's not your own shortcode, you might modify the plugin / core. I'd write a wrapper code in order not to break updates.
We store json in shortcode attributes. We decided to use base64_encode to hide square brackets, but we faced some problems:
Themecheck complains about base64 functions
When you want to make some replace in database, for e.g. to replace all old site urls with new site url, the regex can't see what's inside a base64 encoded string
There is another solution, using htmlentities
function encode($str) {
$str = htmlentities($str, ENT_QUOTES, 'UTF-8');
// http://www.degraeve.com/reference/specialcharacters.php
$special = array(
'[' => '[',
']' => ']',
);
$str = str_replace(array_keys($special), array_values($special), $str);
return $str;
}
function decode($str) {
return html_entity_decode($str, ENT_QUOTES, 'UTF-8');
}
$original = '[1,2,3,"&",{a:1,b:2,"c":"Результат"}]';
$encoded = encode($original);
$decoded = decode($encoded);
echo "Original:\t", $original, PHP_EOL;
echo "Shortcode:\t", '[hi abc="'. $encoded .'"]', PHP_EOL;
echo "Decoded:\t", $decoded, PHP_EOL;
echo "Equal:\t\t", ($original === $decoded) ? 'YES' : 'NO';
Output
Original: [1,2,3,"&",{a:1,b:2,"c":"Результат"}]
Shortcode: [hi abc="[1,2,3,"&",{a:1,b:2,"c":"Результат"}]"]
Decoded: [1,2,3,"&",{a:1,b:2,"c":"Результат"}]
Equal: YES
http://ideone.com/fNiOkD
Related
I have posts with slugs with special characters. One of them is the following:
http://localhost/wp-json/wp/v2/posts?slug=my-post!
Unfortunately, WP REST API not showing the content since it has (!) within the slug.
Is there any solution you guys would recommend?
I have found the solution (at least for my case), not sure if it'll work for you but may indicate you the way to go. We need to tap into the function used to sanitize the slugs, as I said in my comment, by default is wp_parse_slug_list. Looking at the code the function that actually sanitizes the slug is sanitize_title.
Looking at the source code, wp_parse_slug_list calls sanitize_title with only one argument, which means that the context used is save. This means that, for posts that were already saved without being sanitized by this function, the slug won't match and the post will be inaccessible through the API. The solution is to change the sanitizing function slightly by adding a filter:
add_filter('rest_post_collection_params', function($query_params) {
$query_params['slug']['sanitize_callback'] = 'sanitize_rest_api_slug';
return $query_params;
}, 20, 1);
function sanitize_rest_api_slug( $list ) {
if ( ! is_array( $list ) ) {
$list = preg_split( '/[\s,]+/', $list );
}
foreach ( $list as $key => $value ) {
$list[ $key ] = sanitize_title( $value, '', 'query' );
}
return array_unique( $list );
}
The filter is actually being applied on the function get_collection_params() on the class-wp-rest-posts-controller class, but if you look at the source code, the filter has a variable depending on the post_type, so if you have another special kind of posts defined (besides post) you need to add/change a filter for that kind as well.
I hope this helps somebody else like me, even if it's too late for your issue.
Can Wordpress shortcodes have attributes without values like this?
[foo some_att]
I know it can be like this:
[foo some_att=""]
Can I have shortcode values like this (with curly braces)?
[foo path="{'quality': '720p', 'mp4': 'PATH_TO_MP4_VIDEO'}"]
You sure can! RichJenks has a short yet informative article on implementing this functionality, which boils down to defining a new function that can tell you if a flag (argument with no associated value) is present in your $atts array:
function is_flag( $flag, $atts ) {
foreach ( $atts as $key => $value )
if ( $value === $flag && is_int( $key ) ) return true;
return false;
}
After defining this function, you can reference is_flag() in your shortcode function to tell if the flag has been provided as part of the shortcode invocation:
if is_flag( 'some_att', $atts )
// flag is present
else
// flag is not present
Unfortunately, the example you've provided wouldn't work as an argument value with the Wordpress shortcode parser. According to the official Wordpress documentation on the Shortcode API:
Attribute values must never contain the following characters:
Square braces: [ ]
Quotes: " '
Since your example makes use of the single-quote character ('), it is officially unsupported by the shortcode parsing engine.
You can use this for first question.
is_int( array_search( 'some_att', $atts ?: [] ) )
Can anyone explain why I would use __() over esc_html_e()?
__() is primarily for simple text that doesn't contain markup that needs to be escaped. It differs from _e() in that the former returns the translated text while the latter echoes the translated text.
esc_html_e() and esc_html__() are similar, but they are used for strings that do contain markup. They each escape the provided string, and then call on their corresponding _e() or __() counterparts depending on which one you use.
Escaping HTML is necessary if you're accepting strings provided from user input. XSS attacks are probably the most common types of attacks on sites that accept user input and render it on the page. An attacker can easily provide <script> tags and execute arbitrary Javascript on your page if the input is not properly cleaned or escaped.
Just like the docs state, esc_html_e() retrieves a translated string, escapes it, and echoes the result. __() returns a translated string. The source for each of these functions makes this crystal clear:
function __( $text, $domain = 'default' ) {
return translate( $text, $domain );
}
function esc_html_e( $text, $domain = 'default' ) {
echo esc_html( translate( $text, $domain ) );
}
As for the purpose of esc_html_e(), as I understand it, is to prevent weird characters from translated strings (not the original ones you see in the code).
But _e() is just for translating, without any escape.
It is simple Devs. If you want to echoes or print the translated string,you can use esc_html_e & if you don't want to print that translated string & only want to return its value, you can use __().
You can take reference from esc_html_e & __() for more info.
I'm using the WP function: get_the_author_meta('user_url');
When I echo that to the browser it automatically prepends 'http://' to the URL. How can I avoid this, so that my URLs show exactly as they are entered on the user settings page.
Thanks is advance.
$author_url = get_the_author_meta('user_url'); // e.g. http://www.example.com
$to_remove = array( 'http://', 'https://' );
foreach ( $to_remove as $item ) {
$author_url = str_replace($item, '', $author_url); // to: www.example.com
}
echo $author_url; // now it will not have the http:// part you wish to avoid.
str_replace is probably the most efficient way of doing this.
$author_url = str_replace(array( 'http://', 'https://' ), '', get_the_author_meta('user_url'));
Other URL modification techniques.
For more complicated string replacements which match you could look at using preg_replace .
There is a function called http-build-url() which is included in the php_http.dll extension which might be more suitable for some use cases.
I was coding a simple metabox for wordpress and have a little issue when saving data.
The meta box is in my "create article"-page has two textfields. These are saved as post-meta, when the post is saved.
While saving I check if the fields were filled - if they are empty I take the post title and extract the data I need. The idea is to take everything that is before the first "-". If there is no minus sign, the whole title should be saved in my custom field. Now, this fails to find "-" in the title (alltough there is one) and returns the whole title every time:
function get_from_title($title) {
$pos = strpos($title, '-');
if ($pos) {
return trim(substr($title, $pos));
}
else {
$pos = strpos($title, '–'); //added this since two different signs could be used
if ($pos) {
return trim(substr($title, $pos));
}
else {
return $title;
}
}
}
the function that is calling get_from_title is getting the title via get_the_title( $post_id ) and this works without problems.
Is wordpress encoding the title somehow? Why can't strpos find the minus sign? What should I look for instead?
Thanks
I replied to the thread you started on this topic in the WordPress forums. You can find your answer there.
Alternatively, here's what I said. :)
Ah yes. This is a tricky one. So, why can't strpos find a hyphen in
the title when clearly we can see one? Because there isn't one. hehe.
What WordPress is doing here is converting your hyphen ( minus sign )
into an en-dash.
This will give you diddly-squat:
$pos = strpos( $title, '-' );
You want this:
$pos = strpos( $title, '–' );
Let me know how things turned out for you. :)