[dengeral]

Hi @admin,

To be sure we are on the same page, here is our experience:

I am using an administrator role on a single-site WP 6.0.2, so the unfiltered_html capability is normally allowed. And we were using shortcoder before without issue. That’s the upgrade to version 6, which has raised the issue, and my awareness that there is a code and a text editor. For existing shortcodes before upgrade, the content is messed up as soon as we open them, so indeed, that’s at opening time that the content is changed, and only if the code editor is the editor of the shortcode. My actual workaround is to update the _sc_editor metadata in the database to text for those.

We don’t use any special security related plugin, and I have checked our plugin list, tried to deactive some that I thought could be suspicious, like Classic Editor or HTML Editor Syntax Highlighter, and I still experience the same issue. Other plugins are really unrelated since they are frontend only.

When you say that version 6 filter dangerous HTML for users without unfiltered_html capability, does that include escaping ampersands ? In the hypothesis we are suffering from that, there is still a loop issue in such a prevention filter if it escapes & into & at each opening of the shortcode.

I am sorry to not have better clues. Let me know if I can help further.

[dengeral]

Hi Aakash,

I can confirm the above report. When using the code editor, there an issue with html entities encoding. Here is how it goes:

Hello to you & the "World" is your initial input
Hello to you & the "World&quote; is what you get after saving
Hello to you & the "World&quote; is what you get after update

Using the text editor is my current workaround.
Before version 6.0, the code editor was looking like the text editor for us, and we had never care about it. I don’t know if it’s related, but we use the Classic editor plugin for other posts, in order to not have a visual editor.

Hope this helps.

[Author]

Posts