WordPress 4.2.3 broke my code
-
After I upgraded to WP, custom content shortcode doesn’t display some fields.
In a loop
– [field image=picture return=url] doesn’t return the url of custom field image anymore.
– [field url] doesn’t return the url of the post anymore
title and custom text fields still work fine.
Outside a loop [if pass='{FIELD}' empty="false"]field={FIELD}&[/if] outputs on page without being processed.
Is it happening only to me? https://www.ads-software.com/plugins/custom-content-shortcode/
-
So where do we go from here? Will there be an update to the plugin to restore some functionality?
1. Security updates have not stopped from WordPress’s end. I don’t know who “Dave Navarro, Jr.” is, but he’s not one of the 4.2.3 WordPress core contributors.
2. There is not a bug in do_shortcode introduced by this release. This release was a deliberate, very long term fix to a severe security concern. The shortcode API update was planned, and is permanent.
3. Old WordPress versions are at risk to what is now a partially publicly disclosed security issue. Back converting makes your site immediately at risk. Disabling automatic updates makes your site insecure.
4. The very few plugins (a handful out of over 40,000+ distributed plugins) affected will need to update the usage of their shortcodes to comply with the updated Shortcode API. The people whose sites are broken are currently employing shortcodes in a way it was never designed nor intended to be used. https://make.www.ads-software.com/core/2015/07/23/changes-to-the-shortcode-api/
5. There indeed wasn’t a heads up to plugin authors. As discussed on the make post, there wasn’t an opportunity to do so without putting websites at risk.
> I bet half of wordpress sites have to be rewritten now.
Far less than 1% of 1% of 1%.
David, your claim that WordPress updates have been halted is in error. They’re still running. Your post was deleted.
Please don’t make statements like that. They cause unneeded panic.
OK, I just pushed a plugin update that includes an option to apply a temporary patch for WP 4.2.3. This is really a “band-aid” solution, I’m afraid, but as far as I’ve tested, it reverts previous behavior of shortcodes inside HTML attributes.
After updating the plugin, the front page of the documentation (Settings -> Custom Content) will show a link to apply the patch. Simply, the patch comments out line 209 in wp-includes/shortcodes.php. There is also an option to remove the patch.
It might not work depending on server’s file permissions. Also, importantly, it bypasses the so-called security patch, so technically HTML attributes could be vulnerable – however slim the chance.
I want to emphasize, it’s only a temporary measure just to get sites functioning again.
Do not apply the patch that Eliot is recommending. That is not the solution and entirely kills the point of the security release by making your site vulnerable again.
It’s unfortunate that issues have arisen from this but intentionally making your site vulnerable again is far worse.
Pippin is entirely correct, and I do not recommend the patch. It is only provided as a temporary measure until a real solution is found. It’s 4 a.m. and I had to do something quick to get sites at least functioning. So, at least for now, it’s a choice between broken site(s) or a security vulnerability.
Understood, Pippin, but I hope that’s not why the plugin was just pulled from the repository. It seems to me that not allowing the update would be a better reaction since the plugin still works just fine. In fact, I was coming back to update Eliot on how I’ve resolved most of my issues so far, just by adjusting my code. Almost seems like a moot point now? Not sure how to take this at all…
A slightly broken site is better than one vulnerable to a critical security issue. Reverting sites re-introduces that security flaw.
The temp solution is to rework how those aspects of the site work. As unfortunate and frustrating as that is, it is the better solution.
Ah, I see I was typing at the same time as you, Eliot… Let me know if you still want details of my progress…
for *5 YEARS* this was a potential issue.
and now, it has been necessary to push it within 30 hours? Are you reading your own posts? Are you really ready to backup this?
sorry, but this is not serious.
@thatguy334233 don’t be so quick to make assumptions. Because it was a security fix, there were countless hours behind the scenes spent working on it that no one ever publicly saw.
I truly appreciate all the hard work that was given to fix the security issue with shortcodes in WordPress. That said, I want to say a few things about what transpired today and about Eliot the developer.
Eliot seems to have been caught off guard with this WP update. Was there anything at all communicated out to the developer community, especially those who utilize shortcodes in their plugins, about what was coming? We (his plugin users) came to this forum today in a panic asking for Eliot’s assistance when SOME or ALL of our content broke on our websites after the WP update was applied. I’m sure all day long he was going crazy trying to figure out a way to make the plugin work again. I know I was stressed out of my mind that I had custom content links not working on critical pages of my website and had people emailing me asking why links didn’t work and how they could get to the content which happened to be created using custom fields so there was not a work around to give them the information at that time. I would have given anything to be able to roll back the update so I could have time to come up with a solution before installing it again.
Eliot is customer service personified. He doesn’t like knowing that someone is having a problem with their website and the problem happens to stem from the use of his plugin. Anytime that I have ever had an issue or question related to his Custom Content Shortcode plugin, he has replied to my forum post within a few hours of me posting my query. If my post asked about adding a feature or to fix a problem with the plugin, he updated the plugin within an hour or two of my request. IMHO, Eliot is THE BEST & FASTEST plugin developer I have ever had the pleasure of dealing with since I started using WordPress for my websites. You don’t find many developers with his work ethic willing to do this much work for so many people for FREE.
He is a people pleaser to a fault and made a poor decision today releasing his plugin update to help his users get their websites fixed. Please don’t kick Eliot out of the WordPress Developers Club. He needs to learn patience when problems like this occur and to seek assistance from fellow developers and faithful plugin users like the ones here on this forum page to help him come up with a solution. It would be a big loss to the WordPress community to not let him continue his work. He deserves a second chance to redeem himself.
What say you?
> Was there anything at all communicated out to the developer community, especially those who utilize shortcodes in their plugins, about what was coming?
No, doing so would have put websites at risk. That said, the security team spent a very long time looking at plugins to make sure we weren’t breaking anything WordPress supported. For over 99.99% of WordPress plugins, this change doesn’t affect them negatively in any way.
> I would have given anything to be able to roll back the update so I could have time to come up with a solution before installing it again.
The reason this is not permitted is twofold. First off, that completely negates the purpose of a security update that blocked what is now a partially disclosed security vulnerability. Second, because of the first comment, that would have made every user of his plugin a big target (since bad people would know to look to his users to find targets).
> Please don’t kick Eliot out of the WordPress Developers Club.
No one is kicking him out. The plugin was temporarily removed so that the change could be reverted, and so the plugin team has an opportunity to discuss with him why it was taken down in the first place, to ensure that the rules that are in place to protect WordPress, its community and its users are upheld. It’s more like a “timeout” if you will than anything else. I’m sure the plugin team will be in touch with him as soon as they get some time. They’ve got a lot on their plate today.
Hi jjgleim,
You are so right! Eliot is not only a truly gifted, but also very consumer/customer/user focused developer who replies always immediately and finds a solution whenever I ask him anything related to his awesome Custom Content Shortcode plugin!
Unfortunately the Custom Content Shortcode plugin has now been removed by beloved WP…
A temporary fix is to comment out line 209 in wp-includes/shortcodes.php, from:
$content = do_shortcodes_in_html_tags( $content, $ignore_html );
..to..
// $content = do_shortcodes_in_html_tags( $content, $ignore_html );
Another option is to revert back to WordPress version 4.2.2.
Happy days!!!
Again, see the previous comments on why that is a terrible idea. Doing so makes your sites completely vulnerable to attack.
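For anyone auditing sites after this thread, the following added example (not code from any poster, the plugin or WordPress) reports whether a copy of wp-includes/shortcodes.php still has the `do_shortcodes_in_html_tags` call quoted above active or has had it commented out. The PHP samples are constructed, the function names are hypothetical, and the comment stripper is a simplification that ignores heredocs.

```python
import re
import sys

# The call the thread says the band-aid comments out (quoted in the posts above).
CALL = re.compile(r"\$content\s*=\s*do_shortcodes_in_html_tags\s*\(")

def strip_comments(php):
    """Drop //, # and /* */ comments; quoted strings are copied verbatim."""
    out, i, n = [], 0, len(php)
    while i < n:
        ch = php[i]
        if ch in "'\"":
            j = i + 1
            while j < n and php[j] != ch:
                j += 2 if php[j] == "\\" else 1
            out.append(php[i:j + 1])
            i = j + 1
        elif php.startswith("/*", i):
            end = php.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif php.startswith("//", i) or ch == "#":
            end = php.find("\n", i)
            i = n if end == -1 else end
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def filter_status(php):
    """Return 'active', 'disabled' (call only in a comment) or 'absent'."""
    if CALL.search(strip_comments(php)):
        return "active"
    return "disabled" if CALL.search(php) else "absent"

# Constructed samples (not real WordPress source), one per case.
ACTIVE = """<?php
function do_shortcode( $content, $ignore_html = false ) {
    $url = "http://example.test/"; $content = do_shortcodes_in_html_tags( $content, $ignore_html );
    return $content;
}
"""
LINE_OFF = ACTIVE.replace("; $content =", "; // $content =")
BLOCK_OFF = ACTIVE.replace("; $content =", "; /* $content =").replace(");\n    return", "); */\n    return")
NO_CALL = "<?php\nfunction do_shortcode( $content ) {\n    return $content;\n}\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, filter_status(fh.read()))
```

Run it with one or more file paths as arguments; a result of `disabled` on a 4.2.3 install means the file no longer matches the shipped core and should be restored from a clean copy.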
- The topic ‘WordPress 4.2.3 broke my code’ is closed to new replies.