• Resolved Oliver Campion

    (@domainsupport)


    Updating to v6.2.1 has broken all Shortcode Blocks in templates.

    If this is not a bug and has been done deliberately for whatever reason then we urgently require a workaround to resolve this issue.

    Does anyone know anything about this?

    Thanks,

    Oliver

Viewing 15 replies - 16 through 30 (of 63 total)
  • Great it solved the problem for you too @alpineer

    I must confess I have the same question and fears as you…
    I have trouble understanding whether using it in a template part solves the security issue or whether it had not been seen and they will break it in the next update.

    I really hope this is a stable way, or that they will quickly find a stable one, because shortcodes in full site editing templates are quite commonly used; it is an essential feature, I think.

    Good luck indeed to us all '^^

    I have the same problem and this solution doesn’t help at all.

    I’m using a shortcode to display the breadcrumb navigation of the Rank Math SEO plugin.

    Yes, this is a major headache. Can someone explain what the security issue is with allowing shortcodes in templates?

    Ideally templates should only be edited by admins, I fail to see where the security issue is.

    This is a very unhelpful change (to put it mildly!)

    I understand it’s a security risk, but the explanation of that is no help either…

    ‘Block themes parsing shortcodes in user generated data;’

    What does that tell anyone? Surely shortcodes are supposed to be parsed in user data? Where else are they going to be parsed?

    So the summary appears to be that using shortcodes in a post or page is fine. But somehow, using them in a template is not.

    This just doesn’t make sense as both can be easily edited by users. In fact I would say that pretty much seems to be the whole point of block templates.

    Very poor communication of a site-breaking problem.

    @gyurmey try this

    Go to where you added your Shortcode block, select it, click, and you will have the menu options (copy, duplicate, insert, lock, etc…); there you will find "Create Template part".
    You will be asked for the name of your template part. Then it will include the Shortcode block in the template part block (which will be in purple). Save all.

    It worked for me. Perhaps you will have to purge your WordPress and browser caches.

    Got the same problem.

    We are using a template with shortcode blocks to roll out identical layouts to all sites of a multisite.
    This breaking of functionality should not happen in a release that auto-installs overnight.

    @timbearcub,
    Smart Slider 3 will be fixed soon. We will use the following filter without using shortcode in the future:

    /**
    * Filters the content of a single block.
    *
    * The dynamic portion of the hook name, $name, refers to
    * the block name, e.g. "core/paragraph".
    *
    * @since 5.7.0
    * @since 5.9.0 The $instance parameter was added.
    *
    * @param string   $block_content The block content.
    * @param array    $block         The full block, including name and attributes.
    * @param WP_Block $instance      The block instance.
    */
    $block_content = apply_filters( "render_block_{$this->name}", $block_content, $this->parsed_block, $this );
    Thread Starter Oliver Campion

    (@domainsupport)

    Thank you @ipstenu, I’ve done that.

    I’d be grateful if someone could please point me towards the security risk documentation / ticket so that I might discover a compromise that allows the block to function securely.

    Oliver

    I am also shocked, and appalled actually, that this was somehow “removed by design”. Who is making these decisions? Have we totally thrown all sense of backwards compatibility to the wayside? How are things being managed in such a hypocritical way where we are holding on to support for old versions of WordPress by patching them but then in the same breath removing functionality?

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    @domainsupport Don’t expect a security answer in seconds. They tend to wait until there’s been a solid roll out to explain details, and in that way minimize damage.

    I personally have only a theoretical knowledge of the issue, so I can’t help out there.

    Balancing security is a hard job. They must have felt this was a severe enough situation to justify the removal. And, in their defence, it’s 2023, and using shortcodes in the modern block-templates maybe should have been disallowed from the start, since Full Site Editing is the way to go. But at the same time, shortcodes have a place and not all can be (easily) converted into blocks.

    I wish I had better answers here

    How is this supposed to help security?

    You can make blocks that act like shortcodes, you can even make a block that runs shortcode like this:

    
    register_block_type(
        'temp/shortcode',
        [
            'render_callback' => function ($attributes, $content) {
                return do_shortcode($content);
            },
        ]
    );
    

    Then to use it I’d just do:

        <!-- wp:temp/shortcode -->
        [myfancy-shortcode]
        <!-- /wp:temp/shortcode -->
    • This reply was modified 1 year, 5 months ago by ciantic.
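
A narrower variant of the wrapper block in the reply above, added here as an example and not code from the poster or from WordPress core: it renders only shortcode tags on an explicit allowlist, so the block does not parse every shortcode that appears in stored template content. The block name `temp/allowed-shortcode`, the filter name `temp_allowed_shortcodes`, the function name and the allowlist entry are hypothetical; the code assumes it is loaded as a plugin or from a theme's `functions.php`.

```php
<?php
// Added example with hypothetical names; not from the thread or WordPress core.
// Assumption: 'myfancy-shortcode' is the only tag this site needs in templates.
const TEMP_ALLOWED_SHORTCODES = array( 'myfancy-shortcode' );

/**
 * Run do_shortcode() while only the allowlisted tags are registered.
 * Any other [tag] in $content is left in place as literal text.
 */
function temp_render_allowed_shortcodes( $content ) {
    global $shortcode_tags;

    // Let site code adjust the allowlist without editing this file.
    $allowed = (array) apply_filters( 'temp_allowed_shortcodes', TEMP_ALLOWED_SHORTCODES );
    $saved   = $shortcode_tags;

    // Narrow the global registry. Nested do_shortcode() calls made by an
    // allowed shortcode's callback see the same narrowed registry.
    $shortcode_tags = array_intersect_key( $saved, array_flip( $allowed ) );

    try {
        return do_shortcode( $content );
    } finally {
        // Restore the full registry even if a shortcode callback throws.
        $shortcode_tags = $saved;
    }
}

add_action( 'init', function () {
    register_block_type(
        'temp/allowed-shortcode',
        array(
            'render_callback' => function ( $attributes, $content ) {
                return temp_render_allowed_shortcodes( $content );
            },
        )
    );
} );
```

In a template it is used the same way as the block above, with `<!-- wp:temp/allowed-shortcode -->` around the shortcode text.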

    Thanks @rubin-sev for your suggestion. It worked for me as well!

    Same here, different short codes, including custom ones not part of plugins. All broken in a block theme with 6.2.1

    I am so glad I found this thread. I have been trying to figure out what I did wrong for hours, lol. Thanks for the workaround @rubin-sev, worked for me too! Hope they fix this soon.

    @alpineer Sounds like you’ve worked it out, but in this case, all I did to roll back my site was to replace the WordPress v6.2.1 install with a copy of the v6.2 install. The only files/directories I left in place were wp-content (which should be where all custom content ends up), and wp-config.php (which is the configuration file for the site). I did this via FTP, but it could be done with a host service’s file manager as well.

    This method might not work for a more significant update, especially one that changes the database. For that, you’d need to have a backup to work from.

    • This reply was modified 1 year, 5 months ago by rbrunskill.
  • The topic ‘WordPress v6.2.1 Breaks the Shortcode Block in Templates’ is closed to new replies.