Merge pull request #187 from Automattic/fix/escape-non-admin

Fix escaping for non-admin authored posts
Automattic · Feb 12, 2021 · b7b51fa · b7b51fa
2 parents 0c1010b + 84e8797
commit b7b51fa
Showing 1 changed file with 5 additions and 6 deletions.
diff --git a/syntaxhighlighter.php b/syntaxhighlighter.php
@@ -534,13 +534,9 @@ public function render_block( $attributes, $content ) {
 
 		$code = preg_replace( '#<pre [^>]+>([^<]+)?</pre>#', '$1', $content );
 
-		// Escape shortcodes
-		$code = preg_replace('/' . get_shortcode_regex() . '/', '[$0]', $code );
-
 		// Undo escaping done by WordPress
-		$code = str_replace( '&lt;', '<', $code );
-		$code = str_replace( '&amp;', '&', $code );
-		$code = preg_replace(  '/^(\s*https?:)&#47;&#47;([^\s<>"]+\s*)$/m', '$1//$2', $code );
+		$code = htmlspecialchars_decode( $code );
+		$code = preg_replace(  '/^(\s*https?:)&#0?47;&#0?47;([^\s<>"]+\s*)$/m', '$1//$2', $code );
 
 		$code = $this->shortcode_callback( $attributes, $code, 'code' );
 
@@ -1332,6 +1328,9 @@ function shortcode_callback( $atts, $code = '', $tag = false ) {
 
 		$code = ( false === strpos( $code, '<' ) && false === strpos( $code, '>' ) && 2 == $this->get_code_format($post) ) ? strip_tags( $code ) : htmlspecialchars( $code );
 
+		// Escape shortcodes
+		$code = preg_replace( '/\[/', '&#91;', $code );
+
 		$params[] = 'notranslate'; // For Google, see http://otto42.com/9k
 
 		$params = apply_filters( 'syntaxhighlighter_cssclasses', $params ); // Use this to add additional CSS classes / SH parameters