Shortcode Escaping Doesn't Work in Most Situations

[miqrogroove]

Introduced in [18952] was the possibility to escape [shortcode] as [[shortcode]]. Unfortunately, there are several problems with this feature:

• Escaping only works for registered shortcodes.
• Escaping was never made compatible with wptexturize.
• Most shortcode features never escape user input. (#15694)

Test cases:

["Hello world"] should output [“Hello world”]

[[example]] should output [example]

[caption caption="hello [ world"] input is invalid.

[jdgrimes]

Related: #12760, #25820, #26649.

[aaroncampbell]

Let me take the issues in order:

Escaping only works for registered shortcodes.
I don't think we need to worry about this at all. Shortcodes that aren't registered aren't shortcodes as far as I'm concerned.

Escaping was never made compatible with wptexturize
I'm not totally sure what you mean by this, but in my testing what I'm seeing (and what I'm therefore assuming you mean) is that text inside a possible shortcode isn't being texturized. So basically, you'd expect the same output from these:
[[video src="https://www.youtube.com/watch?v=1gVApvC20KQ"]]
[video src="https://www.youtube.com/watch?v=1gVApvC20KQ"]
But in reality the latter gets curly quotes on the attribute and the former doesn't. I'm really not sure how I feel about this one, but my first reaction is that this is actually good behavior. It seems to me that the reason for being able to escape a shortcode is mostly to allow someone to display an example of how to enter that shortcode, and I actually think curly quotes don't belong in that.

Most shortcode features never escape user input.
For this one, are there things besides square brackets that aren't getting escaped and are causing problems? I do see that a [ or ] in a shortcode attribute will break things, but I think #15694 can be used to continue addressing that.

[jdgrimes]

Replying to aaroncampbell:

Escaping only works for registered shortcodes.
I don't think we need to worry about this at all. Shortcodes that aren't registered aren't shortcodes as far as I'm concerned.

I think what brought me here originally was a scenario in which I wanted to display shortcode examples. The plugin that provides those shortcodes wasn't installed, but I was planning to possibly install it in the future. I wanted to avoid those examples being actually executed by the plugin if I installed it later. I thought I would escape them, but I couldn't. I decided to fix the issue by registering fake shortcodes (add_shortcode( 'shortcode', '__return_empty_string' )). That way I could use the shortcode escaping, in case I install that plugin in the future.

[aaroncampbell]

Replying to jdgrimes:

I think what brought me here originally was a scenario in which I wanted to display shortcode examples. The plugin that provides those shortcodes wasn't installed, but I was planning to possibly install it in the future. I wanted to avoid those examples being actually executed by the plugin if I installed it later. I thought I would escape them, but I couldn't.

A) I think that's definitely an edge-case
B) You can fix it as you did, or you can use HTML entities for the brackets like I did [ becomes [ and ] becomes ]

[aaroncampbell]

There seems to be no traction on this, and I feel like escaping is working as expected in two of the three cases, with the third already being dealt with in other tickets (and not really being specifically related to escaping)