Convert escaped shortcode brackets to html chars

Author: michaelw85

src/wp-includes/shortcodes.php

@@ -394,7 +394,7 @@ function do_shortcode_tag( $m ) {
 
 	// Allow [[foo]] syntax for escaping a tag.
 	if ( '[' === $m[1] && ']' === $m[6] ) {
-		return substr( $m[0], 1, -1 );
+		return '[' . substr( $m[0], 2, -2 ) . ']';
 	}
 
 	$tag  = $m[2];
@@ -469,6 +469,7 @@ function do_shortcodes_in_html_tags( $content, $ignore_html, $tagnames ) {
 		']' => ']',
 	);
 	$content = strtr( $content, $trans );
+
 	$trans   = array(
 		'[' => '[',
 		']' => ']',
@@ -543,6 +544,11 @@ function do_shortcodes_in_html_tags( $content, $ignore_html, $tagnames ) {
 				$count    = 0;
 				$new_attr = preg_replace_callback( "/$pattern/", 'do_shortcode_tag', $attr, -1, $count );
 				if ( $count > 0 ) {
+					/**
+					 * Prevent escaped shortcodes to break the attribute reverting html chars back to brackets
+					 */
+					$new_attr = strtr( $new_attr, array( '[' => '[', ']' => ']' ));
+
 					// Sanitize the shortcode output using KSES.
 					$new_attr = wp_kses_one_attr( $new_attr, $elname );
 					if ( '' !== trim( $new_attr ) ) {
@@ -757,7 +763,7 @@ function strip_shortcodes( $content ) {
 function strip_shortcode_tag( $m ) {
 	// Allow [[foo]] syntax for escaping a tag.
 	if ( '[' === $m[1] && ']' === $m[6] ) {
-		return substr( $m[0], 1, -1 );
+		return '[' . substr( $m[0], 2, -2 ) . ']';
 	}
 
 	return $m[1] . $m[6];

tests/phpunit/tests/shortcode.php

@@ -307,17 +307,17 @@ public function test_nested_tags() {
 	 */
 	public function test_tag_escaped() {
 		$out = do_shortcode( '[[footag]] [[bartag foo="bar"]]' );
-		$this->assertSame( '[footag] [bartag foo="bar"]', $out );
+		$this->assertSame( '[footag] [bartag foo="bar"]', $out );
 
 		$out = do_shortcode( '[[footag /]] [[bartag foo="bar" /]]' );
-		$this->assertSame( '[footag /] [bartag foo="bar" /]', $out );
+		$this->assertSame( '[footag /] [bartag foo="bar" /]', $out );
 
 		$out = do_shortcode( '[[baztag foo="bar"]the content[/baztag]]' );
-		$this->assertSame( '[baztag foo="bar"]the content[/baztag]', $out );
+		$this->assertSame( '[baztag foo="bar"]the content[/baztag]', $out );
 
 		// Double escaped.
 		$out = do_shortcode( '[[[footag]]] [[[bartag foo="bar"]]]' );
-		$this->assertSame( '[[footag]] [[bartag foo="bar"]]', $out );
+		$this->assertSame( '[[footag]] [[bartag foo="bar"]]', $out );
 	}
 
 	public function test_tag_not_escaped() {
@@ -443,6 +443,14 @@ public function data_strip_shortcodes() {
 		);
 	}
 
+	/**
+	 * @ticket 26649
+	 */
+	public function test_escaped_shortcode_should_not_execute() {
+		add_shortcode('example', fn () => 'foo');
+		$this->assertSame( '[example]', do_shortcode( strip_shortcodes( '[[example]]' ) ) );
+	}
+
 	/**
 	 * @ticket 37767
 	 */
@@ -575,11 +583,11 @@ public function data_escaping() {
 			),
 			array(
 				'<div [[gallery]]>',
-				'<div [gallery]>',
+				'<div &#091;gallery&#093;>',
 			),
 			array(
 				'<[[gallery]]>',
-				'<[gallery]>',
+				'<&#091;gallery&#093;>',
 			),
 			array(
 				'<div style="selector:url([[gallery]])">',