Automattic / notifications-panel

Core notifications panel for WordPress.com notifications

Strip out unknown shortcodes. #220

Closed kwight closed 6 years ago

kwight commented 6 years ago

If a shortcode is unknown (can't be expanded by WordPress.com), it should be stripped from the summary and detailed views of a notification (users should never see a shortcode notation, e.g. [shortcode]). We've seen cases in both content summaries and post titles.

See: p9zg7s-8-p2 and p5PDj3-4mp-p2.

kwight commented 6 years ago

I've spent some time on this, starting with figuring out how notifications are built, stored, and processed, so I can see where content is manipulated during the lifespan of a note (giving an idea as to how/where best to filter it).

However, from what I can tell, some things are already being stripped from existing the_content filters, but maybe not very well (like contact forms, which are mostly stripped except for a single remaining [contact-form]). Scripts are sort of stripped; the JS is turned into a link (this is the case with Gist shortcodes, and an enduring issue with PollDaddy Rating JS). Keeping some of these could be helpful (the Gist shortcode), while some shouldn't be seen ever (PollDaddy JS).

My next steps are to dig deeper into the existing the_content filters to see if there are simple bug fixes that could be made, or if I can identify where further filtering is needed. It would be good to avoid just slapping another layer of filtering on top of the existing pile if it's not necessary.

kwight commented 6 years ago

The above PollDaddy script issue is being dealt with separately in d9854-code.

There are a few things going on here.

kwight commented 6 years ago

Ultimately fixed in r170015-wpcom.

Digging into this brought up a few other bugs and issues; see p7jreA-1tB-p2 for details.
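The behaviour requested at the top of this issue (unknown shortcode notation never reaches the user, while expandable shortcodes such as Gist are kept) can be sketched as follows. This is an added example, not part of the thread and not the fix that landed in r170015-wpcom; `stripUnknownShortcodes`, the `knownTags` list and the tag-name pattern are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not code from notifications-panel or WordPress.com.
// Matches an opening, self-closing or closing shortcode tag:
//   [tag]   [tag attr="value"]   [tag /]   [/tag]
// Assumption: tag names start with a letter and use only letters, digits, "-" and "_".
const SHORTCODE_TAG = /\[(\/?)([A-Za-z][A-Za-z0-9_-]*)(?:\s[^\]]*)?\/?\]/g;

/**
 * Remove shortcode notation for every tag that is not in knownTags.
 * Known tags are left untouched so the normal renderer can still expand them.
 * Text enclosed by an unknown pair ([box]text[/box]) is kept; only the tags go.
 */
function stripUnknownShortcodes(text, knownTags) {
  const known = new Set(Array.from(knownTags, (t) => t.toLowerCase()));

  const stripped = text.replace(SHORTCODE_TAG, (match, slash, tag, offset, whole) => {
    // [[tag]] is the escaped form meant to be shown literally: leave it alone.
    const escaped =
      whole[offset - 1] === '[' && whole[offset + match.length] === ']';
    if (escaped || known.has(tag.toLowerCase())) {
      return match;
    }
    return '';
  });

  // Collapse the gaps left behind by removed tags.
  return stripped.replace(/[ \t]{2,}/g, ' ').trim();
}

// Constructed sample inputs (not taken from real notifications).
const KNOWN = ['gist'];
const samples = [
  'My post title [gallery]',
  '[contact-form] Get in touch',
  '[box color="red"]Sale[/box] today',
  'See [gist https://gist.example/1] here',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(stripUnknownShortcodes(s, KNOWN)));
}
```

Bracketed prose such as "[sic]" is indistinguishable from an unknown shortcode under this pattern and would also be removed, so a filter like this belongs only where bracket notation is expected to mean shortcodes.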