Open kwight opened 6 years ago
Can we do better than this?
It's extremely difficult unless we build a manual list of how to treat each unexpected shortcode. Sadly this is a consequence of the fact that shortcodes come in multiple varieties. Some decorate the text contained on the inside. The time shortcode is a good example because the inner text is safe and there's no reason not to just display it. Others contain sensitive information as a kind of admin-view vs. a public view. Those are really bad to expose.
How hard would it be to just start building a whitelist? We could run over common shortcodes we anticipate and then start tracking ones we come across which we don't expect. A little bit of manual review and we should be able to make some reasoned decisions about how to handle it. Maybe we can't produce the intended output but we can make a distinction between "show plain text," "hide text," and "show placeholder."
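A sketch of the allowlist idea in the comment above, as an added example that is not part of the thread or the project's code. Every shortcode name except `time`, the placeholder wording, and the choice to give unknown shortcodes a placeholder instead of their inner text are assumptions.

```javascript
// Per-shortcode policy. Only "time" comes from the thread; the other names are constructed.
const POLICY = new Map([
  ['time', 'text'],          // decorates its inner text, which is safe to display
  ['admin-note', 'hide'],    // constructed: admin-only content, never shown
  ['chart', 'placeholder'],  // constructed: output cannot be reproduced here
]);
const DEFAULT_ACTION = 'placeholder'; // assumption: unknown shortcodes never expose inner text
const PLACEHOLDER = '(embedded content)';

function renderShortcodes(input, unexpected = new Set()) {
  // Matches [name attrs]inner[/name], or a standalone [name attrs] with no closing tag.
  const pattern = /\[([a-z][\w-]*)(?:\s[^\]]*)?\](?:([\s\S]*?)\[\/\1\])?/gi;
  const output = input.replace(pattern, (match, name, inner = '') => {
    const key = name.toLowerCase();
    if (!POLICY.has(key)) unexpected.add(key); // collect for later manual review
    const action = POLICY.get(key) ?? DEFAULT_ACTION;
    if (action === 'text') {
      // Inner text may itself contain shortcodes, so apply the policy to it too.
      return renderShortcodes(inner, unexpected).output;
    }
    return action === 'hide' ? '' : PLACEHOLDER;
  });
  return { output, unexpected };
}

// Constructed sample input.
const sample = 'Posted [time datetime="2020-01-01"]Jan 1[/time] ' +
  '[admin-note]key=abc[/admin-note][chart id="3"] [mystery]secret[/mystery]';
const result = renderShortcodes(sample);
console.log(result.output, [...result.unexpected]);
```

Ordinary bracketed words such as `[sic]` also match the pattern and land in the review set, which is where the manual review step would classify them.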
Can we do better than this?.. maybe in situations like this it's better to fall back to generic text, but at the same time, maybe we shouldn't be trying to figure out what the user intends in situations like this.