How to completely prevent WordPress from destroying/modifying my shortcode outputs?

Here I have written a (pretty safe) shortcode for embedding iFrames in WordPress:

add_shortcode( ‘r2o_iframe’, ‘r2o_display_iframe’ );

function r2o_display_iframe($atts) {

ob_start();

$src = $atts[“src”];
$width = intval($atts[“width”]);
$height = intval($atts[“height”]);
$name = htmlentities($atts[“name”]);
$noscrolling = (bool) $atts[“noscrolling”];
$seamless = (bool) $atts[“seamless”];

$allowed_origins = r2o_get_option(SET_PREFIX . ‘iframe_shortcode_allowed_origins’);

$startswith = function($haystack, $needle) {
$length = strlen($needle);
return (substr($haystack, 0, $length) === $needle);
};

// if the src is allowed
if(is_array($allowed_origins)) {
if(filter_var($src,FILTER_VALIDATE_URL)) {
$allowed = false;
foreach($allowed_origins as $origin) {

// if origin is https, convert src to https and compare
if($startswith($origin[“origin”],”https://”)) {
if(!$startswith($src,”https://”)) {
$nsrc = preg_replace(“/^http:/i”, “https:”, $src);
if($startswith($nsrc,$origin[“origin”])) {
$src = $nsrc;
$allowed = true;
break;
}
}
// else allow both
} else {
if($startswith($src,$origin[“origin”]) || $startswith($src,preg_replace(“/^http:/i”, “https:”, $origin[“origin”]))) {
$allowed = true;
break;
}
}
}
if($allowed) { ?>
<iframe frameborder=”0″ src=”<?php echo $src; ?>”
<?php echo ($width > 0) ? ‘width=”‘.$width.'”‘ : ” ?>
<?php echo ($height > 0) ? ‘height=”‘.$height.'”‘ : ” ?>
<?php echo ($name != “”) ? ‘name=”‘.$name.'”‘ : ” ?>
<?php echo ($seamless) ? ‘seamless=”seamless”‘ : ” ?>
<?php echo ($noscrolling) ? ‘scrolling=”no”‘ : ” ?>
></iframe>
<?php

} else {
?><p class=”error”><?php _e(‘An embedded content is missing here (unknown origin).’,’r2ocm’); ?></p><?php
}
} else {
?><p class=”error”><?php _e(‘An embedded content is missing here (origin is not a valid URL).’,’r2ocm’); ?></p><?php
}
} else {
?><p class=”error”><?php _e(‘An embedded content is missing here (allowed origins are not defined).’,’r2ocm’); ?></p><?php
}

return ob_get_clean();
}

The problem: WordPress keeps stripping out the width, height and name attribute from the iFrame. I can not see a single good reason why WordPress applies its text sanitizing functions to shortcode outputs.

Tried to solve it like this:

add_filter( ‘no_texturize_shortcodes’, ‘shortcodes_to_exempt_from_wptexturize’ );
function shortcodes_to_exempt_from_wptexturize( $shortcodes ) {
$shortcodes[] = ‘r2o_iframe’;
return $shortcodes;
}

However still no results. WordPress removes those required attributes. What can I do to prevent this annoying behavior?

Read more here:: How to completely prevent WordPress from destroying/modifying my shortcode outputs?

Leave a Reply

Your email address will not be published. Required fields are marked *