7 Comments

  1. Sam R

    Fantastic news and long overdue, very excited about this!

    Report

  2. Vitor Madeira

    This is fantastic. Finally, “pure” WordPress is starting to become really useful.

    Report

  3. Richard

    Finally! Well, better late than never.

    Report

  4. JB

    Oops! Security!

    This article sounds like this will allow visitors to execute shortcodes that were previously restricted to authors (by using known shortcodes in comments, e-mail forms and other places with a user facing text widget).

    Not counting the sites that run the current shortcodes-in-text-widgets plugin (who hopefully know what they are doing), that’s a huge increase in the attack surface on wordpress sites and blogs.

    For example if some extension provides a shortcode for running a traceroute back from the server to the visitors webbrowser, and the wordpress admin has avoided any related exploits by simply telling the handful of trusted authors to never use that shortcode (but still use some other cool feature of the same extension). Then allowing comments to invoke that shortcode could provide an instant way to pawn the blog and even the entire server (because many systems require traceroute to be run as root).

    Feels like a major code review will be needed before upgrading any site to 4.9.

    Report

  5. Matt

    Interesting message they’re sending with this release:

    Gutenberg Team – “Blocks are the future! Stop using shortcodes where possible and start porting your Shortcodes to Blocks today.”

    WP Core Team – “Great new feature – Expanded Shortcode Support in core Widgets!”

    Report

  6. David

    Great news. I am a big fan of WordPress.
    I will update all my blogs soon to see how it works

    Report

Comments are closed.

%d bloggers like this: