I want to embed WordPress default gallery in comments which has embed code like this:

[gallery link="file" columns="2" size="medium" ids="1,2"]

To do so, I added this code which enables shortcodes in the comments:

add_filter( 'comment_text', 'do_shortcode' )

But someone suggested that is not a secure way to do so. Hence, how should I enable shortcodes in comments the right way or for now I can manage with only gallery shortcode too if there is a way to do that?

I want to embed WordPress default gallery in comments which has embed code like this:

[gallery link="file" columns="2" size="medium" ids="1,2"]

To do so, I added this code which enables shortcodes in the comments:

add_filter( 'comment_text', 'do_shortcode' )

But someone suggested that is not a secure way to do so. Hence, how should I enable shortcodes in comments the right way or for now I can manage with only gallery shortcode too if there is a way to do that?

• shortcode
• gallery
• embed

Share Improve this question edited Apr 16, 2019 at 9:24 cjbj 15k1616 gold badges4242 silver badges8989 bronze badges asked Apr 16, 2019 at 8:25 luckyankitluckyankit 311 bronze badge

Add a comment  | 

1 Answer 1

Sorted by: Reset to default 0

Indeed, if you allow all kinds of shortcodes to be used in comments, you do not know what effects you get. It might even become a security issue if you have powerful shortcodes installed (perhaps even without knowing it, as a feature you do not use). So, the trick is to selectively allow certain shortcodes. First, let's add a filter to get_comment_text (other than comment_text this will also affect your comments feed).

add_filter ('get_comment_text','wpse334485_filter_shortcodes',10,3);

Now we must make sure that this filter will apply only the gallery filter. That is, we need to strip all shortcodes from the comment except the gallery shortcode. Here we go:

function wpse334485_filter_shortcodes ($comment_text, $comment, $args) {
  $comment_text = strip_shortcodes ($comment_text);
  return do_shortcode ($comment_text);
  }

The above code will strip all shortcodes, so it's not complete. Luckily the strip_shortcodes function has a filter which allows you to influence which tags are removed. Here it is:

add_filter ('strip_shortcodes_tagnames','wpse334485_allow_gallery_shortcode',10,2);
function wpse334485_allow_gallery_shortcode ($tags_to_remove, $comment_text) {
  return array ('[gallery]');
  }

Note that I didn't test this code, so some debugging may be necessary.