The secret is called escaping. You need to place an extra set of square brackets around your shortcode and it will display as . Also, double escaping works too: [gallery] outputs . There is also a Trac ticket on this topic.
Code auto escaping is not working when using short codes
Where is escaped the shortcode?
Well that depends on how you define secure. I assume your embed code is an iframe which means that you are putting something not under your control (that could in theory always change into something malicious) into your site. This isn’t 100% secure itself. That is why esc_html strips that out. The question you have … Read more
site_url() returns with additional backslashes
The answer typically depends on where your translations come from. WordPress core doesn’t usually escape strings such as this, but you may wish to do so in your plugin. A translation might come from an “untrusted” source and could, in theory, contain malicious JavaScript, and escaping would protect you from this. In reality that’s unlikely, … Read more
I’m not sure if this is a bug, but it need further investigation. I’ve run a few quick tests on the name field in a tax_query, and whenever a term name has got a special character or have more than one word, the tax_query is excluded from the SQL query TEST 1 I have use … Read more
Escaping and sanitization
I’m not sure if this is a bug, but it need further investigation. I’ve run a few quick tests on the name field in a tax_query, and whenever a term name has got a special character or have more than one word, the tax_query is excluded from the SQL query TEST 1 I have use … Read more
Woah there. You’ve just opened up a can of SQL injection. I use the default get_query_var(‘s’) that I believe is automatically escaped by wordpress. Not quite – get_search_query() will do that, but get_query_var( ‘s’ ) gets the “raw” value. Regardless, always use wpdb::prepare or similar escaping before executing SQL: $query = $wpdb->prepare( “SELECT * FROM … Read more