I need to make some very generic shortcodes that call get_posts(). Is there any consequence (security or other) of just doing:
add_shortcode('posts', function($atts = []){
$posts = get_posts($atts);
// do stuff
});
I guess the correct way would be to pass $atts through shortcode_atts(), but I don’t want to have to always be aware of WordPress modifying get_posts in the future.
After doing some research the data passed into get_posts() is sanitized (I think I knew that), but the drawback is that you give the users the ability to just list a million posts, which can be a drain on resources I guess. So some sanitation is necessary - maybe limit numberposts etc.
Basically the intent was to create a shortcode that lets users drop in their own dynamic templates straight from the editor, something like:
[posts category_name="News"]
<h2>[title]</h2>
[content]
[/posts]
This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.