Jetpack Shortcodes: Prevent hooking onto pre_kses in front-end

[dilirity]

Fixes HOG-132

pre_kses runs everywhere. However, shortcodes have code that "preserves" content (mostly embeds) by transforming it into a shortcode string. This code is necessary only when the post content is updated/added. It's not necessary in the front-end.

This PR adds a check to conditionally allow hooking onto pre_kses. To avoid calling the is_frontend of Request many times, I created a helper function with a static variable. I thought it's preferable to calling is_frontend every time a shortcode hooks onto pre_kses.

It also updates the is_frontend method to allow not sending the Vary header. I didn't want to cause side-effects from just checking if we're in the front-end multiple times throughout Jetpack.

Proposed changes:

• Update shortcode "preserve" functionality, to not be hooked onto pre_kses for front-end requests;
• Update Request::is_frontend method to allow not sending the Vary header;
• Fix variable type in PHPdoc.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

HOG-132

Does this pull request change what data or activity we track or use?

no

Testing instructions:

• Make sure the Shortcode embeds module in Jetpack is enabled:

• The easies way to test this is to pick a shortcode and take the example code from the top of the file and use it to make sure the code works.
• Let's take archiveorg-book.php for example:

<iframe src="https://www.archive.org/stream/goodytwoshoes00newyiala?ui=embed#mode/1up" width="480px" height="430px" frameborder="0" ></iframe>

• On your test website, create a user with the Contributor role.
• Create a post and paste this into the content field. When you submit the post for review, the iframe should get transformed into a shortcode like this:

[archiveorg id=goodytwoshoes00newyiala width=480 height=430]

• That means that the "preserve" functionality is working.
• You can test this with other shortcodes, but the idea remains the same.
• Other than this, make sure there are no fatal errors

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack or WordPress.com Site Helper), and enable the update/jetpack/modules/shortcodes/conditionally-hook-on-pre-kses branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack update/jetpack/modules/shortcodes/conditionally-hook-on-pre-kses

bin/jetpack-downloader test jetpack-mu-wpcom-plugin update/jetpack/modules/shortcodes/conditionally-hook-on-pre-kses

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

---

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

• WordPress.com Simple releases happen as soon as you deploy your changes after merging this PR (PCYsg-Jjm-p2).
• WoA releases happen weekly.
• Releases to self-hosted sites happen monthly:
  • Scheduled release: August 5, 2025
  • Code freeze: August 4, 2025

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[jp-launch-control]

Code Coverage Summary

Coverage changed in 20 files. Only the first 5 are listed here.

File	Coverage	Δ%	Δ Uncovered
projects/plugins/jetpack/modules/shortcodes/class.filter-embedded-html-objects.php	0/140 (0.00%)	-37.41%	53 💔
projects/plugins/jetpack/modules/shortcodes/dailymotion.php	97/178 (54.49%)	-3.70%	7 💔
projects/plugins/jetpack/modules/shortcodes/archiveorg-book.php	23/54 (42.59%)	-4.58%	3 ❤️‍🩹
projects/plugins/jetpack/modules/shortcodes/archiveorg.php	29/71 (40.85%)	-3.44%	3 ❤️‍🩹
projects/plugins/jetpack/modules/shortcodes/crowdsignal.php	305/443 (68.85%)	-0.61%	3 ❤️‍🩹

1 file is newly checked for coverage.

File	Coverage
projects/plugins/jetpack/modules/shortcodes/shortcode-utils.php	5/6 (83.33%) 💚

Full summary · PHP report · JS report

_{Coverage check overridden by I don't care about code coverage for this PR Use this label to ignore the check for insufficient code coveage. .}

[kraftbj]

I didn't specifically test the code, but it reads well.

I left some comments on 188368-ghe-Automattic/wpcom to denote how to prepare WP.com for this (and after that, I believe the tests on this PR would pass).

Marking request changes since it needs the wp.com work done before merging, so will give a final approval after wp.com is prepared and those tests pass.

[kraftbj]

Additionally, please add tests for the new function to ensure that it is true in a frontend condition and that the filter is not added in a frontend condition.

At least, add tests for the new function and get coverage good for the new file. Bonus for increasing the coverage in an existing file.

[kraftbj]

Alright, some legit wp.com test failures (at least needing more investigation). Un-approving :)