fix: Multi-layer protection against Twig rendering recursion

- Added render depth tracking in Plugin::render() with max depth of 5
- Strip shortcodes from content when in shortcode context
- Prevents any later do_shortcode() calls from triggering recursion

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,42 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.5] - 2026-02-02
+
+### Fixed
+
+- **Multi-layer recursion protection** - Added additional safeguards against infinite Twig rendering
+  - Added render depth tracking in `Plugin::render()` with max depth of 5
+  - Strip shortcodes from content when in shortcode context (prevents any later `do_shortcode()` calls from triggering recursion)
+  - This addresses the Twig StagingExtension.php recursion error
+
+## [0.4.4] - 2026-02-02
+
+### Fixed
+
+- **Fix excerpt-triggered recursion** - `get_the_excerpt()` internally calls `the_content` filter when generating auto-excerpts
+  - When in shortcode context, now uses raw `$post->post_excerpt` or generates simple excerpt with `wp_trim_words()` instead
+  - This was the remaining recursion path causing memory exhaustion in `class-wp-hook.php`
+
+## [0.4.3] - 2026-02-02
+
+### Fixed
+
+- **Further memory leak fix** - v0.4.2 fix was still incomplete
+  - Changed `$in_shortcode_context` boolean to `$shortcode_context_depth` counter to properly handle nested shortcodes
+  - Added shortcode context protection to `template-wrapper.php` for single page views
+  - This fixes the remaining recursion path where `the_content` filter was still being applied when viewing single FediStream posts (artists, albums, tracks, playlists)
+
+## [0.4.2] - 2026-02-02
+
+### Fixed
+
+- **Complete fix for memory leak** - v0.4.1 fix was incomplete
+  - Added `$in_shortcode_context` flag to TemplateLoader to track when we're rendering shortcodes
+  - All shortcode render methods now call `enter_shortcode_context()` before loading data
+  - When in shortcode context, `the_content` filter is always skipped to prevent recursive shortcode processing
+  - This prevents infinite recursion when post content contains FediStream shortcodes
+
 ## [0.4.1] - 2026-02-02
 
 ### Fixed
@@ -207,7 +243,11 @@ Initial release of WP FediStream - a WordPress plugin for streaming music over A
 
 ---
 
-[Unreleased]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.1...HEAD
+[Unreleased]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.5...HEAD
+[0.4.5]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.4...v0.4.5
+[0.4.4]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.3...v0.4.4
+[0.4.3]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.2...v0.4.3
+[0.4.2]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.1...v0.4.2
 [0.4.1]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.4.0...v0.4.1
 [0.4.0]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.3.0...v0.4.0
 [0.3.0]: https://src.bundespruefstelle.ch/magdev/wp-fedistream/compare/v0.2.0...v0.3.0

includes/Frontend/Shortcodes.php

@@ -81,6 +81,9 @@ class Shortcodes {
      * @return string
      */
     public function render_artist( array $atts ): string {
+        // Enter shortcode context to prevent recursive shortcode processing during data loading.
+        TemplateLoader::enter_shortcode_context();
+
         $atts = shortcode_atts(
             array(
                 'id'          => 0,
@@ -95,6 +98,7 @@ class Shortcodes {
 
         $post = $this->get_post( $atts, 'fedistream_artist' );
         if ( ! $post ) {
+            TemplateLoader::exit_shortcode_context();
             return '';
         }
 
@@ -119,6 +123,9 @@ class Shortcodes {
      * @return string
      */
     public function render_album( array $atts ): string {
+        // Enter shortcode context to prevent recursive shortcode processing during data loading.
+        TemplateLoader::enter_shortcode_context();
+
         $atts = shortcode_atts(
             array(
                 'id'          => 0,
@@ -132,6 +139,7 @@ class Shortcodes {
 
         $post = $this->get_post( $atts, 'fedistream_album' );
         if ( ! $post ) {
+            TemplateLoader::exit_shortcode_context();
             return '';
         }
 
@@ -155,6 +163,9 @@ class Shortcodes {
      * @return string
      */
     public function render_track( array $atts ): string {
+        // Enter shortcode context to prevent recursive shortcode processing during data loading.
+        TemplateLoader::enter_shortcode_context();
+
         $atts = shortcode_atts(
             array(
                 'id'          => 0,
@@ -168,6 +179,7 @@ class Shortcodes {
 
         $post = $this->get_post( $atts, 'fedistream_track' );
         if ( ! $post ) {
+            TemplateLoader::exit_shortcode_context();
             return '';
         }
 
@@ -191,6 +203,9 @@ class Shortcodes {
      * @return string
      */
     public function render_playlist( array $atts ): string {
+        // Enter shortcode context to prevent recursive shortcode processing during data loading.
+        TemplateLoader::enter_shortcode_context();
+
         $atts = shortcode_atts(
             array(
                 'id'          => 0,
@@ -204,6 +219,7 @@ class Shortcodes {
 
         $post = $this->get_post( $atts, 'fedistream_playlist' );
         if ( ! $post ) {
+            TemplateLoader::exit_shortcode_context();
             return '';
         }
 
@@ -227,6 +243,9 @@ class Shortcodes {
      * @return string
      */
     public function render_latest_releases( array $atts ): string {
+        // Enter shortcode context to prevent recursive shortcode processing during data loading.
+        TemplateLoader::enter_shortcode_context();
+
         $atts = shortcode_atts(
             array(
                 'count'   => 6,
@@ -292,6 +311,9 @@ class Shortcodes {
      * @return string
      */
     public function render_popular_tracks( array $atts ): string {
+        // Enter shortcode context to prevent recursive shortcode processing during data loading.
+        TemplateLoader::enter_shortcode_context();
+
         $atts = shortcode_atts(
             array(
                 'count'   => 10,
@@ -359,6 +381,9 @@ class Shortcodes {
      * @return string
      */
     public function render_artists_grid( array $atts ): string {
+        // Enter shortcode context to prevent recursive shortcode processing during data loading.
+        TemplateLoader::enter_shortcode_context();
+
         $atts = shortcode_atts(
             array(
                 'count'   => 12,
@@ -426,6 +451,9 @@ class Shortcodes {
      * @return string
      */
     public function render_player( array $atts ): string {
+        // Enter shortcode context to prevent recursive shortcode processing during data loading.
+        TemplateLoader::enter_shortcode_context();
+
         $atts = shortcode_atts(
             array(
                 'track'    => 0,
@@ -471,6 +499,7 @@ class Shortcodes {
         }
 
         if ( empty( $tracks ) ) {
+            TemplateLoader::exit_shortcode_context();
             return '';
         }
 
@@ -528,13 +557,20 @@ class Shortcodes {
             return $this->get_unlicensed_message();
         }
 
+        // Enter shortcode context to prevent recursive shortcode processing.
+        TemplateLoader::enter_shortcode_context();
+
         try {
-            return $this->plugin->render( $template, $context );
+            $result = $this->plugin->render( $template, $context );
         } catch ( \Exception $e ) {
+            TemplateLoader::exit_shortcode_context();
             if ( WP_DEBUG ) {
                 return '<p class="fedistream-error">' . esc_html( $e->getMessage() ) . '</p>';
             }
             return '';
         }
+
+        TemplateLoader::exit_shortcode_context();
+        return $result;
     }
 }

includes/Frontend/TemplateLoader.php

@@ -35,6 +35,46 @@ class TemplateLoader {
      */
     private const MAX_RECURSION_DEPTH = 3;
 
+    /**
+     * Shortcode rendering context depth counter.
+     * When > 0, the_content filter is skipped to prevent recursive shortcode processing.
+     * Using a counter instead of boolean to handle nested shortcodes properly.
+     *
+     * @var int
+     */
+    private static int $shortcode_context_depth = 0;
+
+    /**
+     * Enter shortcode rendering context.
+     * Call this before rendering shortcode content to prevent recursive shortcode processing.
+     *
+     * @return void
+     */
+    public static function enter_shortcode_context(): void {
+        ++self::$shortcode_context_depth;
+    }
+
+    /**
+     * Exit shortcode rendering context.
+     * Call this after shortcode rendering is complete.
+     *
+     * @return void
+     */
+    public static function exit_shortcode_context(): void {
+        if ( self::$shortcode_context_depth > 0 ) {
+            --self::$shortcode_context_depth;
+        }
+    }
+
+    /**
+     * Check if we're in a shortcode rendering context.
+     *
+     * @return bool
+     */
+    public static function is_in_shortcode_context(): bool {
+        return self::$shortcode_context_depth > 0;
+    }
+
     /**
      * Constructor.
      */
@@ -213,14 +253,37 @@ class TemplateLoader {
         // Track recursion to prevent infinite loops from shortcodes in content.
         ++self::$recursion_depth;
 
-        // At depth > 1, skip the_content filter to prevent shortcode recursion.
+        // Skip the_content filter if:
-        $is_nested = self::$recursion_depth > 1;
+        // 1. We're in a shortcode context (prevents recursive shortcode processing)
+        // 2. We're at depth > 1 (nested data loading)
+        $skip_content_filter = self::$shortcode_context_depth > 0 || self::$recursion_depth > 1;
+
+        // When skipping content filter, also use raw excerpt to avoid get_the_excerpt()
+        // triggering the_content filter internally when generating auto-excerpts.
+        if ( $skip_content_filter ) {
+            $excerpt = $post->post_excerpt;
+            if ( empty( $excerpt ) ) {
+                // Generate a simple excerpt without triggering the_content filter.
+                $excerpt = wp_trim_words( wp_strip_all_tags( $post->post_content ), 55, '…' );
+            }
+        } else {
+            $excerpt = get_the_excerpt( $post );
+        }
+
+        // When skipping content filter, also strip shortcodes to prevent them from
+        // being processed by anything else that might call do_shortcode on the output.
+        if ( $skip_content_filter ) {
+            $content = strip_shortcodes( $post->post_content );
+            $content = wp_kses_post( $content );
+        } else {
+            $content = apply_filters( 'the_content', $post->post_content );
+        }
 
         $data = array(
             'id'        => $post->ID,
             'title'     => get_the_title( $post ),
-            'content'   => $is_nested ? wp_kses_post( $post->post_content ) : apply_filters( 'the_content', $post->post_content ),
+            'content'   => $content,
-            'excerpt'   => get_the_excerpt( $post ),
+            'excerpt'   => $excerpt,
             'permalink' => get_permalink( $post ),
             'thumbnail' => get_the_post_thumbnail_url( $post->ID, 'large' ),
             'date'      => get_the_date( '', $post ),

includes/Frontend/template-wrapper.php

@@ -13,6 +13,9 @@ if ( ! defined( 'ABSPATH' ) ) {
 use WP_FediStream\Plugin;
 use WP_FediStream\Frontend\TemplateLoader;
 
+// Enter shortcode context to prevent recursive shortcode processing in post content.
+TemplateLoader::enter_shortcode_context();
+
 // Get template context.
 $context = TemplateLoader::get_context();
 
@@ -75,4 +78,7 @@ get_header();
 </main>
 
 <?php
+// Exit shortcode context.
+TemplateLoader::exit_shortcode_context();
+
 get_footer();

includes/Plugin.php

@@ -55,6 +55,20 @@ final class Plugin {
      */
     private ?\Twig\Environment $twig = null;
 
+    /**
+     * Current Twig render depth to prevent infinite recursion.
+     *
+     * @var int
+     */
+    private static int $render_depth = 0;
+
+    /**
+     * Maximum allowed Twig render depth.
+     *
+     * @var int
+     */
+    private const MAX_RENDER_DEPTH = 5;
+
     /**
      * Post type instances.
      *
@@ -843,7 +857,20 @@ final class Plugin {
      * @return string Rendered template.
      */
     public function render( string $template, array $context = array() ): string {
-        return $this->twig->render( $template . '.twig', $context );
+        // Prevent infinite recursion in Twig rendering.
+        if ( self::$render_depth >= self::MAX_RENDER_DEPTH ) {
+            return '<!-- FediStream: render depth exceeded -->';
+        }
+
+        ++self::$render_depth;
+
+        try {
+            $result = $this->twig->render( $template . '.twig', $context );
+        } finally {
+            --self::$render_depth;
+        }
+
+        return $result;
     }
 
     /**

wp-fedistream.php

@@ -3,7 +3,7 @@
  * Plugin Name: WP FediStream
  * Plugin URI: https://src.bundespruefstelle.ch/magdev/wp-fedistream
  * Description: Stream music over ActivityPub - Build your own music streaming platform for Musicians and Labels.
- * Version: 0.4.1
+ * Version: 0.4.5
  * Requires at least: 6.4
  * Requires PHP: 8.3
  * Author: Marco Graetsch
@@ -26,7 +26,7 @@ if ( ! defined( 'ABSPATH' ) ) {
  *
  * @var string
  */
-define( 'WP_FEDISTREAM_VERSION', '0.4.1' );
+define( 'WP_FEDISTREAM_VERSION', '0.4.5' );
 
 /**
  * Plugin file path.