Ticket #3973: unfiltered_html_xsrf_xss.diff

File unfiltered_html_xsrf_xss.diff, 8.7 KB (added by markjaquith, 5 years ago)

Patch for all three WP branches

  • trunk/wp-comments-post.php

     
    2525 
    2626// If the user is logged in 
    2727$user = wp_get_current_user(); 
    28 if ( $user->ID ) : 
     28if ( $user->ID ) { 
    2929        $comment_author       = $wpdb->escape($user->display_name); 
    3030        $comment_author_email = $wpdb->escape($user->user_email); 
    3131        $comment_author_url   = $wpdb->escape($user->user_url); 
    32 else : 
     32        if ( current_user_can('unfiltered_html') ) { 
     33                if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) { 
     34                        kses_remove_filters(); // start with a clean slate 
     35                        kses_init_filters(); // set up the filters 
     36                } 
     37        } 
     38} else { 
    3339        if ( get_option('comment_registration') ) 
    3440                wp_die( __('Sorry, you must be logged in to post a comment.') ); 
    35 endif; 
     41} 
    3642 
    3743$comment_type = ''; 
    3844 

  • trunk/wp-includes/default-filters.php

     
    3131add_filter('pre_comment_author_email', 'wp_filter_kses'); 
    3232add_filter('pre_comment_author_url', 'wp_filter_kses'); 
    3333 
     34add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce'); 
     35 
    3436// Default filters for these functions 
    3537add_filter('comment_author', 'wptexturize'); 
    3638add_filter('comment_author', 'convert_chars'); 

  • trunk/wp-includes/functions.php

     
    10001000        return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl)); 
    10011001} 
    10021002 
    1003 function wp_nonce_field($action = -1) { 
    1004         echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />'; 
    1005         wp_referer_field(); 
     1003function wp_nonce_field($action = -1, $name = "_wpnonce", $referer = true) { 
     1004        $name = attribute_escape($name); 
     1005        echo '<input type="hidden" name="' . $name . '" value="' . wp_create_nonce($action) . '" />'; 
     1006        if ( $referer ) 
     1007                wp_referer_field(); 
    10061008} 
    10071009 
    10081010function wp_referer_field() { 

  • trunk/wp-includes/comment-template.php

     
    271271                return false; 
    272272} 
    273273 
     274function wp_comment_form_unfiltered_html_nonce() { 
     275        global $post; 
     276        if ( current_user_can('unfiltered_html') ) 
     277                wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false); 
     278} 
     279 
    274280function comments_template( $file = '/comments.php' ) { 
    275281        global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity; 
    276282 

  • branches/2.0/wp-comments-post.php

     
    2525 
    2626// If the user is logged in 
    2727$user = wp_get_current_user(); 
    28 if ( $user->ID ) : 
     28if ( $user->ID ) { 
    2929        $comment_author       = $wpdb->escape($user->display_name); 
    3030        $comment_author_email = $wpdb->escape($user->user_email); 
    3131        $comment_author_url   = $wpdb->escape($user->user_url); 
    32 else : 
     32        if ( current_user_can('unfiltered_html') ) { 
     33                if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) { 
     34                        kses_remove_filters(); // start with a clean slate 
     35                        kses_init_filters(); // set up the filters 
     36                } 
     37        } 
     38} else { 
    3339        if ( get_option('comment_registration') ) 
    3440                die( __('Sorry, you must be logged in to post a comment.') ); 
    35 endif; 
     41} 
    3642 
    3743$comment_type = ''; 
    3844 

  • branches/2.0/wp-includes/default-filters.php

     
    3333add_filter('pre_comment_author_email', 'wp_filter_kses'); 
    3434add_filter('pre_comment_author_url', 'wp_filter_kses'); 
    3535 
     36add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce'); 
     37 
    3638// Default filters for these functions 
    3739add_filter('comment_author', 'wptexturize'); 
    3840add_filter('comment_author', 'convert_chars'); 

  • branches/2.0/wp-includes/functions.php

     
    23722372        return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl)); 
    23732373} 
    23742374 
    2375 function wp_nonce_field($action = -1) { 
    2376         echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />'; 
    2377         wp_referer_field(); 
     2375function wp_nonce_field($action = -1, $name = "_wpnonce", $referer = true) { 
     2376        $name = attribute_escape($name); 
     2377        echo '<input type="hidden" name="' . $name . '" value="' . wp_create_nonce($action) . '" />'; 
     2378        if ( $referer ) 
     2379                wp_referer_field(); 
    23782380} 
    23792381 
    23802382function wp_referer_field() { 

  • branches/2.0/wp-includes/comment-functions.php

     
    22 
    33// Template functions 
    44 
     5function wp_comment_form_unfiltered_html_nonce() { 
     6        global $post; 
     7        if ( current_user_can('unfiltered_html') ) 
     8                wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false); 
     9} 
     10 
    511function comments_template( $file = '/comments.php' ) { 
    612        global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity; 
    713 

  • branches/2.1/wp-comments-post.php

     
    2525 
    2626// If the user is logged in 
    2727$user = wp_get_current_user(); 
    28 if ( $user->ID ) : 
     28if ( $user->ID ) { 
    2929        $comment_author       = $wpdb->escape($user->display_name); 
    3030        $comment_author_email = $wpdb->escape($user->user_email); 
    3131        $comment_author_url   = $wpdb->escape($user->user_url); 
    32 else : 
     32        if ( current_user_can('unfiltered_html') ) { 
     33                if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) { 
     34                        kses_remove_filters(); // start with a clean slate 
     35                        kses_init_filters(); // set up the filters 
     36                } 
     37        } 
     38} else { 
    3339        if ( get_option('comment_registration') ) 
    3440                wp_die( __('Sorry, you must be logged in to post a comment.') ); 
    35 endif; 
     41} 
    3642 
    3743$comment_type = ''; 
    3844 

  • branches/2.1/wp-includes/default-filters.php

     
    3131add_filter('pre_comment_author_email', 'wp_filter_kses'); 
    3232add_filter('pre_comment_author_url', 'wp_filter_kses'); 
    3333 
     34add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce'); 
     35 
    3436// Default filters for these functions 
    3537add_filter('comment_author', 'wptexturize'); 
    3638add_filter('comment_author', 'convert_chars'); 

  • branches/2.1/wp-includes/functions.php

     
    920920        return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl)); 
    921921} 
    922922 
    923 function wp_nonce_field($action = -1) { 
    924         echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />'; 
    925         wp_referer_field(); 
     923function wp_nonce_field($action = -1, $name = "_wpnonce", $referer = true) { 
     924        $name = attribute_escape($name); 
     925        echo '<input type="hidden" name="' . $name . '" value="' . wp_create_nonce($action) . '" />'; 
     926        if ( $referer ) 
     927                wp_referer_field(); 
    926928} 
    927929 
    928930function wp_referer_field() { 

  • branches/2.1/wp-includes/comment-template.php

     
    271271                return false; 
    272272} 
    273273 
     274function wp_comment_form_unfiltered_html_nonce() { 
     275        global $post; 
     276        if ( current_user_can('unfiltered_html') ) 
     277                wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false); 
     278} 
     279 
    274280function comments_template( $file = '/comments.php' ) { 
    275281        global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity; 
    276282