Commenters can break page validation via HTML comments

[schiller]

As per  http://www.w3.org/TR/REC-xml/#sec-comments, XML does not like two dashes (--) in comments, nor does it like comments ending in --->. This should be fixed in kses

Patch for kses, prevents adjacent hyphens in a HTML/XML comment

wptexturize() converts a double dash into –, so no problems there.

Can you clarify this? When is wptexturize() called? Is this something that has changed since WP 2.3.3?

No, wptexturize() has been around since at least version 1.5. All comments and posts are run through it by default before being displayed.

Log out and make a comment like this on your blog:

This is a -- test comment over here --->

It will display at this valid XHTML:

This is a — test comment over here —>

Closing as worksforme.

Oh, and to answer your "When is wptexturize() called?" question, look at /wp-includes/default-filters.php. You'll find this line in it:

add_filter('comment_text', 'wptexturize');

Actually I had already confirmed this was indeed a problem - someone was logged out and made the following comment on my WP 2.3.3 blog:

Comment: <!-- foo -- bar -->

And it resulted in a Yellow Page of Death when rendered as XHTML. That's why I dug through and came up with this 2-line patch for kses.

Note that the comment stays hidden i.e. it actually stays a HTML comment it doesn't get escaped to be

Comment: &lt;!-- foo -- bar --&gt;

I do not have the "WordPress should correct invalidly nested XHTML automatically" checkbox checked (Options > Writing). Can you describe the settings on your blog that relate to translating markup?

Okay, well that's an entirely different issue. ;)

Confirmed that no-access users can post HTML comments, something that they shouldn't be able to do IMO. It's specifically allowed in the code though, so then I guess we should just make sure it doesn't break validation.

Ok, thanks - I should have clarified between the two different types of comments ;)

I did attach a patch for this bug - does it need to get reviewed or something? (Just curious about your addition of the 'needs-patch' keyword)

Replying to schiller:

I did attach a patch for this bug - does it need to get reviewed or something? (Just curious about your addition of the 'needs-patch' keyword)

Sorry, force of habit and I thought your patch merely removed all double dashes. It was in the wee hours of the morning and I didn't realize your patch was specifically targeted at HTML comments. My apologies.

Switched to the "has-patch" tag. :)

(In [8382]) Prevent adjacent hyphens in a HTML/XML comment. Fixes #6642 for trunk. Props schiller.

Re-open for 2.6.1

(In [8383]) Prevent adjacent hyphens in a HTML/XML comment. Fixes #6642 for 2.6.1. Props schiller.

This appears broken again in WP 2.9.1 (though I did verify my fix appears in kses.php still). No idea why it's happening.

Since this ticket was marked as fixed for a shipped milestone, please open a new ticket and reference this one.