
Ticket #23416: 23416.diff

File 23416.diff, 1.2 KB (added by Kloon, 9 years ago)

validate comment $_POST vars

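--- a/wp-comments-post.php
+++ b/wp-comments-post.php
@@ -89,10 +89,10 @@
         do_action( 'pre_comment_on_post', $comment_post_ID );
 }
 
-$comment_author       = ( isset($_POST['author']) )  ? trim(strip_tags($_POST['author'])) : null;
-$comment_author_email = ( isset($_POST['email']) )   ? trim($_POST['email']) : null;
-$comment_author_url   = ( isset($_POST['url']) )     ? trim($_POST['url']) : null;
-$comment_content      = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;
+$comment_author       = ( isset( $_POST['author'] ) && is_string( $_POST['author'] ) )  ? trim( strip_tags( $_POST['author'] ) ) : null;
+$comment_author_email = ( isset( $_POST['email'] ) && is_email( $_POST['email'] ) )   ? trim( $_POST['email'] ) : null;
+$comment_author_url   = ( isset( $_POST['url'] ) && is_string( $_POST['url'] ) ) ? trim( $_POST['url'] ) : null;
+$comment_content      = ( isset( $_POST['comment'] ) && is_string( $_POST['comment'] ) ) ? trim( $_POST['comment'] ) : null;
 
 // If the user is logged in
 $user = wp_get_current_user();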
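Review bot: The email line (new line 93) calls `is_email()` on the raw value but trims only in the true branch, so an address with surrounding whitespace that the removed code accepted after `trim()` now silently becomes null; unless `is_email()` tolerates leading/trailing whitespace (I can't confirm that from this hunk), that is a regression for users who paste an address with a trailing space. It is also the only one of the four lines without an `is_string()` guard, so an array submitted under `email` reaches `is_email()` directly, where string functions would emit a warning or, on newer PHP, a TypeError. Guarding and validating the trimmed value keeps the four lines consistent: `$comment_author_email = ( isset( $_POST['email'] ) && is_string( $_POST['email'] ) && is_email( trim( $_POST['email'] ) ) ) ? trim( $_POST['email'] ) : null;`. Separately, an invalid but non-empty email now arrives at the later checks as null rather than as a string, so any "invalid email" message the rest of this file emitted for the old code would be replaced by whatever the null path reports — worth confirming against the code after this hunk.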