Ticket #37208: 37208.diff

wp-includes/comment.php

@@ -1055 +1055 @@
         $mod_keys = trim( get_option('blacklist_keys') );
         if ( '' == $mod_keys )
                 return false; // If moderation keys are empty
+
+        // Ensure that users can't use HTML tags to break up their words to bypass the blacklist.
+        $comment_without_html = wp_kses( $comment, array() );
+
         $words = explode("\n", $mod_keys );
 
         foreach ( (array) $words as $word ) {
@@ -1072 +1076 @@
                            preg_match($pattern, $author)
                         || preg_match($pattern, $email)
                         || preg_match($pattern, $url)
-                        || preg_match($pattern, $comment)
+                        || preg_match($pattern, $comment_without_html)
                         || preg_match($pattern, $user_ip)
                         || preg_match($pattern, $user_agent)
                  )