
Ticket #3973: unfiltered_html_xsrf_xss.diff

File unfiltered_html_xsrf_xss.diff, 8.7 KB (added by markjaquith, 11 years ago)

Patch for all three WP branches

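--- a/trunk/wp-comments-post.php
+++ b/trunk/wp-comments-post.php
@@ -25,14 +25,20 @@
 
 // If the user is logged in
 $user = wp_get_current_user();
-if ( $user->ID ) :
+if ( $user->ID ) {
         $comment_author       = $wpdb->escape($user->display_name);
         $comment_author_email = $wpdb->escape($user->user_email);
         $comment_author_url   = $wpdb->escape($user->user_url);
-else :
+        if ( current_user_can('unfiltered_html') ) {
+                if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
+                        kses_remove_filters(); // start with a clean slate
+                        kses_init_filters(); // set up the filters
+                }
+        }
+} else {
         if ( get_option('comment_registration') )
                 wp_die( __('Sorry, you must be logged in to post a comment.') );
-endif;
+}
 
 $comment_type = '';
 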
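Review bot: The nonce check on new line 33 compares with loose `!=` and reads `$_POST['_wp_unfiltered_html_comment']` without `isset()`, so a missing field raises a notice and two numeric-looking strings are compared as numbers — if the nonce is a hex digest substring, as WordPress nonces presumably are, one of the form `0e` followed by digits would be matched by any submitted `0e…` value. Compare strictly and default the absent field to an empty string: `$submitted = isset($_POST['_wp_unfiltered_html_comment']) ? (string) $_POST['_wp_unfiltered_html_comment'] : '';` followed by `if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) !== $submitted ) {`. If this branch already has wp_verify_nonce(), prefer it so a form loaded just before a tick rollover is still accepted. Both mismatch paths fail closed (the kses filters are re-added), so this only tightens an already-safe default; note that $comment_post_ID is assigned above the hunk.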
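--- a/trunk/wp-includes/default-filters.php
+++ b/trunk/wp-includes/default-filters.php
@@ -31,6 +31,8 @@
 add_filter('pre_comment_author_email', 'wp_filter_kses');
 add_filter('pre_comment_author_url', 'wp_filter_kses');
 
+add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
+
 // Default filters for these functions
 add_filter('comment_author', 'wptexturize');
 add_filter('comment_author', 'convert_chars');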
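Review bot: The nonce field wired up by the new add_action on line 34 only reaches the page if the theme's comments.php fires the `comment_form` action; a theme that omits it makes wp-comments-post.php strip HTML from privileged users' comments with no indication why. That is the safe direction, but the dependency deserves a comment beside the hook: `// Emits the nonce wp-comments-post.php requires before honouring unfiltered_html; themes must fire do_action('comment_form').`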
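--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -1000,9 +1000,11 @@
         return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl));
 }
 
-function wp_nonce_field($action = -1) {
-        echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />';
-        wp_referer_field();
+function wp_nonce_field($action = -1, $name = "_wpnonce", $referer = true) {
+        $name = attribute_escape($name);
+        echo '<input type="hidden" name="' . $name . '" value="' . wp_create_nonce($action) . '" />';
+        if ( $referer )
+                wp_referer_field();
 }
 
 function wp_referer_field() {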
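Review bot: The two new parameters on wp_nonce_field() at line 1003 are undocumented, and a caller that passes a custom $name moves the nonce out of the `_wpnonce` field that the generic checker presumably reads (check_admin_referer()), so the verifying side must read the renamed field explicitly. Add a docblock above the function stating that $name is the form field name (attribute-escaped here), that $referer controls whether wp_referer_field() is also emitted, and that a renamed field must be verified with wp_verify_nonce($_POST[$name], $action) rather than the default helper. The nonce value is echoed unescaped, which is only safe as long as wp_create_nonce() keeps returning a plain hex string — worth stating in the same docblock.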
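--- a/trunk/wp-includes/comment-template.php
+++ b/trunk/wp-includes/comment-template.php
@@ -271,6 +271,12 @@
                 return false;
 }
 
+function wp_comment_form_unfiltered_html_nonce() {
+        global $post;
+        if ( current_user_can('unfiltered_html') )
+                wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false);
+}
+
 function comments_template( $file = '/comments.php' ) {
         global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity;
 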
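Review bot: wp_comment_form_unfiltered_html_nonce() at line 274 builds the nonce action from `global $post`, so if the hook fires outside the loop or with $post unset, `$post->ID` is empty, the emitted nonce cannot match what wp-comments-post.php derives from the submitted comment_post_ID, and the only symptom is that a privileged user's HTML is silently stripped. Take the post ID the `comment_form` action passes (the default theme presumably calls it with `$post->ID` — confirm), fall back to the global, and emit nothing when no ID is known, so the field is never generated for an unknown post.
```php
function wp_comment_form_unfiltered_html_nonce( $post_id = 0 ) {
        if ( ! $post_id ) {
                global $post;
                $post_id = isset( $post->ID ) ? $post->ID : 0;
        }
        if ( $post_id && current_user_can('unfiltered_html') )
                wp_nonce_field('unfiltered-html-comment_' . $post_id, '_wp_unfiltered_html_comment', false);
}
```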
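--- a/branches/2.0/wp-comments-post.php
+++ b/branches/2.0/wp-comments-post.php
@@ -25,14 +25,20 @@
 
 // If the user is logged in
 $user = wp_get_current_user();
-if ( $user->ID ) :
+if ( $user->ID ) {
         $comment_author       = $wpdb->escape($user->display_name);
         $comment_author_email = $wpdb->escape($user->user_email);
         $comment_author_url   = $wpdb->escape($user->user_url);
-else :
+        if ( current_user_can('unfiltered_html') ) {
+                if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
+                        kses_remove_filters(); // start with a clean slate
+                        kses_init_filters(); // set up the filters
+                }
+        }
+} else {
         if ( get_option('comment_registration') )
                 die( __('Sorry, you must be logged in to post a comment.') );
-endif;
+}
 
 $comment_type = '';
 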
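Review bot: As in trunk, the comparison on new line 33 is loose `!=` against a `$_POST` key that may be absent; PHP compares two numeric-looking strings as numbers, so a nonce shaped like `0e` plus digits would accept any `0e…` submission, and a missing field emits a notice. Use `if ( ! isset($_POST['_wp_unfiltered_html_comment']) || wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) !== (string) $_POST['_wp_unfiltered_html_comment'] ) {` — or wp_verify_nonce() if the 2.0 branch has it, which also tolerates a tick rollover between form load and submit. The failure path already re-adds the kses filters, so the change is purely a tightening; $comment_post_ID is set above the hunk.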
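--- a/branches/2.0/wp-includes/default-filters.php
+++ b/branches/2.0/wp-includes/default-filters.php
@@ -33,6 +33,8 @@
 add_filter('pre_comment_author_email', 'wp_filter_kses');
 add_filter('pre_comment_author_url', 'wp_filter_kses');
 
+add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
+
 // Default filters for these functions
 add_filter('comment_author', 'wptexturize');
 add_filter('comment_author', 'convert_chars');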
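Review bot: The add_action on line 36 relies on the theme firing `comment_form`; when a theme does not, wp-comments-post.php will fail closed and strip HTML from users who hold unfiltered_html, with nothing in the UI explaining why. Record that contract next to the hook: `// Nonce required by wp-comments-post.php before honouring unfiltered_html; themes must call do_action('comment_form').`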
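--- a/branches/2.0/wp-includes/functions.php
+++ b/branches/2.0/wp-includes/functions.php
@@ -2372,9 +2372,11 @@
         return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl));
 }
 
-function wp_nonce_field($action = -1) {
-        echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />';
-        wp_referer_field();
+function wp_nonce_field($action = -1, $name = "_wpnonce", $referer = true) {
+        $name = attribute_escape($name);
+        echo '<input type="hidden" name="' . $name . '" value="' . wp_create_nonce($action) . '" />';
+        if ( $referer )
+                wp_referer_field();
 }
 
 function wp_referer_field() {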
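Review bot: The extended wp_nonce_field() signature at line 2375 has no documentation, and the $name parameter changes where the nonce is submitted, so callers that rename it cannot rely on a checker that looks at `_wpnonce`. A short docblock should state that $name is attribute-escaped before output, that $referer gates the wp_referer_field() call, and that a renamed field must be verified explicitly via wp_verify_nonce($_POST[$name], $action). The defaults keep existing callers' output byte-identical, which is worth saying so nobody "fixes" the double-quoted default.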
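--- a/branches/2.0/wp-includes/comment-functions.php
+++ b/branches/2.0/wp-includes/comment-functions.php
@@ -2,6 +2,12 @@
 
 // Template functions
 
+function wp_comment_form_unfiltered_html_nonce() {
+        global $post;
+        if ( current_user_can('unfiltered_html') )
+                wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false);
+}
+
 function comments_template( $file = '/comments.php' ) {
         global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity;
 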
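Review bot: The new function at line 5 reads `$post->ID` from the global without checking it exists; outside the loop that yields an empty ID, an action string that can never match the one wp-comments-post.php computes from comment_post_ID, and a comment whose HTML is silently stripped. Prefer the post ID passed by the `comment_form` action when present (presumably `$post->ID` from the theme — confirm), fall back to the global, and skip output when no ID is available.
```php
function wp_comment_form_unfiltered_html_nonce( $post_id = 0 ) {
        if ( ! $post_id ) {
                global $post;
                $post_id = isset( $post->ID ) ? $post->ID : 0;
        }
        if ( $post_id && current_user_can('unfiltered_html') )
                wp_nonce_field('unfiltered-html-comment_' . $post_id, '_wp_unfiltered_html_comment', false);
}
```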
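--- a/branches/2.1/wp-comments-post.php
+++ b/branches/2.1/wp-comments-post.php
@@ -25,14 +25,20 @@
 
 // If the user is logged in
 $user = wp_get_current_user();
-if ( $user->ID ) :
+if ( $user->ID ) {
         $comment_author       = $wpdb->escape($user->display_name);
         $comment_author_email = $wpdb->escape($user->user_email);
         $comment_author_url   = $wpdb->escape($user->user_url);
-else :
+        if ( current_user_can('unfiltered_html') ) {
+                if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
+                        kses_remove_filters(); // start with a clean slate
+                        kses_init_filters(); // set up the filters
+                }
+        }
+} else {
         if ( get_option('comment_registration') )
                 wp_die( __('Sorry, you must be logged in to post a comment.') );
-endif;
+}
 
 $comment_type = '';
 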
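Review bot: New line 33 compares the freshly generated nonce with `!=` against `$_POST['_wp_unfiltered_html_comment']`, which is both unchecked for presence and subject to PHP's numeric-string coercion; a nonce of the form `0e` plus digits would be matched by any `0e…` submission. Switch to a strict comparison with an explicit default, `if ( ! isset($_POST['_wp_unfiltered_html_comment']) || wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) !== (string) $_POST['_wp_unfiltered_html_comment'] ) {`, or use wp_verify_nonce() if this branch provides it so the previous tick is also honoured. The mismatch path re-adds the kses filters either way, so this is a tightening rather than a behaviour change; $comment_post_ID comes from above the hunk.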
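--- a/branches/2.1/wp-includes/default-filters.php
+++ b/branches/2.1/wp-includes/default-filters.php
@@ -31,6 +31,8 @@
 add_filter('pre_comment_author_email', 'wp_filter_kses');
 add_filter('pre_comment_author_url', 'wp_filter_kses');
 
+add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
+
 // Default filters for these functions
 add_filter('comment_author', 'wptexturize');
 add_filter('comment_author', 'convert_chars');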
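Review bot: The hook registered on line 34 is only effective when the active theme fires `comment_form`; otherwise the nonce never reaches the form and wp-comments-post.php will strip HTML from unfiltered_html users without explanation. Fail-closed is the right default, but document it at the hook: `// Emits the nonce wp-comments-post.php checks before honouring unfiltered_html; requires the theme to fire do_action('comment_form').`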
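--- a/branches/2.1/wp-includes/functions.php
+++ b/branches/2.1/wp-includes/functions.php
@@ -920,9 +920,11 @@
         return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl));
 }
 
-function wp_nonce_field($action = -1) {
-        echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />';
-        wp_referer_field();
+function wp_nonce_field($action = -1, $name = "_wpnonce", $referer = true) {
+        $name = attribute_escape($name);
+        echo '<input type="hidden" name="' . $name . '" value="' . wp_create_nonce($action) . '" />';
+        if ( $referer )
+                wp_referer_field();
 }
 
 function wp_referer_field() {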
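Review bot: wp_nonce_field() at line 923 gains $name and $referer without any documentation of what a caller takes on by using them — in particular that a custom $name must be read back explicitly with wp_verify_nonce($_POST[$name], $action), since generic checkers presumably look only at `_wpnonce`. A docblock above the function covering the field name (escaped via attribute_escape), the $referer switch for wp_referer_field(), and the verification requirement would close that gap. The nonce value is echoed without escaping, which holds only while wp_create_nonce() returns a plain hex string; state that assumption too.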
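--- a/branches/2.1/wp-includes/comment-template.php
+++ b/branches/2.1/wp-includes/comment-template.php
@@ -271,6 +271,12 @@
                 return false;
 }
 
+function wp_comment_form_unfiltered_html_nonce() {
+        global $post;
+        if ( current_user_can('unfiltered_html') )
+                wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false);
+}
+
 function comments_template( $file = '/comments.php' ) {
         global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity;
 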
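Review bot: The helper added at line 274 derives the nonce action from `global $post` with no guard, so a comment form rendered where $post is unset produces an action the submit handler can never reproduce from comment_post_ID, and the user just sees their markup stripped. Accept the post ID the `comment_form` action passes (the theme presumably supplies `$post->ID` — confirm), fall back to the global, and emit nothing when neither is available.
```php
function wp_comment_form_unfiltered_html_nonce( $post_id = 0 ) {
        if ( ! $post_id ) {
                global $post;
                $post_id = isset( $post->ID ) ? $post->ID : 0;
        }
        if ( $post_id && current_user_can('unfiltered_html') )
                wp_nonce_field('unfiltered-html-comment_' . $post_id, '_wp_unfiltered_html_comment', false);
}
```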