Make WordPress Core

Ticket #43857: 43857.3.patch

File 43857.3.patch, 7.5 KB (added by imath, 6 years ago)

Refresh the patch & make sure potential query vars added by plugins are not altered

  • src/wp-admin/includes/misc.php

    diff --git src/wp-admin/includes/misc.php src/wp-admin/includes/misc.php
    index a8600f1d24..a7b5fbfa1d 100644
    function wp_admin_canonical_url() { 
    11321132        $filtered_url = remove_query_arg( $removable_query_args, $current_url );
    11331133        ?>
    11341134        <link id="wp-admin-canonical" rel="canonical" href="<?php echo esc_url( $filtered_url ); ?>" />
    1135         <script>
    1136                 if ( window.history.replaceState ) {
    1137                         window.history.replaceState( null, null, document.getElementById( 'wp-admin-canonical' ).href + window.location.hash );
    1138                 }
    1139         </script>
    1140 <?php
     1135        <?php
     1136        wp_remove_feedback_query_args( 'wp-admin-canonical' );
    11411137}
    11421138
    11431139/**
  • src/wp-comments-post.php

    diff --git src/wp-comments-post.php src/wp-comments-post.php
    index c61e73dcd1..b4a7990de5 100644
    do_action( 'set_comment_cookies', $comment, $user, $cookies_consent ); 
    5454
    5555$location = empty( $_POST['redirect_to'] ) ? get_comment_link( $comment ) : $_POST['redirect_to'] . '#comment-' . $comment->comment_ID;
    5656
     57if ( ! $cookies_consent && 'unapproved' === wp_get_comment_status( $comment ) ) {
     58        $location = add_query_arg( 'unapproved', $comment->comment_ID, $location );
     59}
     60
    5761/**
    5862 * Filters the location URI to send the commenter after posting.
    5963 *
  • src/wp-includes/comment-template.php

    diff --git src/wp-includes/comment-template.php src/wp-includes/comment-template.php
    index 5c3f0b7844..6c9873dd57 100644
    function get_comment_reply_link( $args = array(), $comment = null, $post = null 
    16921692
    16931693                $link = sprintf(
    16941694                        "<a rel='nofollow' class='comment-reply-link' href='%s' %s aria-label='%s'>%s</a>",
    1695                         esc_url( add_query_arg( 'replytocom', $comment->comment_ID ) ) . "#" . $args['respond_id'],
     1695                        esc_url( add_query_arg( array( 'replytocom' => $comment->comment_ID, 'unapproved' => false ) ) ) . "#" . $args['respond_id'],
    16961696                        $data_attribute_string,
    16971697                        esc_attr( sprintf( $args['reply_to_text'], $comment->comment_author ) ),
    16981698                        $args['reply_text']
    function comment_form( $args = array(), $post_id = null ) { 
    22602260        $req      = get_option( 'require_name_email' );
    22612261        $html_req = ( $req ? " required='required'" : '' );
    22622262        $html5    = 'html5' === $args['format'];
    2263         $consent  = empty( $commenter['comment_author_email'] ) ? '' : ' checked="checked"';
     2263        $consent  = ' checked="checked"';
     2264        if ( empty( $commenter['cookies_consent'] ) ) {
     2265                $consent = '';
     2266                $commenter = array_fill_keys( array_keys( $commenter ), '' );
     2267        }
     2268
    22642269        $fields   = array(
    22652270                'author'  => '<p class="comment-form-author">' . '<label for="author">' . __( 'Name' ) . ( $req ? ' <span class="required">*</span>' : '' ) . '</label> ' .
    22662271                                         '<input id="author" name="author" type="text" value="' . esc_attr( $commenter['comment_author'] ) . '" size="30" maxlength="245"' . $html_req . ' /></p>',
  • src/wp-includes/comment.php

    diff --git src/wp-includes/comment.php src/wp-includes/comment.php
    index 4c78eb9b6a..bf3eda17d9 100644
    function _clear_modified_cache_on_transition_comment_status( $new_status, $old_s 
    17421742 * @see sanitize_comment_cookies() Use to sanitize cookies
    17431743 *
    17441744 * @since 2.0.4
     1745 * @since 4.9.6 Tries to get a query parameter containing the comment ID to
     1746 *              set the comment author data when the user has not consented
     1747 *              to cookies.
    17451748 *
    1746  * @return array Comment author, email, url respectively.
     1749 * @return array Comment author, email, url, cookies consent respectively.
    17471750 */
    17481751function wp_get_current_commenter() {
    17491752        // Cookies should already be sanitized.
    function wp_get_current_commenter() { 
    17631766                $comment_author_url = $_COOKIE[ 'comment_author_url_' . COOKIEHASH ];
    17641767        }
    17651768
     1769        $comment_author_data = compact( 'comment_author', 'comment_author_email', 'comment_author_url' );
     1770
     1771        if ( ! array_filter( $comment_author_data ) ) {
     1772                // Set the current commenter using the just posted comment ID.
     1773                if ( is_singular() && isset( $_GET['unapproved'] ) ) {
     1774                        $comment = get_comment( $_GET['unapproved'], ARRAY_A );
     1775
     1776                        if ( isset( $comment['comment_author_email'] ) ) {
     1777                                $comment_author_data = array_intersect_key( $comment, $comment_author_data );
     1778                        }
     1779                }
     1780
     1781                $comment_author_data['cookies_consent'] = false;
     1782        } else {
     1783                $comment_author_data['cookies_consent'] = true;
     1784        }
     1785
    17661786        /**
    17671787         * Filters the current commenter's name, email, and URL.
    17681788         *
    17691789         * @since 3.1.0
     1790         * @since 4.9.6 Adds the $cookies_consent parameter.
    17701791         *
    17711792         * @param array $comment_author_data {
    17721793         *     An array of current commenter variables.
    17731794         *
    1774          *     @type string $comment_author       The name of the author of the comment. Default empty.
    1775          *     @type string $comment_author_email The email address of the `$comment_author`. Default empty.
    1776          *     @type string $comment_author_url   The URL address of the `$comment_author`. Default empty.
     1795         *     @type string  $comment_author       The name of the author of the comment. Default empty.
     1796         *     @type string  $comment_author_email The email address of the `$comment_author`. Default empty.
     1797         *     @type string  $comment_author_url   The URL address of the `$comment_author`. Default empty.
     1798         *     @type boolean $cookies_consent      Whether the user consented to cookies or not. Default false.
    17771799         * }
    17781800         */
    1779         return apply_filters( 'wp_get_current_commenter', compact( 'comment_author', 'comment_author_email', 'comment_author_url' ) );
     1801        return apply_filters( 'wp_get_current_commenter', $comment_author_data );
    17801802}
    17811803
    17821804/**
  • src/wp-includes/functions.php

    diff --git src/wp-includes/functions.php src/wp-includes/functions.php
    index 763b98df28..612fa9d232 100644
    function wp_removable_query_args() { 
    931931        return apply_filters( 'removable_query_args', $removable_query_args );
    932932}
    933933
     934/**
     935 * Removes query variables used to provide user feedbacks from the current URL.
     936 *
     937 * @since 4.9.6
     938 *
     939 * @param string $canonical_id The canonical URL link tag's id attribute.
     940 */
     941function wp_remove_feedback_query_args( $canonical_id = 'wp-canonical' ) {
     942        $query_args = array();
     943
     944        if ( ! is_admin() ) {
     945                $query_args = wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_QUERY );
     946
     947                if ( ! $query_args ) {
     948                        return;
     949                } else {
     950                        $query_args = wp_parse_args( $query_args, array() );
     951
     952                        if ( ! isset( $query_args['unapproved'] ) ) {
     953                                return;
     954                        }
     955
     956                        // Remove the reserved query var key without altering the others.
     957                        unset( $query_args['unapproved'] );
     958                }
     959        }
     960        printf( '
     961<script>
     962        var canonicalUrl = document.getElementById( \'%1$s\' ).href.split( \'#\' )[0],
     963            qv = %2$s;
     964
     965        if ( \'object\' === typeof qv && qv.length ) {
     966                canonicalUrl += \'?\' + Object.keys( qv ).map( k => k + \'=\' + qv[k] ).join( \'&\' );
     967        }
     968
     969        if ( window.history.replaceState ) {
     970                window.history.replaceState( null, null, canonicalUrl + window.location.hash );
     971        }
     972</script>
     973        ', $canonical_id, json_encode( $query_args ) );
     974}
     975
    934976/**
    935977 * Walks the array while sanitizing the contents.
    936978 *
  • src/wp-includes/link-template.php

    diff --git src/wp-includes/link-template.php src/wp-includes/link-template.php
    index 815c539a4a..5c6489a328 100644
    function rel_canonical() { 
    37303730        $url = wp_get_canonical_url( $id );
    37313731
    37323732        if ( ! empty( $url ) ) {
    3733                 echo '<link rel="canonical" href="' . esc_url( $url ) . '" />' . "\n";
     3733                echo '<link id="wp-canonical" rel="canonical" href="' . esc_url( $url ) . '" />' . "\n";
     3734                wp_remove_feedback_query_args();
    37343735        }
    37353736}
    37363737