Ticket #43857: 43857.6.diff

src/wp-admin/includes/misc.php

@@ -1144 +1144 @@
         $filtered_url = remove_query_arg( $removable_query_args, $current_url );
         ?>
         <link id="wp-admin-canonical" rel="canonical" href="<?php echo esc_url( $filtered_url ); ?>" />
-        <script>
-                if ( window.history.replaceState ) {
-                        window.history.replaceState( null, null, document.getElementById( 'wp-admin-canonical' ).href + window.location.hash );
-                }
-        </script>
         <?php
+        wp_remove_feedback_query_args( 'wp-admin-canonical' );
 }
 
 /**

src/wp-comments-post.php

@@ -57 +57 @@
 $location = empty( $_POST['redirect_to'] ) ? get_comment_link( $comment ) : $_POST['redirect_to'] . '#comment-' . $comment->comment_ID;
 
 /**
+ * Add specific query arguments to display the awaiting moderation message
+ * to users who did not consent to cookies.
+ */
+if ( ! $cookies_consent && 'unapproved' === wp_get_comment_status( $comment ) ) {
+        $location = add_query_arg( array(
+                'unapproved'      => $comment->comment_ID,
+                'moderation-hash' => wp_hash( $comment->comment_date_gmt ),
+        ), $location );
+}
+
+/**
  * Filters the location URI to send the commenter after posting.
  *
  * @since 2.0.5

src/wp-includes/comment-template.php

@@ -1693 +1693 @@
 
                 $link = sprintf(
                         "<a rel='nofollow' class='comment-reply-link' href='%s' %s aria-label='%s'>%s</a>",
-                        esc_url( add_query_arg( 'replytocom', $comment->comment_ID ) ) . '#' . $args['respond_id'],
+                        esc_url( add_query_arg( array(
+                                'replytocom'      => $comment->comment_ID,
+                                'unapproved'      => false,
+                                'moderation-hash' => false,
+                        ) ) ) . "#" . $args['respond_id'],                      
                         $data_attribute_string,
                         esc_attr( sprintf( $args['reply_to_text'], $comment->comment_author ) ),
                         $args['reply_text']
@@ -2256 +2260 @@
         $commenter     = wp_get_current_commenter();
         $user          = wp_get_current_user();
         $user_identity = $user->exists() ? $user->display_name : '';
+        $fields        = array();
+
+        if ( has_action( 'set_comment_cookies', 'wp_set_comment_cookies' ) ) {
+                $consent = '';
+                if ( isset( $commenter['cookies_consent'] ) && true === $commenter['cookies_consent'] ) {
+                        $consent = ' checked="checked"';
+
+                // User has not consent coookies, reset the $commenter to empty the comment form.
+                } else {
+                        $commenter = array_fill_keys( array_keys( $commenter ), '' );
+                }
+
+                // Set cookies consent comment field.
+                $fields['cookies'] = '<p class="comment-form-cookies-consent"><input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes"' . $consent . ' />' .
+                                                         '<label for="wp-comment-cookies-consent">' . __( 'Save my name, email, and website in this browser for the next time I comment.' ) . '</label></p>';
+        }
 
         $args = wp_parse_args( $args );
         if ( ! isset( $args['format'] ) ) {
@@ -2265 +2285 @@
         $req      = get_option( 'require_name_email' );
         $html_req = ( $req ? " required='required'" : '' );
         $html5    = 'html5' === $args['format'];
-        $fields   = array(
+
+        // Set regular comment fields making sure the cookies consent is the last one.
+        $fields   = array_merge( array(
                 'author' => '<p class="comment-form-author">' . '<label for="author">' . __( 'Name' ) . ( $req ? ' <span class="required">*</span>' : '' ) . '</label> ' .
                                          '<input id="author" name="author" type="text" value="' . esc_attr( $commenter['comment_author'] ) . '" size="30" maxlength="245"' . $html_req . ' /></p>',
                 'email'  => '<p class="comment-form-email"><label for="email">' . __( 'Email' ) . ( $req ? ' <span class="required">*</span>' : '' ) . '</label> ' .
                                          '<input id="email" name="email" ' . ( $html5 ? 'type="email"' : 'type="text"' ) . ' value="' . esc_attr( $commenter['comment_author_email'] ) . '" size="30" maxlength="100" aria-describedby="email-notes"' . $html_req . ' /></p>',
                 'url'    => '<p class="comment-form-url"><label for="url">' . __( 'Website' ) . '</label> ' .
                                          '<input id="url" name="url" ' . ( $html5 ? 'type="url"' : 'type="text"' ) . ' value="' . esc_attr( $commenter['comment_author_url'] ) . '" size="30" maxlength="200" /></p>',
-        );
+        ), $fields );
 
-        if ( has_action( 'set_comment_cookies', 'wp_set_comment_cookies' ) && get_option( 'show_comments_cookies_opt_in' ) ) {
-                $consent           = empty( $commenter['comment_author_email'] ) ? '' : ' checked="checked"';
-                $fields['cookies'] = '<p class="comment-form-cookies-consent"><input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes"' . $consent . ' />' .
-                                                         '<label for="wp-comment-cookies-consent">' . __( 'Save my name, email, and website in this browser for the next time I comment.' ) . '</label></p>';
-
-                // Ensure that the passed fields include cookies consent.
-                if ( isset( $args['fields'] ) && ! isset( $args['fields']['cookies'] ) ) {
-                        $args['fields']['cookies'] = $fields['cookies'];
-                }
+        // Ensure that the passed fields include cookies consent.
+        if ( isset( $args['fields'] ) && ! isset( $args['fields']['cookies'] ) ) {
+                $args['fields']['cookies'] = $fields['cookies'];
         }
 
         $required_text = sprintf( ' ' . __( 'Required fields are marked %s' ), '<span class="required">*</span>' );

src/wp-includes/comment.php

@@ -1743 +1743 @@
  * @see sanitize_comment_cookies() Use to sanitize cookies
  *
  * @since 2.0.4
+ * @since 4.9.9 Tries to get a query parameter containing the comment ID to
+ *              set the comment author data when the user has not consented
+ *              to cookies.
  *
- * @return array Comment author, email, url respectively.
+ * @return array Comment author, email, url, cookies consent respectively.
  */
 function wp_get_current_commenter() {
         // Cookies should already be sanitized.
@@ -1764 +1767 @@
                 $comment_author_url = $_COOKIE[ 'comment_author_url_' . COOKIEHASH ];
         }
 
+        $comment_author_data = compact( 'comment_author', 'comment_author_email', 'comment_author_url' );
+
+        if ( ! array_filter( $comment_author_data ) ) {
+                // Set the current commenter using the just posted comment ID.
+                if ( is_singular() && isset( $_GET['unapproved'] ) ) {
+                        $comment = get_comment( $_GET['unapproved'], ARRAY_A );
+
+                        if ( isset( $_GET['moderation-hash'] ) && isset( $comment['comment_date_gmt'] ) && wp_hash( $comment['comment_date_gmt'] ) === $_GET['moderation-hash'] ) {
+                                $comment_author_data = array_intersect_key( $comment, $comment_author_data );
+                        }
+                }
+
+                $comment_author_data['cookies_consent'] = false;
+        } else {
+                $comment_author_data['cookies_consent'] = true;
+        }
+
         /**
          * Filters the current commenter's name, email, and URL.
          *
          * @since 3.1.0
+         * @since 4.9.9 Adds the $cookies_consent argument to the
+         *              array of current commenter variables.
          *
          * @param array $comment_author_data {
          *     An array of current commenter variables.
          *
-         *     @type string $comment_author       The name of the author of the comment. Default empty.
-         *     @type string $comment_author_email The email address of the `$comment_author`. Default empty.
-         *     @type string $comment_author_url   The URL address of the `$comment_author`. Default empty.
+         *     @type string  $comment_author       The name of the author of the comment. Default empty.
+         *     @type string  $comment_author_email The email address of the `$comment_author`. Default empty.
+         *     @type string  $comment_author_url   The URL address of the `$comment_author`. Default empty.
+         *     @type boolean $cookies_consent      Whether the user consented to cookies or not. Default false.
          * }
          */
-        return apply_filters( 'wp_get_current_commenter', compact( 'comment_author', 'comment_author_email', 'comment_author_url' ) );
+        return apply_filters( 'wp_get_current_commenter', $comment_author_data );
 }
 
 /**

src/wp-includes/functions.php

@@ -972 +972 @@
 }
 
 /**
+ * Removes query variables used to provide user feedbacks from the current URL.
+ *
+ * @since 4.9.9
+ *
+ * @param string $canonical_id The canonical URL link tag's id attribute.
+ */
+function wp_remove_feedback_query_args( $canonical_id = 'wp-canonical' ) {
+        $query_args = array();
+
+        if ( ! is_admin() ) {
+                $query_args = wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_QUERY );
+
+                if ( ! $query_args ) {
+                        return;
+                } else {
+                        $query_args = wp_parse_args( $query_args, array() );
+
+                        if ( ! isset( $query_args['unapproved'] ) ) {
+                                return;
+                        }
+
+                        // Remove the reserved query var key without altering the others.
+                        $query_args = array_diff_key( $query_args, array_flip( array(
+                                'unapproved',
+                                'moderation-hash',
+                        ) ) );
+                }
+        }
+        printf( '
+<script>
+        var canonicalUrl = document.getElementById( \'%1$s\' ).href.split( \'#\' )[0],
+                qv = %2$s;
+
+        if ( \'object\' === typeof qv && undefined === qv.length ) {
+                canonicalUrl += \'?\' + Object.keys( qv ).map( k => k + \'=\' + qv[k] ).join( \'&\' );
+        }
+
+        if ( window.history.replaceState ) {
+                window.history.replaceState( null, null, canonicalUrl + window.location.hash );
+        }
+</script>
+        ', $canonical_id, json_encode( $query_args ) );
+}
+
+/**
  * Walks the array while sanitizing the contents.
  *
  * @since 0.71

src/wp-includes/link-template.php

@@ -3740 +3740 @@
         $url = wp_get_canonical_url( $id );
 
         if ( ! empty( $url ) ) {
-                echo '<link rel="canonical" href="' . esc_url( $url ) . '" />' . "\n";
+                echo '<link id="wp-canonical" rel="canonical" href="' . esc_url( $url ) . '" />' . "\n";
+                wp_remove_feedback_query_args();
         }
 }