

Ticket #5998: bug5998.patch

File bug5998.patch, 2.1 KB (added by schiller, 12 years ago)

Patch. Assumes UTF-8. Only handles comment submission (not trackbacks, search queries, etc.).

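--- a/wp-comments-post.php
+++ b/wp-comments-post.php
@@ -29,6 +29,37 @@
 $comment_author_url   = trim($_POST['url']);
 $comment_content      = trim($_POST['comment']);
 
+  // Bug 5998 Add:  Prevent invalid Unicode characters
+  // regex that matches all valid Unicode UTF-8 bytes
+  $re = "/" .
+        "[\x09\x0A\x0D\x20-\x7E]" .                             // ASCII
+        "|[\xC2-\xDF][\x80-\xBF]" .                             // non-overlong 2-byte
+        "|\xE0[\xA0-\xBF][\x80-\xBF]" .                         // excluding overlongs
+        "|[\xE1-\xEC\xEE][\x80-\xBF]{2}" .                      // 3-byte, but exclude U-FFFE and U-FFFF
+        "|\xEF[\x80-\xBE][\x80-\xBF]" .
+        "|\xEF\xBF[\x80-\xBD]" .
+        "|\xED[\x80-\x9F][\x80-\xBF]" .                 // excluding surrogates
+        "|\xF0[\x90-\xBF][\x80-\xBF]{2}" .                      // planes 1-3
+        "|[\xF1-\xF3][\x80-\xBF]{3}" .                          // planes 4-15
+        "|\xF4[\x80-\x8F][\x80-\xBF]{2}" .                      // plane 16
+        "/";
+  $bad_unicode = preg_replace($re, "", $comment_author);
+  if( strlen($bad_unicode) != 0 ) {
+    wp_die( __('Sorry, I cannot let you post that.  You have entered invalid Unicode characters in your Name that could break my site') );
+  }
+  $bad_unicode = preg_replace($re, "", $comment_author_email);
+  if( strlen($bad_unicode) != 0 ) {
+    wp_die( __('Sorry, I cannot let you post that.  You have entered invalid Unicode characters in your Mail Address that could break my site') );
+  }
+  $bad_unicode = preg_replace($re, "", $comment_author_url);
+  if( strlen($bad_unicode) != 0 ) {
+    wp_die( __('Sorry, I cannot let you post that.  You have entered invalid Unicode characters in your Website URL that could break my site') );
+  }
+  $bad_unicode = preg_replace($re, "", $comment_content);
+  if( strlen($bad_unicode) != 0 ) {
+    wp_die( __('Sorry, I cannot let you post that.  You have entered invalid Unicode characters in your Comment that could break my site') );
+  }
+
 // If the user is logged in
 $user = wp_get_current_user();
 if ( $user->ID ) {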
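Review bot: The checks at new lines 47, 51, 55 and 59 fail open on a PCRE error: preg_replace() returns null when the engine gives up (for example on hitting the backtrack limit with a long comment), strlen(null) is 0, and wp_die() is skipped, so each comparison should read `if ( $bad_unicode === null || strlen($bad_unicode) != 0 ) {`. The same five-line block is repeated four times with only the variable and the field name changing, so it reads better as one helper taking the value and the message, sketched below (it belongs in a shared file rather than in wp-comments-post.php). The description says the patch assumes UTF-8, but nothing in the hunk gates on that, so a site whose `blog_charset` option is not UTF-8 would reject legitimate comments; wrapping the calls in a charset check keeps the behaviour limited to UTF-8 sites. `$comment_author` and `$comment_author_email` are assigned above the hunk, so I am assuming they are the trimmed `$_POST` values like the two visible ones.
```php
// … unchanged: $re definition …

// Dies with $message unless $value consists only of well-formed UTF-8 sequences per $re.
// A null from preg_replace() means PCRE itself failed; treat that as invalid so the check fails closed.
function bug5998_die_on_invalid_utf8( $value, $message, $re ) {
	$bad_unicode = preg_replace( $re, '', $value );
	if ( $bad_unicode === null || strlen( $bad_unicode ) != 0 ) {
		wp_die( $message );
	}
}

// The byte-level regex only makes sense for UTF-8 content; leave other charsets alone.
if ( 'utf-8' === strtolower( get_option( 'blog_charset' ) ) ) {
	bug5998_die_on_invalid_utf8( $comment_author, __('Sorry, I cannot let you post that.  You have entered invalid Unicode characters in your Name that could break my site'), $re );
	// … same call for $comment_author_email, $comment_author_url and $comment_content with their existing messages …
}
```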