Make WordPress Core

Changeset 34274


Timestamp:
09/17/2015 10:21:06 PM (9 years ago)
Author:
wonderboymusic
Message:

In wp-comments-post.php, sanity check a few of the comment inputs that are expected to be a string before calling string-only functions on them.

Props Kloon.
Fixes #23416.

File:
1 edited

  • trunk/src/wp-comments-post.php

    r34042 r34274  
    9090}
    9191
    92 $comment_author       = ( isset($_POST['author']) )  ? trim(strip_tags($_POST['author'])) : null;
    93 $comment_author_email = ( isset($_POST['email']) )   ? trim($_POST['email']) : null;
    94 $comment_author_url   = ( isset($_POST['url']) )     ? trim($_POST['url']) : null;
    95 $comment_content      = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;
     92$comment_author       = ( isset( $_POST['author'] ) && is_string( $_POST['author'] ) ) ? trim( strip_tags( $_POST['author'] ) ) : null;
     93$comment_author_email = ( isset( $_POST['email'] ) && is_email( $_POST['email'] ) ) ? trim( $_POST['email'] ) : null;
     94$comment_author_url   = ( isset( $_POST['url'] ) && is_string( $_POST['url'] ) ) ? trim( $_POST['url'] ) : null;
     95$comment_content      = ( isset( $_POST['comment'] ) && is_string( $_POST['comment'] ) ) ? trim( $_POST['comment'] ) : null;
    9696
    9797// If the user is logged in
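Review bot: On new line 93 the email field is the only input not guarded by is_string(). is_email() receives the raw $_POST['email'] before trim() is applied, so a non-string value (for example an array) is still handed to a function that expects a string, and an address with leading or trailing whitespace is validated in its untrimmed form. Suggest guarding with is_string( $_POST['email'] ) like the other three fields and, if format validation belongs here at all, running is_email() on the trimmed value. This line also turns a malformed address into null at this point, which goes beyond the type check the commit message describes; please confirm that the code following this hunk handles a null email the way it is meant to.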