Changeset 3574

Timestamp:

02/28/2006 04:22:24 AM (19 years ago)

Author:

ryan

Message:

Strip all html from comment author name, email, and url.

Location:

trunk

Files:

• wp-comments-post.php (modified) (1 diff)
• wp-includes/kses.php (modified) (2 diffs)

trunk/wp-comments-post.php

@@ -49 +49 @@
 $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'user_ID');
 
-wp_new_comment( $commentdata );
+$comment_id = wp_new_comment( $commentdata );
 
+$comment = get_comment($comment_id);
 if ( !$user->ID ) :
-    setcookie('comment_author_' . COOKIEHASH, stripslashes($comment_author), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
-    setcookie('comment_author_email_' . COOKIEHASH, stripslashes($comment_author_email), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
-    setcookie('comment_author_url_' . COOKIEHASH, stripslashes(clean_url($comment_author_url)), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
+    setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
+    setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
+    setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->$comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
 endif;
 

trunk/wp-includes/kses.php

@@ -513 +513 @@
 function wp_filter_kses($data) {
     global $allowedtags;
-    return wp_kses($data, $allowedtags);
+    return addslashes( wp_kses(stripslashes( $data ), $allowedtags) );
 }
 
@@ -521 +521 @@
 }
 
+function wp_filter_nohtml_kses($data) {
+    return addslashes ( wp_kses(stripslashes( $data ), array()) );
+}
+
 function kses_init_filters() {
-        add_filter('pre_comment_author', 'wp_filter_kses');
-        add_filter('pre_comment_content', 'wp_filter_kses');
-        add_filter('content_save_pre', 'wp_filter_post_kses');
-        add_filter('title_save_pre', 'wp_filter_kses');
+    // Normal filtering.
+    add_filter('pre_comment_content', 'wp_filter_kses');
+    add_filter('title_save_pre', 'wp_filter_kses');
+
+    // Post filtering
+    add_filter('content_save_pre', 'wp_filter_post_kses');
+
+    // Strip all html.
+    add_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');
+    add_filter('pre_comment_author_url', 'wp_filter_nohtml_kses');
+    add_filter('pre_comment_author_email', 'wp_filter_nohtml_kses');
+    add_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');
+    add_filter('pre_comment_user_agent', 'wp_filter_nohtml_kses');
+    add_filter('pre_user_id', 'wp_filter_nohtml_kses');
+}
+
+function kses_remove_filters() {
+    // Normal filtering.
+    remove_filter('pre_comment_content', 'wp_filter_kses');
+    remove_filter('title_save_pre', 'wp_filter_kses');
+
+    // Post filtering
+    remove_filter('content_save_pre', 'wp_filter_post_kses');
+
+    // Strip all html.
+    remove_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');
+    remove_filter('pre_comment_author_url', 'wp_filter_nohtml_kses');
+    remove_filter('pre_comment_author_email', 'wp_filter_nohtml_kses');
+    remove_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');
+    remove_filter('pre_comment_user_agent', 'wp_filter_nohtml_kses');
+    remove_filter('pre_user_id', 'wp_filter_nohtml_kses');
 }
 
 function kses_init() {
-    remove_filter('pre_comment_author', 'wp_filter_kses');
-    remove_filter('pre_comment_content', 'wp_filter_kses');
-    remove_filter('content_save_pre', 'wp_filter_post_kses');
-    remove_filter('title_save_pre', 'wp_filter_kses');
+    kses_remove_filters();
 
     if (current_user_can('unfiltered_html') == false)
         kses_init_filters();
 }
+
 add_action('init', 'kses_init');
 add_action('set_current_user', 'kses_init');