
Changeset 36272


Timestamp:
01/13/2016 01:24:46 AM (9 years ago)
Author:
rachelbaker
Message:

Comments: Restrict the maximum characters for input fields within the comments template.

Added hardcoded maxlength attributes on the author, author_email, author_url, and comment_field input markup. These can be modified via the comment_form_defaults filter. Added logic in wp_handle_comment_submission() to return a WP_Error when the comment_author, comment_author_url, or comment_content values exceed the max length of their columns. Introduces wp_get_comment_column_max_length() which returns the max column length for a given column name, and is filterable. Unit tests are included for the error conditions in wp_handle_comment_submission().

Fixes #10377.

Props westonruter rachelbaker.

Location:
trunk
Files:
4 edited

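--- a/trunk/src/wp-includes/comment-template.php
+++ b/trunk/src/wp-includes/comment-template.php
@@ -2100,9 +2100,9 @@
     $fields   =  array(
         'author' => '<p class="comment-form-author">' . '<label for="author">' . __( 'Name' ) . ( $req ? ' <span class="required">*</span>' : '' ) . '</label> ' .
-                    '<input id="author" name="author" type="text" value="' . esc_attr( $commenter['comment_author'] ) . '" size="30"' . $aria_req . $html_req . ' /></p>',
+                    '<input id="author" name="author" type="text" value="' . esc_attr( $commenter['comment_author'] ) . '" size="30" maxlength="245"' . $aria_req . $html_req . ' /></p>',
         'email'  => '<p class="comment-form-email"><label for="email">' . __( 'Email' ) . ( $req ? ' <span class="required">*</span>' : '' ) . '</label> ' .
-                    '<input id="email" name="email" ' . ( $html5 ? 'type="email"' : 'type="text"' ) . ' value="' . esc_attr(  $commenter['comment_author_email'] ) . '" size="30" aria-describedby="email-notes"' . $aria_req . $html_req  . ' /></p>',
+                    '<input id="email" name="email" ' . ( $html5 ? 'type="email"' : 'type="text"' ) . ' value="' . esc_attr(  $commenter['comment_author_email'] ) . '" size="30" maxlength="100" aria-describedby="email-notes"' . $aria_req . $html_req  . ' /></p>',
         'url'    => '<p class="comment-form-url"><label for="url">' . __( 'Website' ) . '</label> ' .
-                    '<input id="url" name="url" ' . ( $html5 ? 'type="url"' : 'type="text"' ) . ' value="' . esc_attr( $commenter['comment_author_url'] ) . '" size="30" /></p>',
+                    '<input id="url" name="url" ' . ( $html5 ? 'type="url"' : 'type="text"' ) . ' value="' . esc_attr( $commenter['comment_author_url'] ) . '" size="30" maxlength="200" /></p>',
     );
 
@@ -2119,5 +2119,5 @@
     $defaults = array(
         'fields'               => $fields,
-        'comment_field'        => '<p class="comment-form-comment"><label for="comment">' . _x( 'Comment', 'noun' ) . '</label> <textarea id="comment" name="comment" cols="45" rows="8" aria-required="true" required="required"></textarea></p>',
+        'comment_field'        => '<p class="comment-form-comment"><label for="comment">' . _x( 'Comment', 'noun' ) . '</label> <textarea id="comment" name="comment" cols="45" rows="8" maxlength="65525" aria-required="true" required="required"></textarea></p>',
         /** This filter is documented in wp-includes/link-template.php */
         'must_log_in'          => '<p class="must-log-in">' . sprintf( __( 'You must be <a href="%s">logged in</a> to post a comment.' ), wp_login_url( apply_filters( 'the_permalink', get_permalink( $post_id ) ) ) ) . '</p>',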
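Review bot: The `maxlength` values added at lines 2102, 2104, 2106 and 2121 are fixed literals, while the server-side limit they mirror comes from wp_get_comment_column_max_length(), which is DB-derived and filterable, so the two can drift apart silently — a site that filters the server limit downward still ships a form that accepts longer input. Browsers also count `maxlength` in characters, whereas the submission check in comment.php compares byte lengths via `mb_strlen( ..., '8bit' )`, so a multibyte name within 245 characters can still be rejected server-side. Both points deserve a comment next to `$fields`, e.g. `// maxlength mirrors the comments table column sizes (see wp_get_comment_column_max_length()); it is a client-side hint only, the server check remains authoritative.`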
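--- a/trunk/src/wp-includes/comment.php
+++ b/trunk/src/wp-includes/comment.php
@@ -949,4 +949,41 @@
 
 /**
+ * Calculate the maximum character length of a column from the comments table.
+ *
+ * @since 4.5.0
+ *
+ * @global wpdb $wpdb WordPress database abstraction object.
+ *
+ * @param string $column Name of a column in the comments table.
+ * @return int Maximum column character length.
+ */
+function wp_get_comment_column_max_length( $column ) {
+    global $wpdb;
+
+    $col_length = $wpdb->get_col_length( $wpdb->comments, $column );
+    if ( ! is_array( $col_length ) && (int) $col_length > 0 ) {
+        $max_length = (int) $col_length;
+    } elseif ( is_array( $col_length ) && isset( $col_length['length'] ) && intval( $col_length['length'] ) > 0 ) {
+        $max_length = (int) $col_length['length'];
+    } else {
+        $max_length = 255;
+    }
+
+    if ( ! empty( $col_length['type'] ) && 'byte' === $col_length['type'] ) {
+        $max_length = $max_length - 10;
+    }
+
+    /**
+     * Filters the calculated length for a given column of the comments table.
+     *
+     * @since 4.5.0
+     *
+     * @param int    $max_length Maximum column character length.
+     * @param string $column     Column name.
+     */
+    return apply_filters( 'wp_get_comment_column_max_length', $max_length, $column );
+}
+
+/**
  * Does comment contain blacklisted characters or words.
  *
@@ -2779,6 +2816,20 @@
     }
 
+    if ( isset( $comment_author ) && wp_get_comment_column_max_length( 'comment_author' ) < mb_strlen( $comment_author, '8bit' ) ) {
+        return new WP_Error( 'comment_author_column_length', __( '<strong>ERROR</strong>: your name is too long.' ), 200 );
+    }
+
+    if ( isset( $comment_author_email ) && wp_get_comment_column_max_length( 'comment_author_email' ) < strlen( $comment_author_email ) ) {
+        return new WP_Error( 'comment_author_email_column_length', __( '<strong>ERROR</strong>: your email address is too long.' ), 200 );
+    }
+
+    if ( isset( $comment_author_url ) && wp_get_comment_column_max_length( 'comment_author_url' ) < strlen( $comment_author_url ) ) {
+        return new WP_Error( 'comment_author_url_column_length', __( '<strong>ERROR</strong>: your url is too long.' ), 200 );
+    }
+
     if ( '' == $comment_content ) {
         return new WP_Error( 'require_valid_comment', __( '<strong>ERROR</strong>: please type a comment.' ), 200 );
+    } elseif ( wp_get_comment_column_max_length( 'comment_content' ) < mb_strlen( $comment_content, '8bit' ) ) {
+        return new WP_Error( 'comment_content_column_length', __( '<strong>ERROR</strong>: your comment is too long.' ), 200 );
     }
 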
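Review bot: The `else` fallback at line 969 returns 255 for every column, including `comment_content`, so if `$wpdb->get_col_length()` cannot determine the size, the new check at line 2832 would reject any comment over 255 bytes even though the template in this same changeset allows 65525; the fallback should be column-aware, or the caller should skip enforcement when the length is unknown rather than guess. The `- 10` at line 973 is an unexplained constant — presumably headroom below the byte limit, but that is inferred — and deserves a comment such as `// NOTE(review): 10-byte headroom below the column's byte limit — document why.` The comparisons at lines 2818–2833 mix `mb_strlen( ..., '8bit' )` and `strlen()`, which are the same byte count; one form would read better. wp_handle_comment_submission() starts and ends outside the second hunk.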
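--- a/trunk/tests/phpunit/includes/utils.php
+++ b/trunk/tests/phpunit/includes/utils.php
@@ -5,4 +5,16 @@
 function rand_str($len=32) {
     return substr(md5(uniqid(rand())), 0, $len);
+}
+
+function rand_long_str( $length ) {
+    $chars = 'abcdefghijklmnopqrstuvwxyz';
+    $string = '';
+
+    for ( $i = 0; $i < $length; $i++ ) {
+        $rand = rand( 0, strlen( $chars ) - 1 );
+        $string .= substr( $chars, $rand, 1 );
+    }
+
+    return $string;
 }
 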
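Review bot: `rand_long_str()` at lines 9–19 has no docblock and an untyped `$length`; since it only emits lowercase ASCII, its byte length equals its character length, which is exactly the property the new byte-based length tests rely on and should be stated. A short docblock would make that explicit: `/** Generate a random string of exactly $length lowercase ASCII characters (one byte each). */`. `strlen( $chars )` on line 14 is also recomputed on every iteration and could be hoisted above the loop.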
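--- a/trunk/tests/phpunit/tests/comment-submission.php
+++ b/trunk/tests/phpunit/tests/comment-submission.php
@@ -591,4 +591,84 @@
         $this->assertSame( $error, $comment->get_error_code() );
 
+    }
+
+    /**
+     * @ticket 10377
+     */
+    public function test_submitting_comment_with_content_too_long_returns_error() {
+        $error = 'comment_content_column_length';
+
+        $post = self::factory()->post->create_and_get();
+
+        $data = array(
+            'comment_post_ID' => $post->ID,
+            'comment'         => rand_long_str( 65536 ),
+            'author'          => 'Comment Author',
+            'email'           => 'comment@example.org',
+        );
+        $comment = wp_handle_comment_submission( $data );
+
+        $this->assertWPError( $comment );
+        $this->assertSame( $error, $comment->get_error_code() );
+    }
+
+    /**
+     * @ticket 10377
+     */
+    public function test_submitting_comment_with_author_too_long_returns_error() {
+        $error = 'comment_author_column_length';
+
+        $post = self::factory()->post->create_and_get();
+
+        $data = array(
+            'comment_post_ID' => $post->ID,
+            'comment'         => rand_str(),
+            'author'          => rand_long_str( 255 ),
+            'email'           => 'comment@example.org',
+        );
+        $comment = wp_handle_comment_submission( $data );
+
+        $this->assertWPError( $comment );
+        $this->assertSame( $error, $comment->get_error_code() );
+    }
+
+    /**
+     * @ticket 10377
+     */
+    public function test_submitting_comment_with_email_too_long_returns_error() {
+        $error = 'comment_author_email_column_length';
+
+        $post = self::factory()->post->create_and_get();
+
+        $data = array(
+            'comment_post_ID' => $post->ID,
+            'comment'         => rand_str(),
+            'author'          => 'Comment Author',
+            'email'           => rand_long_str( 90 ) . '@example.com',
+        );
+        $comment = wp_handle_comment_submission( $data );
+
+        $this->assertWPError( $comment );
+        $this->assertSame( $error, $comment->get_error_code() );
+    }
+
+    /**
+     * @ticket 10377
+     */
+    public function test_submitting_comment_with_url_too_long_returns_error() {
+        $error = 'comment_author_url_column_length';
+
+        $post = self::factory()->post->create_and_get();
+        $data = array(
+            'comment_post_ID' => $post->ID,
+            'comment'         => rand_str(),
+            'author'          => 'Comment Author',
+            'email'           => 'comment@example.org',
+            'url'             => rand_long_str( 201 ),
+        );
+        $comment = wp_handle_comment_submission( $data );
+
+        $this->assertWPError( $comment );
+        $this->assertSame( $error, $comment->get_error_code() );
     }
 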
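Review bot: All four new tests (lines 598–672) feed pure-ASCII input from rand_long_str(), so they never exercise the byte-versus-character distinction that `mb_strlen( ..., '8bit' )` in wp_handle_comment_submission() exists for; a case with multibyte characters (a name under 245 characters but over 245 bytes) would pin that behaviour. There is also no boundary test showing that input exactly at the limit is accepted, which is the case most likely to regress if the `- 10` margin in wp_get_comment_column_max_length() changes. The author test at line 626 uses 255 characters, which only exceeds the limit because of that margin, so a comment like `// 255 bytes exceeds the effective 245-byte limit (255 minus the 10-byte headroom).` would explain the chosen value.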