Make WordPress Core


Timestamp:
07/13/2016 01:47:49 PM (8 years ago)
Author:
rachelbaker
Message:

Comments: Strip html tags from comment content before blacklist_keys comparison.

Use wp_kses() to clean comment_content for preg_match against the blacklist_keys. Also includes some initial unit tests for wp_blacklist_check().
Previously, if a blacklisted key was used in comment_content split by an html tag the regex in wp_blacklist_check() would not find a match. Example: Where "springfield" was a blacklisted word, if the content of a comment included "spring<i>field</i>", wp_blacklist_check() would not return true.

Props cfinke.
Fixes #37208.

File:
1 edited

  • trunk/src/wp-includes/comment.php

    r37985 r38047  
    10561056    if ( '' == $mod_keys )
    10571057        return false; // If moderation keys are empty
     1058
     1059    // Ensure HTML tags are not being used to bypass the blacklist.
     1060    $comment_without_html = wp_kses( $comment, array() );
     1061
    10581062    $words = explode("\n", $mod_keys );
    10591063
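Review bot: The commit message says this change "also includes some initial unit tests for wp_blacklist_check()", but the changeset lists only trunk/src/wp-includes/comment.php as edited, so either the tests belong in a separate commit or the message should be corrected. On the new lines themselves, `wp_kses( $comment, array() )` with an empty allowed-tags list strips every tag, which covers the `spring<i>field</i>` case the message describes; the inline comment would be more useful if it stated that explicitly (e.g. "strip all tags so keys split by markup still match") rather than the vaguer "bypass the blacklist".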
     
    10731077            || preg_match($pattern, $email)
    10741078            || preg_match($pattern, $url)
    1075             || preg_match($pattern, $comment)
     1079            || preg_match($pattern, $comment_without_html)
    10761080            || preg_match($pattern, $user_ip)
    10771081            || preg_match($pattern, $user_agent)
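Review bot: Replacing `|| preg_match($pattern, $comment)` with `|| preg_match($pattern, $comment_without_html)` removes the match against the raw comment entirely, so a moderation key that appears only inside markup (for example a domain in an `href` attribute, which wp_kses() discards along with the tag) would no longer trigger the blacklist even though it did before this change. Consider keeping both checks so the stripped copy is additive rather than a replacement:
`|| preg_match($pattern, $comment)`
`|| preg_match($pattern, $comment_without_html)`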