
Changeset 39101


Timestamp:
11/03/2016 01:11:30 AM (7 years ago)
Author:
rachelbaker
Message:

REST API: Return an error when the length of a comment field is too long.

Introduces wp_check_comment_data_max_lengths() which allows both the REST API comments endpoints and wp_handle_comment_submission() to check the length of the comment content, author name, author url, and author email fields against their respective database columns.

Props rachelbaker, mangeshp, salcode, pento.
Fixes #38477.

Location:
trunk
Files:
3 edited

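--- a/trunk/src/wp-includes/comment.php
+++ b/trunk/src/wp-includes/comment.php
@@ -1123,4 +1123,35 @@
 
 /**
+ * Compares the lengths of comment data against the maximum character limits.
+ *
+ * @since 4.7.0
+ *
+ * @param array $comment_data Array of arguments for inserting a comment.
+ * @return WP_Error|true WP_Error when a comment field exceeds the limit,
+ *                       otherwise true.
+ */
+function wp_check_comment_data_max_lengths( $comment_data ) {
+    $max_lengths = wp_get_comment_fields_max_lengths();
+
+    if ( isset( $comment_data['comment_author'] ) && mb_strlen( $comment_data['comment_author'], '8bit' ) > $max_lengths['comment_author'] ) {
+        return new WP_Error( 'comment_author_column_length', __( '<strong>ERROR</strong>: your name is too long.' ), 200 );
+    }
+
+    if ( isset( $comment_data['comment_author_email'] ) && strlen( $comment_data['comment_author_email'] ) > $max_lengths['comment_author_email'] ) {
+        return new WP_Error( 'comment_author_email_column_length', __( '<strong>ERROR</strong>: your email address is too long.' ), 200 );
+    }
+
+    if ( isset( $comment_data['comment_author_url'] ) && strlen( $comment_data['comment_author_url'] ) > $max_lengths['comment_author_url'] ) {
+        return new WP_Error( 'comment_author_url_column_length', __( '<strong>ERROR</strong>: your url is too long.' ), 200 );
+    }
+
+    if ( isset( $comment_data['comment_content'] ) && mb_strlen( $comment_data['comment_content'], '8bit' ) > $max_lengths['comment_content'] ) {
+        return new WP_Error( 'comment_content_column_length', __( '<strong>ERROR</strong>: your comment is too long.' ), 200 );
+    }
+
+    return true;
+}
+
+/**
  * Does comment contain blacklisted characters or words.
  *
@@ -3033,5 +3064,4 @@
 
     $comment_type = '';
-    $max_lengths = wp_get_comment_fields_max_lengths();
 
     if ( get_option( 'require_name_email' ) && ! $user->exists() ) {
@@ -3043,20 +3073,6 @@
     }
 
-    if ( isset( $comment_author ) && $max_lengths['comment_author'] < mb_strlen( $comment_author, '8bit' ) ) {
-        return new WP_Error( 'comment_author_column_length', __( '<strong>ERROR</strong>: your name is too long.' ), 200 );
-    }
-
-    if ( isset( $comment_author_email ) && $max_lengths['comment_author_email'] < strlen( $comment_author_email ) ) {
-        return new WP_Error( 'comment_author_email_column_length', __( '<strong>ERROR</strong>: your email address is too long.' ), 200 );
-    }
-
-    if ( isset( $comment_author_url ) && $max_lengths['comment_author_url'] < strlen( $comment_author_url ) ) {
-        return new WP_Error( 'comment_author_url_column_length', __( '<strong>ERROR</strong>: your url is too long.' ), 200 );
-    }
-
     if ( '' == $comment_content ) {
         return new WP_Error( 'require_valid_comment', __( '<strong>ERROR</strong>: please type a comment.' ), 200 );
-    } elseif ( $max_lengths['comment_content'] < mb_strlen( $comment_content, '8bit' ) ) {
-        return new WP_Error( 'comment_content_column_length', __( '<strong>ERROR</strong>: your comment is too long.' ), 200 );
     }
 
@@ -3072,4 +3088,9 @@
     );
 
+    $check_max_lengths = wp_check_comment_data_max_lengths( $commentdata );
+    if ( is_wp_error( $check_max_lengths ) ) {
+        return $check_max_lengths;
+    }
+
     $comment_id = wp_new_comment( wp_slash( $commentdata ), true );
     if ( is_wp_error( $comment_id ) ) {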
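Review bot: In wp_check_comment_data_max_lengths the author and content fields are measured with `mb_strlen( …, '8bit' )` while comment_author_email and comment_author_url are measured with bare `strlen`; the '8bit' form is presumably there so the count stays in bytes when mbstring.func_overload is enabled, and under that setting `strlen` is overloaded to return characters, so a multibyte email or URL can pass this check and still exceed its column on insert. Use the same byte count for all four fields, e.g. `mb_strlen( $comment_data['comment_author_email'], '8bit' ) > $max_lengths['comment_author_email']` and `mb_strlen( $comment_data['comment_author_url'], '8bit' ) > $max_lengths['comment_author_url']`. The docblock also says "maximum character limits" although the comparison is byte-based against column widths; `* Compares the byte lengths of comment data against the column limits returned by wp_get_comment_fields_max_lengths().` would be accurate. The edits to wp_handle_comment_submission sit in a function whose start and end are outside these hunks.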
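--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -485,4 +485,10 @@
         }
 
+        $check_comment_lengths = wp_check_comment_data_max_lengths( $prepared_comment );
+        if ( is_wp_error( $check_comment_lengths ) ) {
+            $error_code = $check_comment_lengths->get_error_code();
+            return new WP_Error( $error_code, __( 'Comment field exceeds maximum length allowed.' ), array( 'status' => 400 ) );
+        }
+
         $prepared_comment['comment_approved'] = wp_allow_comment( $prepared_comment, true );
 
@@ -631,4 +637,10 @@
 
             $prepared_args['comment_ID'] = $id;
+
+            $check_comment_lengths = wp_check_comment_data_max_lengths( $prepared_args );
+            if ( is_wp_error( $check_comment_lengths ) ) {
+                $error_code = $check_comment_lengths->get_error_code();
+                return new WP_Error( $error_code, __( 'Comment field exceeds maximum length allowed.' ), array( 'status' => 400 ) );
+            }
 
             $updated = wp_update_comment( $prepared_args );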
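Review bot: The two added blocks at 487–491 and 640–644 are identical and both replace the field-specific core message with the generic "Comment field exceeds maximum length allowed.", so the error code is the only thing telling an API client which field was rejected and nothing tells it the limit. Since every code produced by wp_check_comment_data_max_lengths follows the `<field>_column_length` pattern, the field can be surfaced in the error data without a second message: `return new WP_Error( $error_code, __( 'Comment field exceeds maximum length allowed.' ), array( 'status' => 400, 'field' => str_replace( '_column_length', '', $error_code ) ) );`. Factoring the repeated block into a small protected helper on the controller would keep the two call sites from drifting. Both hunks are inside methods (create_item and update_item, by the surrounding lines) whose bodies begin and end outside the hunks.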
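--- a/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -1353,4 +1353,96 @@
     }
 
+    /**
+     * @ticket 38477
+     */
+    public function test_create_comment_author_name_too_long() {
+        wp_set_current_user( 0 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => rand_long_str( 246 ),
+            'author_email' => 'murphy@gingivitis.com',
+            'author_url'   => 'http://jazz.gingivitis.com',
+            'content'      => 'This isn\'t a saxophone. It\'s an umbrella.',
+            'date'         => '1995-04-30T10:22:00',
+        );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'comment_author_column_length', $response, 400 );
+    }
+
+    /**
+     * @ticket 38477
+     */
+    public function test_create_comment_author_email_too_long() {
+        wp_set_current_user( 0 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Bleeding Gums Murphy',
+            'author_email' => 'murphy@' . rand_long_str( 190 ) . '.com',
+            'author_url'   => 'http://jazz.gingivitis.com',
+            'content'      => 'This isn\'t a saxophone. It\'s an umbrella.',
+            'date'         => '1995-04-30T10:22:00',
+        );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'comment_author_email_column_length', $response, 400 );
+    }
+
+    /**
+     * @ticket 38477
+     */
+    public function test_create_comment_author_url_too_long() {
+        wp_set_current_user( 0 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Bleeding Gums Murphy',
+            'author_email' => 'murphy@gingivitis.com',
+            'author_url'   => 'http://jazz.' . rand_long_str( 185 ) . '.com',
+            'content'      => 'This isn\'t a saxophone. It\'s an umbrella.',
+            'date'         => '1995-04-30T10:22:00',
+        );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'comment_author_url_column_length', $response, 400 );
+    }
+
+    /**
+     * @ticket 38477
+     */
+    public function test_create_comment_content_too_long() {
+        wp_set_current_user( 0 );
+
+        $params = array(
+            'post'         => self::$post_id,
+            'author_name'  => 'Bleeding Gums Murphy',
+            'author_email' => 'murphy@gingivitis.com',
+            'author_url'   => 'http://jazz.gingivitis.com',
+            'content'      => rand_long_str( 66525 ),
+            'date'         => '1995-04-30T10:22:00',
+        );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'comment_content_column_length', $response, 400 );
+    }
+
     public function test_update_item() {
         $post_id = $this->factory->post->create();
@@ -1608,4 +1700,79 @@
         $this->assertEquals( 200, $response->get_status() );
         $this->assertArrayHasKey( 'children', $response->get_links() );
+    }
+
+    /**
+     * @ticket 38477
+     */
+    public function test_update_comment_author_name_too_long() {
+        wp_set_current_user( self::$admin_id );
+
+        $params = array(
+            'author_name' => rand_long_str( 246 ),
+            'content'     => 'This isn\'t a saxophone. It\'s an umbrella.',
+        );
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'comment_author_column_length', $response, 400 );
+    }
+
+    /**
+     * @ticket 38477
+     */
+    public function test_update_comment_author_email_too_long() {
+        wp_set_current_user( self::$admin_id );
+
+        $params = array(
+            'author_email' => 'murphy@' . rand_long_str( 190 ) . '.com',
+            'content'      => 'This isn\'t a saxophone. It\'s an umbrella.',
+        );
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'comment_author_email_column_length', $response, 400 );
+    }
+
+    /**
+     * @ticket 38477
+     */
+    public function test_update_comment_author_url_too_long() {
+        wp_set_current_user( self::$admin_id );
+
+        $params = array(
+            'author_url' => 'http://jazz.' . rand_long_str( 185 ) . '.com',
+            'content'    => 'This isn\'t a saxophone. It\'s an umbrella.',
+        );
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'comment_author_url_column_length', $response, 400 );
+    }
+
+    /**
+     * @ticket 38477
+     */
+    public function test_update_comment_content_too_long() {
+        wp_set_current_user( self::$admin_id );
+
+        $params = array(
+            'content' => rand_long_str( 66525 ),
+        );
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
+
+        $request->add_header( 'content-type', 'application/json' );
+        $request->set_body( wp_json_encode( $params ) );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'comment_content_column_length', $response, 400 );
     }
 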
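Review bot: The eight new tests only send values well past the limit (246 for the name, 190 or 185 extra characters for email and URL, 66525 for content) and never probe the boundary or multibyte input, so a regression that compares with `>=` instead of `>`, or counts characters instead of bytes, would not be caught. Add a create case with an author_name of exactly the column width in ASCII (presumably 245, given the 246 used here; confirm against wp_get_comment_fields_max_lengths, which is not in this changeset) asserting a 201 response, and one that stays under the limit in characters but over it in bytes, e.g. `'author_name' => str_repeat( 'é', 130 ),` (130 characters, 260 bytes of UTF-8) asserting `comment_author_column_length`. rand_long_str is defined outside these hunks, so the helper's output encoding should also be checked before relying on it for a byte-boundary case. The methods here are complete, but the enclosing test class begins and ends outside the hunks.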