Changeset 39157


Timestamp:
11/08/2016 06:35:51 AM (4 years ago)
Author:
rmccue
Message:

REST API: Respect unfiltered_html for HTML comment fields.

Same as [39155], but for comments, natch.

Props jnylen0.
Fixes #38704, see #38609.

Location:
trunk
Files:
2 edited

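--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -521,5 +521,5 @@
         $prepared_comment = apply_filters( 'rest_pre_insert_comment', $prepared_comment, $request );
 
-        $comment_id = wp_insert_comment( $prepared_comment );
+        $comment_id = wp_insert_comment( wp_filter_comment( wp_slash( (array) $prepared_comment ) ) );
 
         if ( ! $comment_id ) {
@@ -645,5 +645,5 @@
             }
 
-            $updated = wp_update_comment( $prepared_args );
+            $updated = wp_update_comment( wp_slash( (array) $prepared_args ) );
 
             if ( 0 === $updated ) {
@@ -996,7 +996,7 @@
          */
         if ( isset( $request['content'] ) && is_string( $request['content'] ) ) {
-            $prepared_comment['comment_content'] = wp_filter_kses( $request['content'] );
+            $prepared_comment['comment_content'] = $request['content'];
         } elseif ( isset( $request['content']['raw'] ) && is_string( $request['content']['raw'] ) ) {
-            $prepared_comment['comment_content'] = wp_filter_kses( $request['content']['raw'] );
+            $prepared_comment['comment_content'] = $request['content']['raw'];
         }
 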
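Review bot: The new create path at line 523, `$comment_id = wp_insert_comment( wp_filter_comment( wp_slash( (array) $prepared_comment ) ) );`, carries no explanation of why `wp_filter_comment()` is required there but absent from the update call at line 647, and with the unconditional `wp_filter_kses()` calls at lines 998 and 1000 gone, that single call is now the only place where comment content from a user without `unfiltered_html` gets sanitized on create. As far as I can tell the mechanism is that `wp_filter_comment()` runs the `pre_comment_*` filters, where core conditionally hooks kses, and `wp_update_comment()` runs `wp_filter_comment()` internally, which would explain the asymmetry, but a future cleanup that "simplifies" line 523 to match line 647 would silently store unfiltered HTML. I would add above line 523: `// wp_insert_comment() does not sanitize; run the pre_comment_* filters (kses for users without unfiltered_html) explicitly.` and above line 647: `// wp_update_comment() applies wp_filter_comment() itself; only slashing is needed here.` The enclosing create_item(), update_item() and prepare_item_for_database() bodies begin and end outside these hunks.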
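--- a/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -11,6 +11,7 @@
  */
 class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase {
-
+    protected static $superadmin_id;
     protected static $admin_id;
+    protected static $editor_id;
     protected static $subscriber_id;
     protected static $author_id;
@@ -26,6 +27,13 @@
 
     public static function wpSetUpBeforeClass( $factory ) {
+        self::$superadmin_id = $factory->user->create( array(
+            'role'       => 'administrator',
+            'user_login' => 'superadmin',
+        ) );
         self::$admin_id = $factory->user->create( array(
             'role' => 'administrator',
+        ) );
+        self::$editor_id = $factory->user->create( array(
+            'role' => 'editor',
         ) );
         self::$subscriber_id = $factory->user->create( array(
@@ -80,4 +88,7 @@
         parent::setUp();
         $this->endpoint = new WP_REST_Comments_Controller;
+        if ( is_multisite() ) {
+            update_site_option( 'site_admins', array( 'superadmin' ) );
+        }
     }
 
@@ -1881,4 +1892,139 @@
     }
 
+    public function verify_comment_roundtrip( $input = array(), $expected_output = array() ) {
+        // Create the comment
+        $request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
+        $request->set_param( 'author_email', 'cbg@androidsdungeon.com' );
+        $request->set_param( 'post', self::$post_id );
+        foreach ( $input as $name => $value ) {
+            $request->set_param( $name, $value );
+        }
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 201, $response->get_status() );
+        $actual_output = $response->get_data();
+
+        // Compare expected API output to actual API output
+        $this->assertInternalType( 'array', $actual_output['content'] );
+        $this->assertArrayHasKey( 'raw', $actual_output['content'] );
+        $this->assertEquals( $expected_output['content']['raw']     , $actual_output['content']['raw'] );
+        $this->assertEquals( $expected_output['content']['rendered'], trim( $actual_output['content']['rendered'] ) );
+        $this->assertEquals( $expected_output['author_name']        , $actual_output['author_name'] );
+        $this->assertEquals( $expected_output['author_user_agent']  , $actual_output['author_user_agent'] );
+
+        // Compare expected API output to WP internal values
+        $comment = get_comment( $actual_output['id'] );
+        $this->assertEquals( $expected_output['content']['raw']   , $comment->comment_content );
+        $this->assertEquals( $expected_output['author_name']      , $comment->comment_author );
+        $this->assertEquals( $expected_output['author_user_agent'], $comment->comment_agent );
+
+        // Update the comment
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', $actual_output['id'] ) );
+        foreach ( $input as $name => $value ) {
+            $request->set_param( $name, $value );
+        }
+        // FIXME at least one value must change, or update fails
+        // See https://core.trac.wordpress.org/ticket/38700
+        $request->set_param( 'author_ip', '127.0.0.2' );
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+        $actual_output = $response->get_data();
+
+        // Compare expected API output to actual API output
+        $this->assertEquals( $expected_output['content']['raw']     , $actual_output['content']['raw'] );
+        $this->assertEquals( $expected_output['content']['rendered'], trim( $actual_output['content']['rendered'] ) );
+        $this->assertEquals( $expected_output['author_name']        , $actual_output['author_name'] );
+        $this->assertEquals( $expected_output['author_user_agent']  , $actual_output['author_user_agent'] );
+
+        // Compare expected API output to WP internal values
+        $comment = get_comment( $actual_output['id'] );
+        $this->assertEquals( $expected_output['content']['raw']   , $comment->comment_content );
+        $this->assertEquals( $expected_output['author_name']      , $comment->comment_author );
+        $this->assertEquals( $expected_output['author_user_agent'], $comment->comment_agent );
+    }
+
+    public function test_comment_roundtrip_as_editor() {
+        wp_set_current_user( self::$editor_id );
+        $this->assertEquals( ! is_multisite(), current_user_can( 'unfiltered_html' ) );
+        $this->verify_comment_roundtrip( array(
+            'content'           => '\o/ ¯\_(ツ)_/¯',
+            'author_name'       => '\o/ ¯\_(ツ)_/¯',
+            'author_user_agent' => '\o/ ¯\_(ツ)_/¯',
+        ), array(
+            'content' => array(
+                'raw'      => '\o/ ¯\_(ツ)_/¯',
+                'rendered' => '<p>\o/ ¯\_(ツ)_/¯</p>',
+            ),
+            'author_name'       => '\o/ ¯\_(ツ)_/¯',
+            'author_user_agent' => '\o/ ¯\_(ツ)_/¯',
+        ) );
+    }
+
+    public function test_comment_roundtrip_as_editor_unfiltered_html() {
+        wp_set_current_user( self::$editor_id );
+        if ( is_multisite() ) {
+            $this->assertFalse( current_user_can( 'unfiltered_html' ) );
+            $this->verify_comment_roundtrip( array(
+                'content'           => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+            ), array(
+                'content' => array(
+                    'raw'      => 'div <strong>strong</strong> oh noes',
+                    'rendered' => '<p>div <strong>strong</strong> oh noes</p>',
+                ),
+                'author_name'       => 'div strong',
+                'author_user_agent' => 'div strong',
+            ) );
+        } else {
+            $this->assertTrue( current_user_can( 'unfiltered_html' ) );
+            $this->verify_comment_roundtrip( array(
+                'content'           => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+            ), array(
+                'content' => array(
+                    'raw'      => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                    'rendered' => "<div>div</div>\n<p> <strong>strong</strong> <script>oh noes</script></p>",
+                ),
+                'author_name'       => 'div strong',
+                'author_user_agent' => 'div strong',
+            ) );
+        }
+    }
+
+    public function test_comment_roundtrip_as_superadmin() {
+        wp_set_current_user( self::$superadmin_id );
+        $this->assertTrue( current_user_can( 'unfiltered_html' ) );
+        $this->verify_comment_roundtrip( array(
+            'content'           => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
+            'author_name'       => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
+            'author_user_agent' => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
+        ), array(
+            'content' => array(
+                'raw'      => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
+                'rendered' => '<p>\\\&#038;\\\ &amp; &invalid; < &lt; &amp;lt;' . "\n</p>",
+            ),
+            'author_name'       => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
+            'author_user_agent' => '\\\&\\\ &amp; &invalid; &lt; &lt; &amp;lt;',
+        ) );
+    }
+
+    public function test_comment_roundtrip_as_superadmin_unfiltered_html() {
+        wp_set_current_user( self::$superadmin_id );
+        $this->assertTrue( current_user_can( 'unfiltered_html' ) );
+        $this->verify_comment_roundtrip( array(
+            'content'           => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+            'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+            'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+        ), array(
+            'content' => array(
+                'raw'      => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'rendered' => "<div>div</div>\n<p> <strong>strong</strong> <script>oh noes</script></p>",
+            ),
+            'author_name'       => 'div strong',
+            'author_user_agent' => 'div strong',
+        ) );
+    }
+
     public function test_delete_item() {
         wp_set_current_user( self::$admin_id );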
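Review bot: verify_comment_roundtrip() at new lines 1894-1943 has no docblock, so the shape `$expected_output` must have (`content.raw`, `content.rendered`, `author_name`, `author_user_agent`) and the fact that it compares both the API response and the stored comment from get_comment() are only discoverable by reading the assertions. I would add a docblock above line 1894 stating that it creates a comment via POST with `$input`, updates it via PUT with the same values plus a forced `author_ip` change (the ticket 38700 workaround already noted inline), and after each step asserts `$expected_output` against the response and against the stored comment. A one-line comment in test_comment_roundtrip_as_editor_unfiltered_html() would also help, e.g. above line 1966: `// Without unfiltered_html, kses strips the tags but keeps their text; with it, the markup (including <script>) is stored verbatim.`, since that contrast is the behaviour the controller change is meant to guarantee. One gap worth noting: the helper creates and updates with the same user, so a comment stored with raw HTML by an `unfiltered_html` user and later updated by a user without that capability is not covered, and it is unclear from these tests whether the update path re-filters the content in that case.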