
Changeset 47916


Timestamp:
06/06/2020 09:51:22 AM (4 years ago)
Author:
SergeyBiryukov
Message:

Comments: Ensure that unmoderated comments won't be search indexed.

After a comment is submitted, only allow a brief window where the comment is live on the site.

Props jonkolbert, ayeshrajans, Asif2BD, peterwilsoncc, imath, audrasjb, jonoaldersonwp, whyisjake, SergeyBiryukov.
Merges [47887] and [47889] to the 5.3 branch.
See #49956.

Location:
branches/5.3
Files:
7 edited

  • branches/5.3

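--- a/branches/5.3/src/wp-comments-post.php
+++ b/branches/5.3/src/wp-comments-post.php
@@ -57,6 +57,6 @@
 $location = empty( $_POST['redirect_to'] ) ? get_comment_link( $comment ) : $_POST['redirect_to'] . '#comment-' . $comment->comment_ID;
 
-// Add specific query arguments to display the awaiting moderation message.
-if ( 'unapproved' === wp_get_comment_status( $comment ) && ! empty( $comment->comment_author_email ) ) {
+// If user didn't consent to cookies, add specific query arguments to display the awaiting moderation message.
+if ( ! $cookies_consent && 'unapproved' === wp_get_comment_status( $comment ) && ! empty( $comment->comment_author_email ) ) {
     $location = add_query_arg(
         array(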
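--- a/branches/5.3/src/wp-includes/class-walker-comment.php
+++ b/branches/5.3/src/wp-includes/class-walker-comment.php
@@ -182,5 +182,9 @@
         }
 
-        if ( ( 'pingback' == $comment->comment_type || 'trackback' == $comment->comment_type ) && $args['short_ping'] ) {
+        if ( 'comment' === $comment->comment_type ) {
+            add_filter( 'comment_text', array( $this, 'filter_comment_text' ), 40, 2 );
+        }
+
+        if ( ( 'pingback' === $comment->comment_type || 'trackback' === $comment->comment_type ) && $args['short_ping'] ) {
             ob_start();
             $this->ping( $comment, $depth, $args );
@@ -195,4 +199,8 @@
         $output .= ob_get_clean();
         }
+
+        if ( 'comment' === $comment->comment_type ) {
+            remove_filter( 'comment_text', array( $this, 'filter_comment_text' ), 40, 2 );
+        }
     }
 
@@ -246,4 +254,27 @@
 
     /**
+     * Filters the comment text.
+     *
+     * Removes links from the pending comment's text if the commenter did not consent
+     * to the comment cookies.
+     *
+     * @since 5.4.2
+     *
+     * @param string          $comment_text Text of the current comment.
+     * @param WP_Comment|null $comment      The comment object. Null if not found.
+     * @return string Filtered text of the current comment.
+     */
+    public function filter_comment_text( $comment_text, $comment ) {
+        $commenter          = wp_get_current_commenter();
+        $show_pending_links = ! empty( $commenter['comment_author'] );
+
+        if ( $comment && '0' == $comment->comment_approved && ! $show_pending_links ) {
+            $comment_text = wp_kses( $comment_text, array() );
+        }
+
+        return $comment_text;
+    }
+
+    /**
      * Outputs a single comment.
      *
@@ -265,5 +296,7 @@
         }
 
-        $commenter = wp_get_current_commenter();
+        $commenter          = wp_get_current_commenter();
+        $show_pending_links = isset( $commenter['comment_author'] ) && $commenter['comment_author'];
+
         if ( $commenter['comment_author_email'] ) {
             $moderation_note = __( 'Your comment is awaiting moderation.' );
@@ -271,5 +304,4 @@
             $moderation_note = __( 'Your comment is awaiting moderation. This is a preview, your comment will be visible after it has been approved.' );
         }
-
         ?>
         <<?php echo $tag; ?> <?php comment_class( $this->has_children ? 'parent' : '', $comment ); ?> id="comment-<?php comment_ID(); ?>">
@@ -280,12 +312,19 @@
             <?php
             if ( 0 != $args['avatar_size'] ) {
-                echo get_avatar( $comment, $args['avatar_size'] );}
+                echo get_avatar( $comment, $args['avatar_size'] );
+            }
             ?>
             <?php
-                printf(
-                    /* translators: %s: Comment author link. */
-                    __( '%s <span class="says">says:</span>' ),
-                    sprintf( '<cite class="fn">%s</cite>', get_comment_author_link( $comment ) )
-                );
+            $comment_author = get_comment_author_link( $comment );
+
+            if ( '0' == $comment->comment_approved && ! $show_pending_links ) {
+                $comment_author = get_comment_author( $comment );
+            }
+
+            printf(
+                /* translators: %s: Comment author link. */
+                __( '%s <span class="says">says:</span>' ),
+                sprintf( '<cite class="fn">%s</cite>', $comment_author )
+            );
             ?>
         </div>
@@ -355,5 +394,7 @@
         $tag = ( 'div' === $args['style'] ) ? 'div' : 'li';
 
-        $commenter = wp_get_current_commenter();
+        $commenter          = wp_get_current_commenter();
+        $show_pending_links = ! empty( $commenter['comment_author'] );
+
         if ( $commenter['comment_author_email'] ) {
             $moderation_note = __( 'Your comment is awaiting moderation.' );
@@ -361,5 +402,4 @@
             $moderation_note = __( 'Your comment is awaiting moderation. This is a preview, your comment will be visible after it has been approved.' );
         }
-
         ?>
         <<?php echo $tag; ?> id="comment-<?php comment_ID(); ?>" <?php comment_class( $this->has_children ? 'parent' : '', $comment ); ?>>
@@ -373,9 +413,15 @@
                         ?>
                         <?php
-                            printf(
-                                /* translators: %s: Comment author link. */
-                                __( '%s <span class="says">says:</span>' ),
-                                sprintf( '<b class="fn">%s</b>', get_comment_author_link( $comment ) )
-                            );
+                        $comment_author = get_comment_author_link( $comment );
+
+                        if ( '0' == $comment->comment_approved && ! $show_pending_links ) {
+                            $comment_author = get_comment_author( $comment );
+                        }
+
+                        printf(
+                            /* translators: %s: Comment author link. */
+                            __( '%s <span class="says">says:</span>' ),
+                            sprintf( '<b class="fn">%s</b>', $comment_author )
+                        );
                         ?>
                     </div><!-- .comment-author -->
@@ -403,16 +449,18 @@
 
                 <?php
-                comment_reply_link(
-                    array_merge(
-                        $args,
-                        array(
-                            'add_below' => 'div-comment',
-                            'depth'     => $depth,
-                            'max_depth' => $args['max_depth'],
-                            'before'    => '<div class="reply">',
-                            'after'     => '</div>',
+                if ( '1' == $comment->comment_approved || $show_pending_links ) {
+                    comment_reply_link(
+                        array_merge(
+                            $args,
+                            array(
+                                'add_below' => 'div-comment',
+                                'depth'     => $depth,
+                                'max_depth' => $args['max_depth'],
+                                'before'    => '<div class="reply">',
+                                'after'     => '</div>',
+                            )
                         )
-                    )
-                );
+                    );
+                }
                 ?>
             </article><!-- .comment-body -->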
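Review bot: `filter_comment_text` strips every tag, not only links: `wp_kses( $comment_text, array() )` passes an empty allow-list, so `<p>`, `<code>`, `<blockquote>` and any other markup in the pending preview disappear too, which the docblock ("Removes links from the pending comment's text") does not say. Either make the docblock read "Strips all HTML, including links, from the pending comment's text if the commenter did not consent to the comment cookies." or, if only links are intended, keep the usual comment allow-list minus anchors, e.g. `wp_kses( $comment_text, array_diff_key( wp_kses_allowed_html( 'data' ), array( 'a' => true ) ) )`. Separately, `remove_filter()` takes no `$accepted_args`, so the trailing `2` in `remove_filter( 'comment_text', array( $this, 'filter_comment_text' ), 40, 2 )` is ignored and can be dropped. The new `'0' == $comment->comment_approved` and `'1' == $comment->comment_approved` tests use loose comparison while the neighbouring new lines switched to `===`; if that is deliberate because the column can arrive as int or string, a one-line comment saying so would stop a later cleanup from "fixing" it. `start_el`'s body begins and continues outside the first two hunks.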
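--- a/branches/5.3/src/wp-includes/class-wp-comment-query.php
+++ b/branches/5.3/src/wp-includes/class-wp-comment-query.php
@@ -554,8 +554,13 @@
                 if ( is_numeric( $unapproved_identifier ) ) {
                     $approved_clauses[] = $wpdb->prepare( "( user_id = %d AND comment_approved = '0' )", $unapproved_identifier );
-
+                } else {
                     // Otherwise we match against email addresses.
-                } else {
-                    $approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' )", $unapproved_identifier );
+                    if ( ! empty( $_GET['unapproved'] ) && ! empty( $_GET['moderation-hash'] ) ) {
+                        // Only include requested comment.
+                        $approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' AND comment_ID = %d )", $unapproved_identifier, (int) $_GET['unapproved'] );
+                    } else {
+                        // Include all of the author's unapproved comments.
+                        $approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' )", $unapproved_identifier );
+                    }
                 }
             }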
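Review bot: The enclosing method, which starts before this hunk, now reads `$_GET['unapproved']` and `$_GET['moderation-hash']` directly, so any caller that passes an email in `include_unapproved` during a request carrying those two parameters is silently narrowed to a single comment ID, whether or not the hash was ever verified against that comment. Injection is not the issue here — the value is cast with `(int)` and bound through `%d` — but the dependency on request state is invisible in the query's arguments and cannot be exercised in tests without faking superglobals. Consider having the caller that verifies the hash pass the ID in explicitly (for example a query var such as `'include_unapproved_comment' => (int) $_GET['unapproved']`) and reading `$this->query_vars` here instead of `$_GET`. Note also that `! empty()` treats `unapproved=0` as absent, which is harmless only because no comment has ID 0.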
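--- a/branches/5.3/src/wp-includes/class-wp.php
+++ b/branches/5.3/src/wp-includes/class-wp.php
@@ -404,4 +404,8 @@
         if ( is_user_logged_in() ) {
             $headers = array_merge( $headers, wp_get_nocache_headers() );
+        } elseif ( ! empty( $_GET['unapproved'] ) && ! empty( $_GET['moderation-hash'] ) ) {
+            // Unmoderated comments are only visible for one minute via the moderation hash.
+            $headers['Expires']       = gmdate( 'D, d M Y H:i:s', time() + MINUTE_IN_SECONDS );
+            $headers['Cache-Control'] = 'max-age=60, must-revalidate';
         }
         if ( ! empty( $this->query_vars['error'] ) ) {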
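Review bot: The new `Expires` value is not a valid HTTP-date: `gmdate( 'D, d M Y H:i:s', ... )` omits the mandatory ` GMT` suffix (compare the fixed `Expires` string that `wp_get_nocache_headers()` emits), so a cache that parses it strictly treats the response as already stale; use `gmdate( 'D, d M Y H:i:s', time() + MINUTE_IN_SECONDS ) . ' GMT'`. The `Cache-Control` also lacks `private`, so a shared proxy or CDN may store a page showing an unmoderated comment for up to 60 s and serve it to anyone else who follows the same moderation-hash URL; `'private, max-age=60, must-revalidate'` confines it to the commenter's own browser cache. Finally, the 60 s here is measured from the request, while the preview window in `comment.php` runs one minute from `comment_date_gmt`, so a response fetched near the end of the window can remain cached after the hash has stopped working — either derive `max-age` from the remaining window or reuse `wp_get_nocache_headers()` for this branch as well. The enclosing method starts and ends outside the hunk.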
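--- a/branches/5.3/src/wp-includes/comment-template.php
+++ b/branches/5.3/src/wp-includes/comment-template.php
@@ -998,5 +998,5 @@
      *
      * @param string          $comment_text Text of the current comment.
-     * @param WP_Comment|null $comment      The comment object.
+     * @param WP_Comment|null $comment      The comment object. Null if not found.
      * @param array           $args         An array of arguments.
      */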
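--- a/branches/5.3/src/wp-includes/comment.php
+++ b/branches/5.3/src/wp-includes/comment.php
@@ -1832,5 +1832,10 @@
 
         if ( $comment && hash_equals( $_GET['moderation-hash'], wp_hash( $comment->comment_date_gmt ) ) ) {
-            $commenter_email = $comment->comment_author_email;
+            // The comment will only be viewable by the comment author for 1 minute.
+            $comment_preview_expires = strtotime( $comment->comment_date_gmt . '+1 minute' );
+
+            if ( time() < $comment_preview_expires ) {
+                $commenter_email = $comment->comment_author_email;
+            }
         }
     }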
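Review bot: The expiry is computed with `strtotime( $comment->comment_date_gmt . '+1 minute' )`, which interprets the zone-less MySQL datetime in PHP's current default timezone; WordPress sets that to UTC during load, but any plugin that later calls `date_default_timezone_set()` shifts the one-minute window by hours, either exposing the author's email long after a minute or never. Anchoring the parse explicitly removes that dependency: `$comment_preview_expires = strtotime( $comment->comment_date_gmt . ' UTC' ) + MINUTE_IN_SECONDS;`. That form still behaves like the current code when `strtotime()` returns `false` for a bad or empty `comment_date_gmt` — the comparison fails and `$commenter_email` stays unset — which is the right fail-closed default and deserves a one-line comment so it is not "fixed" later. The one-minute value is duplicated as a literal here and as `MINUTE_IN_SECONDS` in the `class-wp.php` cache headers; a shared constant or filter would keep the two from drifting apart. The enclosing function starts before the hunk.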