- Timestamp:
- 10/17/2022 11:29:55 AM (2 years ago)
- Location:
- trunk
- Files:
-
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/src/wp-includes/comment.php
r54489 r54527 2500 2500 } 2501 2501 2502 $filter_comment = false; 2503 if ( ! has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) { 2504 $filter_comment = ! user_can( isset( $comment['user_id'] ) ? $comment['user_id'] : 0, 'unfiltered_html' ); 2505 } 2506 2507 if ( $filter_comment ) { 2508 add_filter( 'pre_comment_content', 'wp_filter_kses' ); 2509 } 2510 2502 2511 // Escape data pulled from DB. 2503 2512 $comment = wp_slash( $comment ); … … 2509 2518 2510 2519 $commentarr = wp_filter_comment( $commentarr ); 2520 2521 if ( $filter_comment ) { 2522 remove_filter( 'pre_comment_content', 'wp_filter_kses' ); 2523 } 2511 2524 2512 2525 // Now extract the merged array. -
trunk/tests/phpunit/tests/comment.php
r54489 r54527 80 80 $comment = get_comment( $comments[0] ); 81 81 $this->assertEquals( $post2->ID, $comment->comment_post_ID ); 82 } 83 84 public function test_update_comment_from_privileged_user_by_privileged_user() { 85 $admin_id_1 = self::factory()->user->create( array( 'role' => 'administrator' ) ); 86 wp_set_current_user( $admin_id_1 ); 87 88 $comment_id = wp_new_comment( 89 array( 90 'comment_post_ID' => self::$post_id, 91 'comment_author' => 'Author', 92 'comment_author_url' => 'http://example.localhost/', 93 'comment_author_email' => 'test@test.com', 94 'user_id' => $admin_id_1, 95 'comment_content' => 'This is a comment', 96 ) 97 ); 98 99 wp_set_current_user( 0 ); 100 101 $admin_id_2 = self::factory()->user->create( 102 array( 103 'role' => 'administrator', 104 'user_login' => 'test_wp_admin_get', 105 'user_pass' => 'password', 106 'user_email' => 'testadmin@test.com', 107 ) 108 ); 109 110 wp_set_current_user( $admin_id_2 ); 111 112 wp_update_comment( 113 array( 114 'comment_ID' => $comment_id, 115 'comment_content' => 'new comment <img onerror=demo src=x>', 116 ) 117 ); 118 119 $comment = get_comment( $comment_id ); 120 $expected_content = is_multisite() 121 ? 'new comment ' 122 : 'new comment <img onerror=demo src=x>'; 123 124 $this->assertSame( $expected_content, $comment->comment_content ); 125 126 wp_set_current_user( 0 ); 127 } 128 129 public function test_update_comment_from_unprivileged_user_by_privileged_user() { 130 wp_set_current_user( self::$user_id ); 131 132 $comment_id = wp_new_comment( 133 array( 134 'comment_post_ID' => self::$post_id, 135 'comment_author' => 'Author', 136 'comment_author_url' => 'http://example.localhost/', 137 'comment_author_email' => 'test@test.com', 138 'user_id' => self::$user_id, 139 'comment_content' => '<a href="http://example.localhost/something.html">click</a>', 140 ) 141 ); 142 143 wp_set_current_user( 0 ); 144 145 $admin_id = self::factory()->user->create( 146 array( 147 'role' => 'administrator', 148 'user_login' => 'test_wp_admin_get', 149 'user_pass' => 'password', 150 'user_email' => 'testadmin@test.com', 151 ) 152 ); 153 154 wp_set_current_user( $admin_id ); 155 156 wp_update_comment( 157 array( 158 'comment_ID' => $comment_id, 159 'comment_content' => '<a href="http://example.localhost/something.html" disallowed=attribute>click</a>', 160 ) 161 ); 162 163 $comment = get_comment( $comment_id ); 164 $this->assertEquals( '<a href="http://example.localhost/something.html" rel="nofollow ugc">click</a>', $comment->comment_content, 'Comment: ' . $comment->comment_content ); 165 wp_set_current_user( 0 ); 82 166 } 83 167 -
trunk/tests/phpunit/tests/rest-api/rest-comments-controller.php
r54090 r54527 2973 2973 'author_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', 2974 2974 'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', 2975 'author' => self::$editor_id, 2975 2976 ), 2976 2977 array( … … 2981 2982 'author_name' => 'div strong', 2982 2983 'author_user_agent' => 'div strong', 2984 'author' => self::$editor_id, 2983 2985 ) 2984 2986 ); … … 2990 2992 'author_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', 2991 2993 'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', 2994 'author' => self::$editor_id, 2992 2995 ), 2993 2996 array( … … 2998 3001 'author_name' => 'div strong', 2999 3002 'author_user_agent' => 'div strong', 3003 'author' => self::$editor_id, 3000 3004 ) 3001 3005 ); … … 3012 3016 'author_name' => '\\\&\\\ & &invalid; < < &lt;', 3013 3017 'author_user_agent' => '\\\&\\\ & &invalid; < < &lt;', 3018 'author' => self::$superadmin_id, 3014 3019 ), 3015 3020 array( … … 3020 3025 'author_name' => '\\\&\\\ & &invalid; < < &lt;', 3021 3026 'author_user_agent' => '\\\&\\\ & &invalid; < < &lt;', 3027 'author' => self::$superadmin_id, 3022 3028 ) 3023 3029 ); … … 3033 3039 'author_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', 3034 3040 'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', 3041 'author' => self::$superadmin_id, 3035 3042 ), 3036 3043 array( … … 3041 3048 'author_name' => 'div strong', 3042 3049 'author_user_agent' => 'div strong', 3050 'author' => self::$superadmin_id, 3043 3051 ) 3044 3052 );
Note: See TracChangeset
for help on using the changeset viewer.