Changeset 54537 for branches/6.0
- Timestamp:
- 10/17/2022 12:31:51 PM (2 years ago)
- Location:
- branches/6.0
- Files:
-
- 4 edited
branches/6.0
-
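--- a/branches/6.0/src/wp-includes/comment.php
+++ b/branches/6.0/src/wp-includes/comment.php
@@ -2465,4 +2465,13 @@
 	}
 
+	$filter_comment = false;
+	if ( ! has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) {
+		$filter_comment = ! user_can( isset( $comment['user_id'] ) ? $comment['user_id'] : 0, 'unfiltered_html' );
+	}
+
+	if ( $filter_comment ) {
+		add_filter( 'pre_comment_content', 'wp_filter_kses' );
+	}
+
 	// Escape data pulled from DB.
 	$comment = wp_slash( $comment );
@@ -2474,4 +2483,8 @@
 
 	$commentarr = wp_filter_comment( $commentarr );
+
+	if ( $filter_comment ) {
+		remove_filter( 'pre_comment_content', 'wp_filter_kses' );
+	}
 
 	// Now extract the merged array.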
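Review bot: The `add_filter( 'pre_comment_content', 'wp_filter_kses' )` added in the first hunk is only undone by the `remove_filter` in the second hunk, so any early return or exception on the path between them (that code lies outside the hunks) would leave the KSES filter attached for the rest of the request and silently alter later comment operations. If such an exit exists, the removal belongs on every exit path, or the KSES pass could be applied directly to `$commentarr['comment_content']` instead of through a request-global hook. The decision also deserves a comment, because the capability checked is that of the comment's stored author (`$comment['user_id']`, which the following line says was pulled from the DB) and not that of the user performing the update: `// Run KSES unless the comment's original author may post unfiltered HTML, regardless of who performs this update.`. The `0` fallback for a missing `user_id` relies on `user_can()` denying the capability for a non-existent user, which is worth confirming on this branch. wp_update_comment's body starts and ends outside the hunks.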
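--- a/branches/6.0/tests/phpunit/tests/comment.php
+++ b/branches/6.0/tests/phpunit/tests/comment.php
@@ -75,4 +75,88 @@
 		$comment = get_comment( $comments[0] );
 		$this->assertEquals( $post2->ID, $comment->comment_post_ID );
+	}
+
+	public function test_update_comment_from_privileged_user_by_privileged_user() {
+		$admin_id_1 = self::factory()->user->create( array( 'role' => 'administrator' ) );
+		wp_set_current_user( $admin_id_1 );
+
+		$comment_id = wp_new_comment(
+			array(
+				'comment_post_ID' => self::$post_id,
+				'comment_author' => 'Author',
+				'comment_author_url' => 'http://example.localhost/',
+				'comment_author_email' => 'test@test.com',
+				'user_id' => $admin_id_1,
+				'comment_content' => 'This is a comment',
+			)
+		);
+
+		wp_set_current_user( 0 );
+
+		$admin_id_2 = self::factory()->user->create(
+			array(
+				'role' => 'administrator',
+				'user_login' => 'test_wp_admin_get',
+				'user_pass' => 'password',
+				'user_email' => 'testadmin@test.com',
+			)
+		);
+
+		wp_set_current_user( $admin_id_2 );
+
+		wp_update_comment(
+			array(
+				'comment_ID' => $comment_id,
+				'comment_content' => 'new comment <img onerror=demo src=x>',
+			)
+		);
+
+		$comment = get_comment( $comment_id );
+		$expected_content = is_multisite()
+			? 'new comment '
+			: 'new comment <img onerror=demo src=x>';
+
+		$this->assertSame( $expected_content, $comment->comment_content );
+
+		wp_set_current_user( 0 );
+	}
+
+	public function test_update_comment_from_unprivileged_user_by_privileged_user() {
+		wp_set_current_user( self::$user_id );
+
+		$comment_id = wp_new_comment(
+			array(
+				'comment_post_ID' => self::$post_id,
+				'comment_author' => 'Author',
+				'comment_author_url' => 'http://example.localhost/',
+				'comment_author_email' => 'test@test.com',
+				'user_id' => self::$user_id,
+				'comment_content' => '<a href="http://example.localhost/something.html">click</a>',
+			)
+		);
+
+		wp_set_current_user( 0 );
+
+		$admin_id = self::factory()->user->create(
+			array(
+				'role' => 'administrator',
+				'user_login' => 'test_wp_admin_get',
+				'user_pass' => 'password',
+				'user_email' => 'testadmin@test.com',
+			)
+		);
+
+		wp_set_current_user( $admin_id );
+
+		wp_update_comment(
+			array(
+				'comment_ID' => $comment_id,
+				'comment_content' => '<a href="http://example.localhost/something.html" disallowed=attribute>click</a>',
+			)
+		);
+
+		$comment = get_comment( $comment_id );
+		$this->assertEquals( '<a href="http://example.localhost/something.html" rel="nofollow ugc">click</a>', $comment->comment_content, 'Comment: ' . $comment->comment_content );
+		wp_set_current_user( 0 );
 	}
 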
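Review bot: The assertion at new line 159 uses the loose `assertEquals` while its sibling test at line 119 uses `assertSame`; for string content `assertSame` is the precise check and keeps the two tests consistent: `$this->assertSame( '<a href="http://example.localhost/something.html" rel="nofollow ugc">click</a>', $comment->comment_content, 'Comment: ' . $comment->comment_content );`. Both tests restore the anonymous user only as their last statement, so a failing assertion leaves the administrator set for whatever runs next in the same test process unless the base test case resets it in tearDown, which cannot be confirmed from here. Each test would also benefit from a one-line docblock naming the behaviour under test, such as `Content of a comment whose author lacks unfiltered_html is passed through KSES on update, even when an administrator performs the update.`; presumably the `is_multisite()` branch exists because administrators there also lack that capability, and saying so would make the two expected values self-explanatory.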
branches/6.0/tests/phpunit/tests/rest-api/rest-comments-controller.php
r52389 r54537 2973 2973 'author_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', 2974 2974 'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', 2975 'author' => self::$editor_id, 2975 2976 ), 2976 2977 array( … … 2981 2982 'author_name' => 'div strong', 2982 2983 'author_user_agent' => 'div strong', 2984 'author' => self::$editor_id, 2983 2985 ) 2984 2986 ); … … 2990 2992 'author_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', 2991 2993 'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', 2994 'author' => self::$editor_id, 2992 2995 ), 2993 2996 array( … … 2998 3001 'author_name' => 'div strong', 2999 3002 'author_user_agent' => 'div strong', 3003 'author' => self::$editor_id, 3000 3004 ) 3001 3005 ); … … 3012 3016 'author_name' => '\\\&\\\ & &invalid; < < &lt;', 3013 3017 'author_user_agent' => '\\\&\\\ & &invalid; < < &lt;', 3018 'author' => self::$superadmin_id, 3014 3019 ), 3015 3020 array( … … 3020 3025 'author_name' => '\\\&\\\ & &invalid; < < &lt;', 3021 3026 'author_user_agent' => '\\\&\\\ & &invalid; < < &lt;', 3027 'author' => self::$superadmin_id, 3022 3028 ) 3023 3029 ); … … 3033 3039 'author_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', 3034 3040 'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>', 3041 'author' => self::$superadmin_id, 3035 3042 ), 3036 3043 array( … … 3041 3048 'author_name' => 'div strong', 3042 3049 'author_user_agent' => 'div strong', 3050 'author' => self::$superadmin_id, 3043 3051 ) 3044 3052 );
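Review bot: The new `author` entries make the provider's expectations depend on which user is recorded as the comment author, but nothing in the hunks records why; a short comment on the first dataset, e.g. `// 'author' is set explicitly because content filtering follows the comment author's capabilities: editor datasets expect stripped markup, super-admin datasets expect the raw strings.`, would tell the next reader why the two groups differ. The datasets shown are consistent with that reading (editor cases expect `'div strong'`, super-admin cases expect the unchanged input), but the enclosing provider method and the test that consumes it lie outside the hunks, so the exact path being exercised is inferred.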