Make WordPress Core


Timestamp:
02/21/2023 01:43:33 AM (22 months ago)
Author:
peterwilsoncc
Message:

Comments: Prevent replying to unapproved comments.

Introduces client and server side validation to ensure the replytocom query string parameter can not be exploited to reply to an unapproved comment or display the name of an unapproved commenter.

This only affects commenting via the front end of the site. Comment replies via the dashboard continue their current behaviour of logging the reply and approving the parent comment.

Introduces the $post parameter, defaulting to the current global post, to get_cancel_comment_reply_link() and comment_form_title().

Introduces _get_comment_reply_id() for determining the comment reply ID based on the replytocom query string parameter.

Renames the parameter $post_id to $post in get_comment_id_fields() and comment_id_fields() to accept either a post ID or WP_Post object.

Adds a new WP_Error return state to wp_handle_comment_submission() to prevent replies to unapproved comments. The error code is comment_reply_to_unapproved_comment with the message Sorry, replies to unapproved comments are not allowed..

Props costdev, jrf, hellofromtonya, fasuto, boniu91, milana_cap.
Fixes #53962.

File:
1 edited

  • trunk/src/wp-includes/comment.php

    r55324 r55369  
    34763476    }
    34773477    if ( isset( $comment_data['comment_parent'] ) ) {
    3478         $comment_parent = absint( $comment_data['comment_parent'] );
     3478        $comment_parent        = absint( $comment_data['comment_parent'] );
     3479        $comment_parent_object = get_comment( $comment_parent );
     3480
     3481        if (
     3482            0 !== $comment_parent &&
     3483            (
     3484                ! $comment_parent_object instanceof WP_Comment ||
     3485                0 === (int) $comment_parent_object->comment_approved
     3486            )
     3487        ) {
     3488            /**
     3489             * Fires when a comment reply is attempted to an unapproved comment.
     3490             *
     3491             * @since 6.2.0
     3492             *
     3493             * @param int $comment_post_id Post ID.
     3494             * @param int $comment_parent  Parent comment ID.
     3495             */
     3496            do_action( 'comment_reply_to_unapproved_comment', $comment_post_id, $comment_parent );
     3497
     3498            return new WP_Error( 'comment_reply_to_unapproved_comment', __( 'Sorry, replies to unapproved comments are not allowed.' ), 403 );
     3499        }
    34793500    }
    34803501
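Review bot: The condition at 3484-3485 folds two different situations into one error: a parent ID that resolves to no WP_Comment at all and a parent whose comment_approved is not approved both return the 403 'comment_reply_to_unapproved_comment' error with the "replies to unapproved comments" message, so a reply to a deleted or never-existing parent is reported as a reply to an unapproved one. Consider a separate error code for the missing-parent case, or at least note the overlap in the docblock. Also note that the `(int)` cast at 3485 turns the string states 'spam' and 'trash' into 0, so those parents are rejected as well; that is the safer behaviour, but the hook docblock at 3488-3495 should say so, and should mention that the action fires immediately before the WP_Error is returned so hook callbacks cannot expect the reply to be saved.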
     
    35613582
    35623583    } else {
    3563 
    35643584        /**
    35653585         * Fires before a comment is posted.
     
    35703590         */
    35713591        do_action( 'pre_comment_on_post', $comment_post_id );
    3572 
    35733592    }
    35743593
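Review bot: Whitespace-only cleanup at 3563 and 3572 (two blank lines removed inside the else branch) is bundled with the behavioural change above; acceptable, but it is not mentioned in the commit message, and keeping the security fix isolated from formatting changes makes backporting and bisecting simpler.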