
Changeset 59267


Timestamp:
10/21/2024 11:05:53 PM (3 months ago)
Author:
SergeyBiryukov
Message:

Comments: Validate new comments before and after comment data is filtered.

This ensures that a Disallowed Comment Keys match will consistently send the comment to the Trash, by checking both the original unmodified comment data and the final filtered comment data.

If the first check has already resulted in a trash or spam status, the second check is skipped as redundant.

Follow-up to [2894], [3851], [48121], [48575].

Props cfinke, kbrownkd, thompsonsj, mi5t4n, devspace, chaion07, engahmeds3ed, SergeyBiryukov.
Fixes #61827.

Location:
trunk
Files:
2 edited

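--- a/trunk/src/wp-includes/comment.php
+++ b/trunk/src/wp-includes/comment.php
@@ -2278,7 +2278,12 @@
     }
 
+    $commentdata['comment_approved'] = wp_allow_comment( $commentdata, $wp_error );
+
     $commentdata = wp_filter_comment( $commentdata );
 
-    $commentdata['comment_approved'] = wp_allow_comment( $commentdata, $wp_error );
+    if ( ! in_array( $commentdata['comment_approved'], array( 'trash', 'spam' ), true ) ) {
+        // Validate the comment again after filters are applied to comment data.
+        $commentdata['comment_approved'] = wp_allow_comment( $commentdata, $wp_error );
+    }
 
     if ( is_wp_error( $commentdata['comment_approved'] ) ) {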
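Review bot: The skip condition on the second validation pass only covers the string statuses `'trash'` and `'spam'`, so when the first `wp_allow_comment()` call returns a `WP_Error` (the `$wp_error === true` path for a rejected comment) the value is not in that array and the whole validation runs a second time on the filtered data, repeating the checks and any actions they fire before the `is_wp_error()` branch below handles the result. Guarding on the error as well keeps the first rejection authoritative: `if ( ! is_wp_error( $commentdata['comment_approved'] ) && ! in_array( $commentdata['comment_approved'], array( 'trash', 'spam' ), true ) ) {`. It would also help to extend the added comment with the reason the second pass exists, e.g. `// Validate again after filters: filtering can add or strip text, so a disallowed-keys match may differ from the unfiltered check.` The enclosing function starts before and continues after this hunk, so whether a later step depends on the second pass having run cannot be confirmed from here.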
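--- a/trunk/tests/phpunit/tests/comment/wpHandleCommentSubmission.php
+++ b/trunk/tests/phpunit/tests/comment/wpHandleCommentSubmission.php
@@ -977,3 +977,40 @@
         );
     }
+
+    public function test_disallowed_keys_match_gives_approved_status_of_trash() {
+        $data = array(
+            'comment_post_ID' => self::$post->ID,
+            'comment'         => 'Comment',
+            'author'          => 'Comment Author',
+            'email'           => 'comment@example.org',
+        );
+
+        update_option( 'disallowed_keys', "Comment\nfoo" );
+
+        $comment = wp_handle_comment_submission( $data );
+
+        $this->assertNotWPError( $comment );
+        $this->assertInstanceOf( 'WP_Comment', $comment );
+        $this->assertSame( 'trash', $comment->comment_approved );
+    }
+
+    /**
+     * @ticket 61827
+     */
+    public function test_disallowed_keys_html_match_gives_approved_status_of_trash() {
+        $data = array(
+            'comment_post_ID' => self::$post->ID,
+            'comment'         => '<a href=http://example.com/>example</a>',
+            'author'          => 'Comment Author',
+            'email'           => 'comment@example.org',
+        );
+
+        update_option( 'disallowed_keys', "href=http\nfoo" );
+
+        $comment = wp_handle_comment_submission( $data );
+
+        $this->assertNotWPError( $comment );
+        $this->assertInstanceOf( 'WP_Comment', $comment );
+        $this->assertSame( 'trash', $comment->comment_approved );
+    }
 }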
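Review bot: The first new test, `test_disallowed_keys_match_gives_approved_status_of_trash`, has no docblock while its sibling carries `@ticket 61827`; both cover the same change and the test runner's ticket grouping relies on that tag, so the first should get the same `/** @ticket 61827 */` block. The two tests only assert the trash outcome; a third case with a `disallowed_keys` value that matches neither the raw nor the filtered comment, asserting that `comment_approved` is not `'trash'`, would show that the added second validation pass does not over-reject. Both tests write the `disallowed_keys` option without restoring it, which is fine only if the suite's per-test rollback covers options — that cannot be confirmed from this hunk.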