Timestamp:
10/21/2024 11:05:53 PM (7 weeks ago)
Author:
SergeyBiryukov
Message:

Comments: Validate new comments before and after comment data is filtered.

This ensures that a Disallowed Comment Keys match will consistently send the comment to the Trash, by checking both the original unmodified comment data and the final filtered comment data.

If the first check has already resulted in a trash or spam status, the second check is skipped as redundant.

Follow-up to [2894], [3851], [48121], [48575].

Props cfinke, kbrownkd, thompsonsj, mi5t4n, devspace, chaion07, engahmeds3ed, SergeyBiryukov.
Fixes #61827.

File:
1 edited

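--- a/trunk/tests/phpunit/tests/comment/wpHandleCommentSubmission.php
+++ b/trunk/tests/phpunit/tests/comment/wpHandleCommentSubmission.php
@@ -977,3 +977,40 @@
         );
     }
+
+    public function test_disallowed_keys_match_gives_approved_status_of_trash() {
+        $data = array(
+            'comment_post_ID' => self::$post->ID,
+            'comment'         => 'Comment',
+            'author'          => 'Comment Author',
+            'email'           => 'comment@example.org',
+        );
+
+        update_option( 'disallowed_keys', "Comment\nfoo" );
+
+        $comment = wp_handle_comment_submission( $data );
+
+        $this->assertNotWPError( $comment );
+        $this->assertInstanceOf( 'WP_Comment', $comment );
+        $this->assertSame( 'trash', $comment->comment_approved );
+    }
+
+    /**
+     * @ticket 61827
+     */
+    public function test_disallowed_keys_html_match_gives_approved_status_of_trash() {
+        $data = array(
+            'comment_post_ID' => self::$post->ID,
+            'comment'         => '<a href=http://example.com/>example</a>',
+            'author'          => 'Comment Author',
+            'email'           => 'comment@example.org',
+        );
+
+        update_option( 'disallowed_keys', "href=http\nfoo" );
+
+        $comment = wp_handle_comment_submission( $data );
+
+        $this->assertNotWPError( $comment );
+        $this->assertInstanceOf( 'WP_Comment', $comment );
+        $this->assertSame( 'trash', $comment->comment_approved );
+    }
 }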
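Review bot: Neither new test exercises a disallowed key that matches only the *filtered* comment data, even though the commit message introduces a second, post-filter check for exactly that case; both fixtures (`Comment`, and `href=http` in the unquoted attribute) already match the raw submission, so the tests would pass with the pre-filter check alone. If the filtered form of the HTML fixture is predictable in the test environment (I cannot confirm from here what kses or the `pre_comment_content` filters emit), a third test with a key that appears only in the normalised markup would pin the second check down and catch a regression that drops it. The first test also lacks the `/** @ticket 61827 */` docblock the second carries; adding it keeps the pair consistent and ties the bypass regression to its ticket. Both tests write `disallowed_keys` via `update_option()` without restoring it — presumably the WP test case rolls options back between tests, but that is worth confirming so the option does not leak into later tests in this class.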