

Timestamp:
10/29/2024 03:36:56 PM (5 weeks ago)
Author:
SergeyBiryukov
Message:

Comments: Use a more precise check for disallowed keys on filtered comment data.

The previous approach of running wp_allow_comment() twice could have unintended consequences: for example, the check_comment_flood action was also triggered twice, which could lead to a false-positive comment-flood detection if a custom callback hooked to it does not expect to see identical data twice.

This commit introduces a new function, wp_check_comment_data(), to specifically check for disallowed content before and after comment data is filtered.

Follow-up to [59267].

Props david.binda, SergeyBiryukov.
See #61827.

File:
1 edited

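--- a/trunk/tests/phpunit/tests/comment/wpHandleCommentSubmission.php
+++ b/trunk/tests/phpunit/tests/comment/wpHandleCommentSubmission.php
@@ -990,7 +990,6 @@
         $comment = wp_handle_comment_submission( $data );
 
-        $this->assertNotWPError( $comment );
-        $this->assertInstanceOf( 'WP_Comment', $comment );
-        $this->assertSame( 'trash', $comment->comment_approved );
+        $this->assertInstanceOf( 'WP_Comment', $comment, 'The comment was not submitted.' );
+        $this->assertSame( 'trash', $comment->comment_approved, 'The wrong approved status was returned.' );
     }
 
@@ -1010,7 +1009,33 @@
         $comment = wp_handle_comment_submission( $data );
 
-        $this->assertNotWPError( $comment );
-        $this->assertInstanceOf( 'WP_Comment', $comment );
-        $this->assertSame( 'trash', $comment->comment_approved );
+        $this->assertInstanceOf( 'WP_Comment', $comment, 'The comment was not submitted.' );
+        $this->assertSame( 'trash', $comment->comment_approved, 'The wrong approved status was returned.' );
+    }
+
+    /**
+     * @ticket 61827
+     */
+    public function test_disallowed_keys_filtered_html_match_does_not_call_check_comment_flood_action_twice() {
+        $data = array(
+            'comment_post_ID' => self::$post->ID,
+            'comment'         => '<a href=http://example.com/>example</a>',
+            'author'          => 'Comment Author',
+            'email'           => 'comment@example.org',
+        );
+
+        update_option( 'disallowed_keys', "href=\\\"http\nfoo" );
+
+        $pre_comment_approved = new MockAction();
+        $check_comment_flood  = new MockAction();
+        add_filter( 'pre_comment_approved', array( $pre_comment_approved, 'filter' ), 10, 2 );
+        add_action( 'check_comment_flood', array( $check_comment_flood, 'action' ), 10, 4 );
+
+        $comment = wp_handle_comment_submission( $data );
+
+        $this->assertInstanceOf( 'WP_Comment', $comment, 'The comment was not submitted.' );
+        $this->assertSame( 'trash', $comment->comment_approved, 'The wrong approved status was returned.' );
+
+        $this->assertSame( 2, $pre_comment_approved->get_call_count(), 'The `pre_comment_approved` filter was not called twice.' );
+        $this->assertSame( 1, $check_comment_flood->get_call_count(), 'The `check_comment_flood` action was not called exactly once.' );
     }
 }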
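Review bot: The assertion `$this->assertSame( 2, $pre_comment_approved->get_call_count(), ... )` in the new test pins `pre_comment_approved` to exactly two invocations without saying why two is correct, even though the commit's stated aim is to stop hooks from seeing identical comment data twice. Presumably the filter is expected once per disallowed-keys pass (raw and filtered data) while only `check_comment_flood` must fire once, but a reader cannot tell whether the 2 is a requirement or an implementation detail being locked in; a comment such as `// pre_comment_approved is expected once per check pass (raw and filtered data); only the flood check must run once.` above the two count assertions would make the contract explicit. The `disallowed_keys` value `href=\"http` also deserves a comment: the submitted markup is `<a href=http://example.com/>` with no quote, so the key can only match after the comment has been filtered and normalized, which is the point of the test but is not obvious from the literal. The two earlier tests whose assertions change in this section begin outside the hunk.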