inline reply removes images

[hebbet]

repro:
reply to a comment through comments list in admin.
add an images to it.
click on submit

what happens:
Image isn't saved in the comment

[SergeyBiryukov]

wp_comment_form_unfiltered_html_nonce() creates a nonce based on the post ID of the last comment in the list instead of a current comment, so the nonce check in admin-ajax.php is not satisfied:

if ( current_user_can('unfiltered_html') ) {
	if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
		kses_remove_filters(); // start with a clean slate
		kses_init_filters(); // set up the filters
	}
}

What is the proper way to fix this?

[SergeyBiryukov]

Related: #3973

[nacin]

In the admin, we might be able to change the nonce to a generic one for the screen. Other option is an individual wp_nonce_field() for every comment.

[SergeyBiryukov]

That check was copied from wp-comments-post.php in [8720], however in admin-ajax.php we already have check_ajax_referer():

​http://core.trac.wordpress.org/browser/tags/3.2.1/wp-admin/admin-ajax.php#L628

Isn't that enough to prevent possible XSRF described in #3973?

[nacin]

Patch attached.

Yes, it would protect against CSRF. Ideally we're object-specific with our nonces where possible, but in this case, we can't do that efficiently, so this will work fine.

Approved by westi and ryan.

[azaozz]

In [18852]:

Fix unfiltered_html_comment nonce, props nacin, fixes #18319