Make WordPress Core

Opened 10 years ago

Closed 9 years ago

#2714 closed defect (bug) (fixed)

comments with HTML can wreck Moderation Queue window

Reported by: DjLizard Owned by: markjaquith
Milestone: 2.0.6 Priority: normal
Severity: normal Version: 2.0.2
Component: Administration Keywords: html moderation queue comment bg|has-patch
Focuses: Cc:


I keep getting comment spam which is causing some havoc in the moderate comments menu. The spammer, for whatever reason, is simply posting the following:

Allowed HTML: <a href="" title="" rel="" rel="nofollow"> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> 
<code> <div align=""> <em> <font color="" size="" face=""> <i> <li> <ol> <strike> <strong> <sub> <sup>

I don't know why the spammer is just pasting crap off of my page (no Viagra ads, etc). The second spam (from the same person) simply said "nbnbbnmmhmhgjf", so I don't really get the point of the spam. Anyway, the first one messes up the moderation Queue window, to where nothing can be clicked, because it is all one giant hyperlinked, strikethrough'd element. I have to delete the comment via MySQL (hard), or by clicking the delete hyperlink in the "Please moderate:" email I recieve when there's a new comment (easier). I can probably fix the Moderation Queue page myself so that it doesn't allow this kind of attack, but I just wanted to let the Wordpress devs know about it because this is the third time I've gotten this spam in a span of 6 months.

Attachments (2)

2714.diff (914 bytes) - added by Nazgul 9 years ago.
2714b.diff (918 bytes) - added by Nazgul 9 years ago.

Download all attachments as: .zip

Change History (14)

#1 @markjaquith
10 years ago

  • Milestone set to 2.1
  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

I've gotten this too. We should force comments to be run through the filter that closes open tags, at least in the admin.

#2 @Nazgul
9 years ago

  • Keywords bg|has-patch added

I got tired of dealing with this type of spam, so I coded a small fix and hope it's of use to somebody else as well.

Also, could somebody tell me what the $is_comment argument in the balanceTags function is used for? It isn't used in the function itself and none of the calling functions pass it in. Can't it be removed?

9 years ago

#3 @markjaquith
9 years ago

+1 from me

#4 @robmiller
9 years ago

+1 from me too.

9 years ago

#5 @Nazgul
9 years ago

New patch, which uses the naming convention suggested by Ryan.

#6 @ryan
9 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3963]) Force balanced tags in comments. Props Nazgul. fixes #2714

#7 @ryan
9 years ago

(In [3964]) Force balanced tags in comments. Props Nazgul. fixes #2714

#8 @ryan
9 years ago

  • Milestone changed from 2.1 to 2.0.4

#9 @anonymous
9 years ago

  • Milestone 2.0.4 deleted

Milestone 2.0.4 deleted

#10 @markjaquith
9 years ago

  • Milestone set to 2.0.6
  • Resolution fixed deleted
  • Status changed from closed to reopened

This is fixed in 2.1 but NOT in 2.0.x [3964] didn't quite do the trick.

Also, Nazgul is right... $is_comment is not used, so I'm going to remove it.

#11 @markjaquith
9 years ago

(In [4662]) Remove unused is_comment param in balanceTags() relates to #2714

#12 @markjaquith
9 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [4663]) Sync balanceTags() and force_balance_tags() to trunk. fixes #2714

Note: See TracTickets for help on using tickets.