WordPress.org

Make WordPress Core

Opened 8 years ago

Closed 7 years ago

#2714 closed defect (bug) (fixed)

comments with HTML can wreck Moderation Queue window

Reported by: DjLizard Owned by: markjaquith
Milestone: 2.0.6 Priority: normal
Severity: normal Version: 2.0.2
Component: Administration Keywords: html moderation queue comment bg|has-patch
Focuses: Cc:

Description

I keep getting comment spam which is causing some havoc in the moderate comments menu. The spammer, for whatever reason, is simply posting the following:

Allowed HTML: <a href="" title="" rel="" rel="nofollow"> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> 
<code> <div align=""> <em> <font color="" size="" face=""> <i> <li> <ol> <strike> <strong> <sub> <sup>
<ul>

I don't know why the spammer is just pasting crap off of my page (no Viagra ads, etc). The second spam (from the same person) simply said "nbnbbnmmhmhgjf", so I don't really get the point of the spam. Anyway, the first one messes up the moderation Queue window, to where nothing can be clicked, because it is all one giant hyperlinked, strikethrough'd element. I have to delete the comment via MySQL (hard), or by clicking the delete hyperlink in the "Please moderate:" email I recieve when there's a new comment (easier). I can probably fix the Moderation Queue page myself so that it doesn't allow this kind of attack, but I just wanted to let the Wordpress devs know about it because this is the third time I've gotten this spam in a span of 6 months.

Attachments (2)

2714.diff (914 bytes) - added by Nazgul 8 years ago.
2714b.diff (918 bytes) - added by Nazgul 8 years ago.

Download all attachments as: .zip

Change History (14)

comment:1 markjaquith8 years ago

  • Milestone set to 2.1
  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

I've gotten this too. We should force comments to be run through the filter that closes open tags, at least in the admin.

comment:2 Nazgul8 years ago

  • Keywords bg|has-patch added

I got tired of dealing with this type of spam, so I coded a small fix and hope it's of use to somebody else as well.

Also, could somebody tell me what the $is_comment argument in the balanceTags function is used for? It isn't used in the function itself and none of the calling functions pass it in. Can't it be removed?

Nazgul8 years ago

comment:3 markjaquith8 years ago

+1 from me

comment:4 robmiller8 years ago

+1 from me too.

Nazgul8 years ago

comment:5 Nazgul8 years ago

New patch, which uses the naming convention suggested by Ryan.

comment:6 ryan8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3963]) Force balanced tags in comments. Props Nazgul. fixes #2714

comment:7 ryan8 years ago

(In [3964]) Force balanced tags in comments. Props Nazgul. fixes #2714

comment:8 ryan8 years ago

  • Milestone changed from 2.1 to 2.0.4

comment:9 anonymous7 years ago

  • Milestone 2.0.4 deleted

Milestone 2.0.4 deleted

comment:10 markjaquith7 years ago

  • Milestone set to 2.0.6
  • Resolution fixed deleted
  • Status changed from closed to reopened

This is fixed in 2.1 but NOT in 2.0.x [3964] didn't quite do the trick.

Also, Nazgul is right... $is_comment is not used, so I'm going to remove it.

comment:11 markjaquith7 years ago

(In [4662]) Remove unused is_comment param in balanceTags() relates to #2714

comment:12 markjaquith7 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [4663]) Sync balanceTags() and force_balance_tags() to trunk. fixes #2714

Note: See TracTickets for help on using tickets.