Make WordPress Core

Opened 19 years ago

Closed 18 years ago

#2714 closed defect (bug) (fixed)

comments with HTML can wreck Moderation Queue window

Reported by: DjLizard
Owned by: markjaquith
Milestone: 2.0.6
Priority: normal
Severity: normal
Version: 2.0.2
Component: Administration
Keywords: html moderation queue comment bg|has-patch
Focuses:
Cc:

Description

I keep getting comment spam which is causing some havoc in the moderate comments menu. The spammer, for whatever reason, is simply posting the following:

Allowed HTML: <a href="" title="" rel="" rel="nofollow"> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> 
<code> <div align=""> <em> <font color="" size="" face=""> <i> <li> <ol> <strike> <strong> <sub> <sup>
<ul>

I don't know why the spammer is just pasting crap off of my page (no Viagra ads, etc). The second spam (from the same person) simply said "nbnbbnmmhmhgjf", so I don't really get the point of the spam. Anyway, the first one messes up the Moderation Queue window, to where nothing can be clicked, because it is all one giant hyperlinked, strikethrough'd element. I have to delete the comment via MySQL (hard), or by clicking the delete hyperlink in the "Please moderate:" email I receive when there's a new comment (easier). I can probably fix the Moderation Queue page myself so that it doesn't allow this kind of attack, but I just wanted to let the WordPress devs know about it because this is the third time I've gotten this spam in a span of 6 months.

Attachments (2)

2714.diff (914 bytes) - added by Nazgul 18 years ago.
2714b.diff (918 bytes) - added by Nazgul 18 years ago.


Change History (14)

#1 @markjaquith
19 years ago

  • Milestone set to 2.1
  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

I've gotten this too. We should force comments to be run through the filter that closes open tags, at least in the admin.

#2 @Nazgul
18 years ago

  • Keywords bg|has-patch added

I got tired of dealing with this type of spam, so I coded a small fix and hope it's of use to somebody else as well.

Also, could somebody tell me what the $is_comment argument in the balanceTags function is used for? It isn't used in the function itself and none of the calling functions pass it in. Can't it be removed?

@Nazgul
18 years ago

#3 @markjaquith
18 years ago

+1 from me

#4 @robmiller
18 years ago

+1 from me too.

@Nazgul
18 years ago

#5 @Nazgul
18 years ago

New patch, which uses the naming convention suggested by Ryan.

#6 @ryan
18 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3963]) Force balanced tags in comments. Props Nazgul. fixes #2714

#7 @ryan
18 years ago

(In [3964]) Force balanced tags in comments. Props Nazgul. fixes #2714

#8 @ryan
18 years ago

  • Milestone changed from 2.1 to 2.0.4

#9 @(none)
18 years ago

  • Milestone 2.0.4 deleted

#10 @markjaquith
18 years ago

  • Milestone set to 2.0.6
  • Resolution fixed deleted
  • Status changed from closed to reopened

This is fixed in 2.1 but NOT in 2.0.x. [3964] didn't quite do the trick.

Also, Nazgul is right... $is_comment is not used, so I'm going to remove it.

#11 @markjaquith
18 years ago

(In [4662]) Remove unused is_comment param in balanceTags() relates to #2714

#12 @markjaquith
18 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [4663]) Sync balanceTags() and force_balance_tags() to trunk. fixes #2714
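
The fix discussed in this ticket, closing any tags a comment leaves open before it is rendered in the admin, can be illustrated with a small stack-based balancer. This is an added example, not WordPress's balanceTags() or force_balance_tags() code; the function name close_open_tags() is hypothetical and the parser is deliberately simplified.

```php
<?php
// Added example: simplified stack-based tag balancer, NOT WordPress's own code.
// close_open_tags() is a hypothetical name. Assumption: attribute values do not
// contain '<' or '>', and HTML nesting rules beyond open/close are ignored.
function close_open_tags(string $html): string
{
    $void  = ['br', 'hr', 'img', 'input'];   // elements that never take a closing tag
    $stack = [];                             // names of currently open elements
    $out   = '';

    // Split the comment into text and tag tokens, keeping the tags.
    $tokens = preg_split('/(<\/?[a-zA-Z][^<>]*>)/', $html, -1,
        PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);

    foreach ($tokens as $tok) {
        if (!preg_match('/^<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^<>]*?(\/?)>$/', $tok, $m)) {
            $out .= $tok;                    // plain text passes through unchanged
            continue;
        }
        $name = strtolower($m[2]);

        if ($m[1] === '/') {                 // closing tag
            if (!in_array($name, $stack, true)) {
                continue;                    // stray closing tag: drop it
            }
            do {                             // close inner elements first
                $top  = array_pop($stack);
                $out .= "</$top>";
            } while ($top !== $name);
            continue;
        }

        $out .= $tok;                        // opening or self-closing tag
        if (empty($m[3]) && !in_array($name, $void, true)) {
            $stack[] = $name;                // remember it until it is closed
        }
    }

    while ($stack) {                         // close whatever the comment left open
        $out .= '</' . array_pop($stack) . '>';
    }
    return $out;
}

// Comment body quoted in this ticket's description (shortened here).
$spam = 'Allowed HTML: <a href="" title=""> <abbr title=""> <b> <strike> <ul>';
echo close_open_tags($spam), "\n";
// Constructed input: a stray closing tag and mis-nested inline elements.
echo close_open_tags('stray </div> and <em>nested <b>text</em>'), "\n";
```

With the ticket's comment as input, every element the spammer opened is closed at the end of the comment, so the link and strikethrough no longer extend over the rest of the moderation page.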
