Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#29563 closed defect (bug) (invalid)

WordPress does not preserve original comment text in database

Reported by: AmbushCommander
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.1
Component: Comments
Keywords:
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

Steps to reproduce:

  1. Write a comment which contains some invalid HTML, e.g. <s>a</s>
  2. Submit comment
  3. View comment in database

Expected results: Comment in database is original, verbatim comment input by commenter

Actual result: Comment in database has had HTML stripped out, e.g.

mysql> select comment_content from wp_comments where comment_id = 2;
+-----------------+
| comment_content |
+-----------------+
| a               |
+-----------------+
1 row in set (0.00 sec)

This is bad behavior because if a user formats a comment incorrectly, WordPress will silently eat their markup, and an administrator has no way of retroactively going and fixing the comment. WordPress should *always always always* keep the original text.

Change History (3)

#1 @SergeyBiryukov
6 years ago

  • Description modified (diff)
  • Focuses ui removed
  • Summary changed from Wordpress does not preserve original comment text in database to WordPress does not preserve original comment text in database

#2 @miqrogroove
6 years ago

  • Resolution set to invalid
  • Status changed from new to closed
  • Version changed from 3.9.2 to 3.1

kses has been hooked to the comment_text filter since at least 3.1.0. This is by design, and I see no reason to change it.

You could easily remove that security mechanism or modify it as needed to save raw inputs.

#3 @SergeyBiryukov
6 years ago

  • Milestone Awaiting Review deleted
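
Added example (not part of the ticket and not WordPress core code): one way to act on the "modify it as needed to save raw inputs" suggestion in comment #2 while leaving the kses filtering in place, by keeping the submitted text in comment meta next to the filtered comment_content. The class name and meta key are hypothetical, and the file is assumed to be loaded as a plugin.

```php
<?php
/**
 * Plugin Name: Keep Raw Comment Text (added example, not WordPress core code)
 */

final class Example_Raw_Comment_Keeper {
	// Hypothetical meta key chosen for this example.
	const META_KEY = '_example_raw_comment_content';

	// Raw text of the comment being processed in this request.
	private static $pending = null;

	public static function init() {
		add_filter( 'preprocess_comment', array( __CLASS__, 'capture' ), 1 );
		add_action( 'comment_post', array( __CLASS__, 'store' ), 10, 1 );
	}

	// Runs inside wp_new_comment() before the comment content is filtered.
	public static function capture( $commentdata ) {
		if ( isset( $commentdata['comment_content'] ) ) {
			self::$pending = $commentdata['comment_content'];
		}
		return $commentdata;
	}

	// Runs after the filtered comment row has been inserted.
	public static function store( $comment_id ) {
		if ( null === self::$pending ) {
			return;
		}
		// The captured text is still slashed; add_comment_meta() unslashes it.
		add_comment_meta( $comment_id, self::META_KEY, self::$pending, true );
		self::$pending = null;
	}

	// The raw text is untrusted input: moderators only, always escaped.
	public static function get_for_display( $comment_id ) {
		if ( ! current_user_can( 'moderate_comments' ) ) {
			return '';
		}
		return esc_html( get_comment_meta( $comment_id, self::META_KEY, true ) );
	}
}

Example_Raw_Comment_Keeper::init();
```

The public comment output still comes from the filtered comment_content column; the stored original is only for a moderator reviewing what the commenter typed.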