Make WordPress Core

Opened 4 months ago

Last modified 2 months ago

#43177 new defect (bug)

REST API allows empty comments containing only whitespace

Reported by: jaswrks Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: trunk
Component: REST API Keywords: needs-unit-tests has-patch
Focuses: rest-api Cc:


I can POST the following to the REST API endpoint for comments and it slides through so long as it's not an empty string. Just adding a single space results in an empty comment.

	"post": 1,
	"content": " "

I suggest trim() empty check. Or, a more robust alternative: https://gist.github.com/jaswrks/d662f4ba8b379e7602c8f80f7b1bb82e

Attachments (2)

43177.patch (2.4 KB) - added by jaswrks 4 months ago.
Trim comment content before checking if empty.
43177.2.patch (2.5 KB) - added by jaswrks 3 months ago.
Take 2, use '' === trim(

Download all attachments as: .zip

Change History (11)

#1 @rmccue
4 months ago

For frontend submissions, this is usually handled by wp_handle_comment_submission, which trim()s author name, author URL, author email, and content. Likewise, wp_ajax_replyto_comment() trims the content.

However, XML-RPC does not trim the content, so it's possible to submit a whitespace-only string there.

Since creating a comment is an authenticated-only endpoint out-of-the-box, I think the current behaviour is fine; if an authenticated user really wants to submit empty content, they should be able to.

#2 @jaswrks
4 months ago

Thanks for the reconnaissance with respect to wp_handle_comment_submission() and the AJAX handler. I noticed this also and considered not opening this ticket when I reviewed tickets from the past that mentioned this.

However, I respectfully disagree that it should be possible to submit a whitespace-only comment via the REST API. The code, as it exists now, intends to prevent an empty comment from being submitted. The problem, as I see it, is not a matter of whether this should be allowed or not, because it's already the case that an empty comment should not be allowed. The problem is that the existing code fails to do this.

For example, I can submit a string that contains nothing but whitespace, and it accepts this, and then returns an object in the response with the content having been trimmed. So in fact it is an empty comment. The existing code just needs to trim before accepting the submission that really is just an empty string in the eyes of other core code.

#3 @dd32
4 months ago

FWIW, I think it makes sense to enforce trim()'ing the fields in both XML-RPC and the REST API, plus in wp_ajax_replyto_comment() if any of the values there aren't.

4 months ago

Trim comment content before checking if empty.

#4 @jaswrks
4 months ago

My patch covers all three of the areas mentioned. Please let me know if it needs any further changes.

#5 @rmccue
3 months ago

I'd prefer '' === trim( $x ) over ! trim( $x ) just to be explicit, but I think it looks good otherwise.

3 months ago

Take 2, use '' === trim(

#6 @jaswrks
3 months ago

@rmccue Thank you for reviewing :-) Most recent patch uses '' === as you suggested.

This ticket was mentioned in Slack in #core-restapi by kadamwhite. View the logs.

2 months ago

This ticket was mentioned in Slack in #core-restapi by schlessera. View the logs.

2 months ago

#9 @schlessera
2 months ago

  • Keywords needs-unit-tests has-patch added
  • Milestone changed from Awaiting Review to Future Release
Note: See TracTickets for help on using tickets.