WordPress.org

Make WordPress Core

#48677 closed defect (bug) (wontfix)

Comments are attempted to be parsed as HTML

Reported by: jqz
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.2.4
Component: Comments
Keywords:
Focuses:
Cc:

Description

I know that historically the comment system allowed HTML in comments.

But this is 2019. No-one expects to be able to put HTML into a comment nowadays.

If any formatting should be allowed, it should be Markdown.

Also, there are many sites, not least wordpress.org, where people would like to be able to put examples of HTML into their comment, without it being parsed as HTML and the tags stripped.

### Example of bug #-1

#### Steps to reproduce:

  1. Submit a comment with the following content:

```html
<q>test1</q>
<div>test2</div>
<p>test3</p>
```

#### Expected result (yes, verbatim, with properly escaped &lt; etc. in the page source):

```html
<q>test1</q>
<div>test2</div>
<p>test3</p>
```

#### Actual result:

```
test1
test2
test3
```

### Example of bug #-2

https://wordpress.org/support/topic/is-not-an-allowed-child-of-2/

"you broke it. well done =)"

The fact that I can inadvertently screw up your support page layout with a couple of HTML tags in the title or description suggests that there could be an XSS attack waiting to happen somewhere.

### Conclusion

Please just allow text only in comments, and include all content of the text, including all things that look like HTML tags but are actually intended to be presented just as they are, as text.

You should HTML-escape (htmlspecialchars) the content always when it's actually rendered to the page, but never at any other time, e.g., when it is stored in or retrieved from the database. If you try to HTML-escape content at the wrong time, you will end up with HTML entities displayed on the page instead of the intended character (<, >, &, ", ').

Like I said, no-one expects HTML comments to be supported any more in 2019, they are more likely to expect Markdown. Markdown support could be provided via a plugin. Almost no-one posts a picture in a comment by inserting an <img> tag, but if that were desirable, there could be a plugin for it (e.g. Facebook has a UI to add a picture to a 'status update') with a proper UI for uploading.

This is probably not a security issue, as those should have all been dealt with by now, but I can't confidently tick the box to say it isn't. Though apparently I have to to submit this ticket :/
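The escape-at-render rule from the description above, as an added example that is not part of the original ticket and is not WordPress code. It uses plain PHP `htmlspecialchars`; the array standing in for the database and the function names `render_text`, `store_raw` and `store_escaped` are hypothetical.

```php
<?php
// Constructed sample input, based on the ticket's reproduction steps.
$submitted = "<q>test1</q>\n<div>test2</div>\n<p>test3</p> & \"quotes\"";

/** Escape for an HTML text or attribute context, at render time only. */
function render_text(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hypothetical storage layer: an array stands in for the database. */
function store_raw(array &$db, string $comment): void
{
    $db[] = $comment;               // stored exactly as typed, no escaping
}

function store_escaped(array &$db, string $comment): void
{
    $db[] = render_text($comment);  // the mistake: escaping before storage
}

$good = [];
$bad  = [];
store_raw($good, $submitted);
store_escaped($bad, $submitted);

// Both code paths escape once more when the comment is written to the page.
$goodHtml = render_text($good[0]);
$badHtml  = render_text($bad[0]);

// A browser decodes entities once; html_entity_decode models what the reader sees.
$seenGood = html_entity_decode($goodHtml, ENT_QUOTES, 'UTF-8');
$seenBad  = html_entity_decode($badHtml, ENT_QUOTES, 'UTF-8');

echo "page source, escaped on output only:\n$goodHtml\n\n";
echo "page source, escaped at storage and again at output:\n$badHtml\n\n";

// Does the reader see the comment exactly as it was typed?
var_dump($seenGood === $submitted);
// Does the double-escaped path show literal entities to the reader?
var_dump(strpos($seenBad, '&lt;q&gt;') === 0);
// Is the rendered output free of any raw tag opener?
var_dump(strpos($goodHtml, '<') === false);
```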

Change History (4)

#1 @SergeyBiryukov
13 months ago

  • Focuses ui javascript docs administration privacy ui-copy coding-standards removed

#2 @joyously
13 months ago

> No-one expects to be able to put HTML into a comment nowadays.

This isn't true. All of the users of WordPress expect it.

This page shows the function that you can use to find the allowed HTML tags.
https://developer.wordpress.org/reference/functions/allowed_tags/

It has historically included the <code> tag, so that users can put HTML in their comments without it being parsed as HTML. (Most themes used to show those allowed tags near the comment box, but that has become uncool or something.)

As you say,

> Markdown support could be provided via a plugin.

This ticket was mentioned in Slack in #core by peterwilsoncc.
12 months ago

#4 @peterwilsoncc
12 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

This was discussed during a triage session in the WordPress Slack.

In order to maintain backward compatibility, I'm going to close this as won't fix. There are a number of plugins available for site owners wishing to disable HTML support in the comment form.
