Make WordPress Core

Opened 22 months ago

Last modified 22 months ago

#49869 new defect (bug)

Apply comment field filters to backend

Reported by: ttodua Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Comments Keywords:
Focuses: Cc:


Recently, I had to work on an internally consuming WP project. I am a bit surprised how WP filters are mainly affecting only visual side, instead of applying to backend functions.

so, for example:

add_filter('comment_form_default_fields', 'website_remove');
function website_remove($fields)
	if( isset($fields['url']) )
	return $fields;

it only removes 'url' input field from output of comment form. So, what is the point of that, if it can be simply achieved by css display:none. ? the intention is clear, that it should REMOVE "url" parameter from comment system at all.
However, at this moment, even if people use 'comment_form_default_fields' filter to remove url, it is almost meaningless - anyone in front-end form can just insert url field (i mainly say bots, but also typical user can just insert "url" parameter in browser "inspect element") and submit form and in backend, in wp-includes/comment.php :: wp_handle_comment_submission still accepts the url field.

In parallel of the fact that WP advocates "never trust user input", the filters should be applied firstly and mostly to backend functions in my mind. I firmly reckon that the filters (in any other WP form too) should be applied in both front-end and back-end functions for same parameter.

So in backend, the same filter should be applied to comment fields ( in wp-includes/comment.php :: wp_handle_comment_submission):

$comment_data = apply_filters('comment_form_default_fields', $comment_data, true);

the third parameter is indication whether the filter is in BACK-END (true) or FRONT-END (false).
So, in front-end output of comments (wp-includes\comment-template.php, function comment_form) the filter can now be:

$fields = apply_filters( 'comment_form_default_fields', $fields, false );

instead of

$fields = apply_filters( 'comment_form_default_fields', $fields);

Hope you understand my concern. Every filter for fields should affect two places - output and input.

Attachments (1)

49869.patch (1.4 KB) - added by ttodua 22 months ago.

Download all attachments as: .zip

Change History (3)

22 months ago

#1 @SergeyBiryukov
22 months ago

  • Component changed from General to Comments

#2 @ttodua
22 months ago

Moreover, if WP was more object-oriented in full details, there should have been the 3rd place where the same hook should be applied - to EXISTING DATA.
So, ideally:

-in output (during comment-form):

$output_fields  = apply_filters('comment_form_default_fields', $fields, "is_frontend");

-in backend (during save):

$output_fields  = apply_filters('comment_form_default_fields', $fields, "is_backend");

-in getting the existing data (i.e. in function "get_comment_author_link"):

$existing_fields= apply_filters('comment_form_default_fields', $fields, "is_existing");
Note: See TracTickets for help on using tickets.