#51044 closed defect (bug) (fixed)
preprocess_comment filter is mising some data (like user agent)
Reported by: | zodiac1978 | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.6 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Comments | Keywords: | has-patch |
Focuses: | Cc: |
Description
In /wp-includes/comments.php
there is a filter preprocess_comment
https://codex.wordpress.org/Plugin_API/Filter_Reference/preprocess_comment
https://developer.wordpress.org/reference/hooks/preprocess_comment/
The documentation says: "Filters a comment’s data before it is sanitized and inserted into the database."
But the $commentdata
which is mentioned in the filter is not only sanitized afterwards, it is also filled with some data.
First the filter:
https://github.com/WordPress/WordPress/blob/c64297ce61aa9c81af3beb6027f4a4bbd8f5f757/wp-includes/comment.php#L2198
Then sanitation:
https://github.com/WordPress/WordPress/blob/c64297ce61aa9c81af3beb6027f4a4bbd8f5f757/wp-includes/comment.php#L2200-L2217
But then there are added some more information (like useragent, date, comment type):
https://github.com/WordPress/WordPress/blob/c64297ce61aa9c81af3beb6027f4a4bbd8f5f757/wp-includes/comment.php#L2219-L2222
Especially the user agent could be interesting for some antispam plugins and it is unexpected that this data is added *after* the filter to preprocess a comment.
Maybe related: #47447
Attachments (1)
Change History (10)
#3
in reply to:
↑ 1
;
follow-up:
↓ 4
@
4 years ago
Replying to SergeyBiryukov:
Good catch, it seems like the filter should be moved directly above the
wp_filter_comment()
call.
I do not think that's the correct way here, because the filter would change the behavior then.
The description of the filter is: "Filters a comment’s data *before* it is sanitized" (emphasize mine). if we move the filter before the wp_filter_comment()
call it would be already sanitized.
But maybe we could move the additions before the filter call?
#4
in reply to:
↑ 3
@
4 years ago
Replying to zodiac1978:
The description of the filter is: "Filters a comment’s data *before* it is sanitized" (emphasize mine). if we move the filter before the
wp_filter_comment()
call it would be already sanitized.
But maybe we could move the additions before the filter call?
I think I interpreted wp_filter_comment()
as sanitization, as its description is "Filters and sanitizes comment data", and there are some filters in default-filters.php
attached to its hooks. But yeah, there is also some other sanitization code.
It seems like at least comment_author_IP
and comment_agent
could be set before preprocess_comment
.
Good catch, it seems like the filter should be moved directly above the
wp_filter_comment()
call.