Opened 3 years ago
Last modified 6 months ago
#57343 new defect (bug)
HTML in comments is automatically deleted
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | major | Version: | 6.1.1 |
| Component: | Comments | Keywords: | needs-patch |
| Focuses: | | Cc: | |
Description
If I add a photo, or a class for a link, or something else, they're immediately removed when I save them.
Change History (8)
#2
@
3 years ago
Hi @kalpeshh,
I discovered that only administrators can add full HTML tags in comments, and this was the problem: I tried to edit a comment created by a user. WP should be more clear about these limits, or allow a comment to be marked as “administrator” if edited by an administrator.
#3
@
3 years ago
- Keywords 2nd-opinion added; needs-screenshots needs-testing-info removed
Hi @locksoft, yes, with a non-admin user, CSS classes are removed by WordPress, which should be the case, as most of the visitors of your website won't be technical enough to check the available CSS classes of your theme and apply these classes in a comment.
If you consider a case where they want to use their own CSS class, it is not allowed to either include your own CSS file or put inline CSS.
Is there any case you have in mind where you have a need for users to put CSS classes?
#4
@
3 years ago
This limit is OK for normal users. But sometimes I may need to edit some comment and add more stuff, like, for example, an image or so. I think a comment should allow an administrator to edit it without any limit (in case, even locking out the original poster from editing it, as they lost the ownership).
As it is now, if I need to do something like that, I have to create a new comment myself and then copy and paste the text from the original one; then manually change the user and email fields (and the OP is locked out anyway from editing it).
What I need is that:
1) a normal comment’s ownership is automatically changed when an administrator edits it or
2) have a checkbox or so to assign the comment ownership to an administrator, in case of need.
I hope it’s clear what I mean. :)
#5
follow-up: ↓ 6
@
6 months ago
- Keywords needs-testing removed
Hi @locksoft, welcome to Trac.
I was able to confirm your report. To clarify the situation:
Non-admin users cannot post certain HTML in comments, such as the class attribute you mentioned. This is intentional. However, if an admin user edits the comment, and adds some of the HTML that would be stripped out for non-admin users, the HTML is still stripped out when the admin saves it.
This is due to the comment being passed through wp_update_comment(), which checks the comment's user ID instead of the current user ID editing the comment. Reference: https://github.com/WordPress/wordpress-develop/blob/94cab031c85eaf86e5e6975421359b0be3b994b7/src/wp-includes/comment.php#L2570-L2577
I can see the value in your argument for allowing admins to exercise their user capabilities on comments by other users, but I don't have a complete picture in my head of what other impacts that might have, or if there is sufficient interest in changing the current behavior for the core team to take this on. Requesting a second opinion.
#6
in reply to: ↑ 5
@
6 months ago
Replying to mindctrl:
I can see the value in your argument for allowing admins to exercise their user capabilities on comments by other users, but I don't have a complete picture in my head of what other impacts that might have, or if there is sufficient interest in changing the current behavior for the core team to take this on. Requesting a second opinion.
Thanks for your answer mindctrl, even if it comes after three years. :)
Being able to edit a comment from an administrator may be useful to correct errors inside them or format it better. Or to add an image if the original commenter wanted to insert one and it could be useful to explain something. Or just, for example, if someone tries to add a URL and he has to cut it in several parts so WP can't strip them out.
I also understand it's not safe to let the user edit it after, if extra tags are unlocked. My idea is, if admin edits it, the comment changes owner. Or else, the only thing an admin can do is delete the old message, create a new one and change the name and the email of the original poster. It's what I'm doing at the moment.
#7
follow-up: ↓ 8
@
6 months ago
- Keywords needs-patch added; 2nd-opinion removed
I think this makes sense, since it would be consistent with the behavior of the post editor. Namely, if a non-admin tries to edit a post and adds a <script> tag, for example, this will get stripped out as expected. If an admin edits that post, and then adds in a <script> and saves, it will be preserved. If the original non-admin author edits the post again, then the <script> will get stripped out.
The same behavior makes sense to me for comments.
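The behaviour confirmed in comment 5 and the post-editor-style behaviour proposed in comment 7, side by side, as an added Python model; it is not WordPress code and not part of the ticket. The allowlist, the users `alice` and `admin`, and the functions `restrict`, `save` and `edit_history` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed stand-in for the restricted comment allowlist (not WordPress's real list).
ALLOWED = {"a": {"href", "title"}, "em": set(), "strong": set(), "code": set()}
# Constructed users: name -> may post unfiltered HTML.
UNFILTERED = {"alice": False, "admin": True}

class _Restrict(HTMLParser):
    """Toy allowlist filter: drops unknown tags and attributes, keeps text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            safe_url = name != "href" or value.startswith(("http://", "https://"))
            if name in ALLOWED[tag] and safe_url:
                kept += f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def restrict(html):
    parser = _Restrict()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

def save(content, comment_author, editor, key_on="author"):
    """key_on='author' models comment 5's finding; 'editor' models comment 7's proposal."""
    who = comment_author if key_on == "author" else editor
    return content if UNFILTERED[who] else restrict(content)

def edit_history(key_on):
    """Three saves of one comment by alice: alice, then admin, then alice again."""
    v1 = save('See <a class="btn" href="https://example.com/">this</a>', "alice", "alice", key_on)
    v2 = save(v1 + ' <img src="https://example.com/p.png" alt="p">', "alice", "admin", key_on)
    v3 = save(v2 + " <em>more details</em>", "alice", "alice", key_on)
    return v1, v2, v3
```

With `key_on="author"` the admin's `<img>` never survives the second save; with `key_on="editor"` it survives that save and is stripped again when the original author saves the third revision.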
#8
in reply to: ↑ 7
@
6 months ago
Replying to westonruter:
I think this makes sense, since it would be consistent with the behavior of the post editor. Namely, if a non-admin tries to edit a post and adds a <script> tag, for example, this will get stripped out as expected. If an admin edits that post, and then adds in a <script> and saves, it will be preserved. If the original non-admin author edits the post again, then the <script> will get stripped out.
This.
One curiosity, is there any versioning for the comments? Example: user writes a comment, admin will improve it with HTML, op updates it to add more details (and all the tags are removed), the admin can go to the previous version, get it and upgrade the last one with the added info.
I have tested this with below HTML and it worked fine.
Can you please share steps to reproduce?