Opened 6 months ago
Last modified 10 days ago
#57979 new defect (bug)
Can't upload images to WordPress Comments
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 6.4 | Priority: | normal |
| Severity: | normal | Version: | 6.0.3 |
| Component: | Comments | Keywords: | has-patch 2nd-opinion dev-feedback needs-testing |
| Focuses: | administration | Cc: | |
Description
As the admin, I am unable to upload images from my image library to a WordPress comment posted by a user. Please Note: I can upload images to my own comments, but not a user-generated comment. On the admin page, I edit a user comment, click IMG button, add the image URL, and the correct code is added to the comment. When I click UPDATE, the image code disappears. Please note that all existing images in Comments display properly. This is a new problem. Theme is Genesis Magazine Pro. I tried: deactivating all plugins, multiple browsers, multiple operating systems (PC and Mac), and multiple computers. Also contacted my web host, WP-Engine, who has had other reports of this problem and believes it is a WordPress issue. Site is buildingadvisor.com. Thank you!
Attachments (3)
Change History (17)
#2
@
6 months ago
Thanks. So does that make this a feature or a bug that should be fixed? In the meantime, can you suggest a workaround so the admin can add images to user-posted Comments? Many thanks, Steve
This ticket was mentioned in PR #4265 on WordPress/wordpress-develop by @khokansardar.
6 months ago
#3
- Keywords has-patch added
Trac ticket: 57979
#4
@
6 months ago
@azaozz I have added a patch by adding `current_user_can( 'unfiltered_html' )`. Please have a look.
#5
follow-up:
↓ 6
@
6 months ago
Hello and many thanks for the patches. I have tried adding the patch in 57979.diff and also the latest patch as "Additional CSS" in the WordPress theme customizer. However, it did not solve the problem. Still unable to load images to Comments posted by users. Any other suggestions? Should the patch be added to functions.php instead? Sorry, but I am not a programmer...
#6
in reply to:
↑ 5
@
6 months ago
Replying to sbb:
> Hello and many thanks for the patches. I have tried adding the patch in 57979.diff and also the latest patch as "Additional CSS" in the WordPress theme customizer. However, it did not solve the problem. Still unable to load images to Comments posted by users. Any other suggestions? Should the patch be added to functions.php instead? Sorry, but I am not a programmer...
This is not the process to apply the patches. All these are core tickets, so you have to apply the respective patch to the respective files. For this one you have to change the line of this file path - /wp-includes/comment.php src/wp-includes/comment.php as mentioned in the .diff file of this ticket, and then you can do the check.
#7
@
5 months ago
Test Report
This report validates that the indicated patch addresses the issue.
Patch tested: https://core.trac.wordpress.org/attachment/ticket/57979/57979.diff
Environment
- OS: macOS 13.2.1
- Web Server: Nginx
- PHP: 7.4.27
- WordPress: 6.3-alpha-55505-src
- Browser: Chrome 112.0.5615.137
- Theme: twentytwentythree
- Active Plugins:
Actual Results
- ✅ Issue resolved with patch. An administrator can upload an image in another user's comment.
#8
@
5 months ago
- Keywords 2nd-opinion added
Not sure if that's the best patch here. This was a security fix, need to make sure the initial bug is not reintroduced.
#9
@
3 months ago
- Milestone changed from 6.3 to 6.4
Because there are doubts about security and the ticket has had no activity in 2 months, I am moving this into the 6.4 milestone.
This ticket was mentioned in Slack in #core by oglekler.
5 weeks ago
#11
@
5 weeks ago
- Keywords dev-feedback added
This ticket was discussed during a bug scrub, and it looks like the patch is solving the issue, but this restriction with checking user ID with commenter user ID was also there for a reason, so, let's have dev feedback about this.
Add props to @mukesh27
#12
@
5 weeks ago
- Keywords changes-requested added
Hello and thanks for the patch.
The proposed patch probably reintroduces the security issue fixed in [54527]. It would be better to add a conditional to check whether the user is an admin or not.
#13
@
4 weeks ago
- Keywords needs-testing added; changes-requested removed
@audrasjb I have updated the patch here - 57979.1.diff please check.
#14
@
10 days ago
Test Report
Tested the latest patch 57979.1.diff and it solves the issue. When I first tried, I could not add any image in user comments. After applying the patch, I added the image in the user's comment.
Patch tested: https://core.trac.wordpress.org/attachment/ticket/57979/57979.1.diff
Environment
OS: Windows 10
Web Server: nginx/1.25.2
PHP: 7.4.33
WordPress: 6.4-alpha-56267-src
Browser: Google Chrome
Theme: Twenty-Twenty-Three
Actual Results
- ✅ Issue resolved with patch.
@sbb Welcome to Trac and thanks for the bug report.
Seems this is a regression introduced in [54527]. Comments edited by users with `unfiltered_html` (admins or editors) should not be run through KSES.
Looking at the changeset, it checks if the comment author has `unfiltered_html`, but doesn't check cases where an admin may be editing the comment. This prevents admins and editors from using their capabilities there.
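The author-versus-editor check discussed in this ticket, modelled as an added example (not WordPress core code and not either attached patch). It is plain PHP with hypothetical names (`model_kses`, `filter_by_author`, `filter_by_editor`, `model_update_comment`), constructed users and a constructed comment, and it lists for each author/editor pair whether an `<img>` tag survives an edit.

```php
<?php
// Stand-alone model: WordPress is not loaded and every name here is hypothetical.
// Constructed users: name => holds the unfiltered_html capability.
const HAS_UNFILTERED_HTML = ['admin' => true, 'subscriber' => false];

// Crude stand-in for KSES: a small tag allowlist that excludes <img>.
function model_kses(string $html): string
{
    return strip_tags($html, '<a><em><strong>');
}

// Check as described in the ticket for [54527]: only the comment author counts.
function filter_by_author(string $author, string $editor): bool
{
    return !HAS_UNFILTERED_HTML[$author];
}

// Alternative that looks only at the user performing the edit.
function filter_by_editor(string $author, string $editor): bool
{
    return !HAS_UNFILTERED_HTML[$editor];
}

// Store an edited comment, filtering it when the chosen policy says so.
function model_update_comment(callable $policy, string $author, string $editor, string $content): string
{
    return $policy($author, $editor) ? model_kses($content) : $content;
}

// For every author/editor pair, record whether <img> survives under each policy.
function img_survival_matrix(): array
{
    $content = 'Photo: <img src="https://example.com/deck.jpg" alt="deck">'; // constructed
    $rows = [];
    foreach (array_keys(HAS_UNFILTERED_HTML) as $author) {
        foreach (array_keys(HAS_UNFILTERED_HTML) as $editor) {
            $row = ['author' => $author, 'editor' => $editor];
            foreach (['filter_by_author', 'filter_by_editor'] as $policy) {
                $stored = model_update_comment($policy, $author, $editor, $content);
                $row[$policy] = strpos($stored, '<img') !== false ? 'kept' : 'stripped';
            }
            $rows[] = $row;
        }
    }
    return $rows;
}

foreach (img_survival_matrix() as $r) {
    printf("author=%-10s editor=%-10s author-only: %-8s editor-only: %s\n", $r['author'], $r['editor'], $r['filter_by_author'], $r['filter_by_editor']);
}
```

The subscriber-author, admin-editor row is the case reported in this ticket; the admin-author, subscriber-editor row is where the two checks disagree in the other direction, so a regression test for any patch should cover both.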