Commenters can break page validation via HTML comments

[schiller]

As per ​http://www.w3.org/TR/REC-xml/#sec-comments, XML does not like two dashes (--) in comments, nor does it like comments ending in --->. This should be fixed in kses

[schiller]

Patch for kses, prevents adjacent hyphens in a HTML/XML comment

[Viper007Bond]

wptexturize() converts a double dash into –, so no problems there.

[schiller]

Can you clarify this? When is wptexturize() called? Is this something that has changed since WP 2.3.3?

[Viper007Bond]

No, wptexturize() has been around since at least version 1.5. All comments and posts are run through it by default before being displayed.

Log out and make a comment like this on your blog:

This is a -- test comment over here --->

It will display at this valid XHTML:

This is a — test comment over here —>

Closing as worksforme.

[Viper007Bond]

Oh, and to answer your "When is wptexturize() called?" question, look at /wp-includes/default-filters.php. You'll find this line in it:

add_filter('comment_text', 'wptexturize');

[schiller]

Actually I had already confirmed this was indeed a problem - someone was logged out and made the following comment on my WP 2.3.3 blog:

Comment: <!-- foo -- bar -->

And it resulted in a Yellow Page of Death when rendered as XHTML. That's why I dug through and came up with this 2-line patch for kses.

Note that the comment stays hidden i.e. it actually stays a HTML comment it doesn't get escaped to be

Comment: &lt;!-- foo -- bar --&gt;

I do not have the "WordPress should correct invalidly nested XHTML automatically" checkbox checked (Options > Writing). Can you describe the settings on your blog that relate to translating markup?

[Viper007Bond]

Okay, well that's an entirely different issue. ;)

Confirmed that no-access users can post HTML comments, something that they shouldn't be able to do IMO. It's specifically allowed in the code though, so then I guess we should just make sure it doesn't break validation.

[schiller]

Ok, thanks - I should have clarified between the two different types of comments ;)

I did attach a patch for this bug - does it need to get reviewed or something? (Just curious about your addition of the 'needs-patch' keyword)

[Viper007Bond]

Replying to schiller:

I did attach a patch for this bug - does it need to get reviewed or something? (Just curious about your addition of the 'needs-patch' keyword)

Sorry, force of habit and I thought your patch merely removed all double dashes. It was in the wee hours of the morning and I didn't realize your patch was specifically targeted at HTML comments. My apologies.

Switched to the "has-patch" tag. :)

[azaozz]

(In [8382]) Prevent adjacent hyphens in a HTML/XML comment. Fixes #6642 for trunk. Props schiller.

[azaozz]

Re-open for 2.6.1

[azaozz]

(In [8383]) Prevent adjacent hyphens in a HTML/XML comment. Fixes #6642 for 2.6.1. Props schiller.

[codedread]

This appears broken again in WP 2.9.1 (though I did verify my fix appears in kses.php still). No idea why it's happening.

[nacin]

Since this ticket was marked as fixed for a shipped milestone, please open a new ticket and reference this one.