Comments: Apply kses when editing comments.
Props davidbaumwald, xknown, peterwilsoncc, paulkevan. git-svn-id: https://develop.svn.wordpress.org/trunk@54527 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
2ca28e49fc
commit
89c8f79194
@ -2499,6 +2499,15 @@ function wp_update_comment( $commentarr, $wp_error = false ) {
|
||||
}
|
||||
}
|
||||
|
||||
$filter_comment = false;
|
||||
if ( ! has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) {
|
||||
$filter_comment = ! user_can( isset( $comment['user_id'] ) ? $comment['user_id'] : 0, 'unfiltered_html' );
|
||||
}
|
||||
|
||||
if ( $filter_comment ) {
|
||||
add_filter( 'pre_comment_content', 'wp_filter_kses' );
|
||||
}
|
||||
|
||||
// Escape data pulled from DB.
|
||||
$comment = wp_slash( $comment );
|
||||
|
||||
@ -2509,6 +2518,10 @@ function wp_update_comment( $commentarr, $wp_error = false ) {
|
||||
|
||||
$commentarr = wp_filter_comment( $commentarr );
|
||||
|
||||
if ( $filter_comment ) {
|
||||
remove_filter( 'pre_comment_content', 'wp_filter_kses' );
|
||||
}
|
||||
|
||||
// Now extract the merged array.
|
||||
$data = wp_unslash( $commentarr );
|
||||
|
||||
|
||||
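Review bot: The capability check on the `$filter_comment = ! user_can( ... )` line keys kses on the comment's stored author (`$comment['user_id']`), not on the user performing the edit, and nothing in the hunk says why, so a reader will assume the editor's capability is what should matter. I would add above it `// Decide on the stored author's capability, not the editing user's, so an edit cannot carry unfiltered HTML into a comment whose author lacks unfiltered_html.` — the accompanying tests confirm this is the intended rule, though the rationale itself is inferred. The add_filter/remove_filter pair is only balanced because the `has_filter` guard ensures this code is the one that added the hook; a comment on the `remove_filter` line such as `// Only remove the hook this function added above.` would keep a later edit from dropping the guard. Note that `has_filter` is checked against the `wp_filter_kses` callback specifically, so a site that already hooks an equivalent kses callback under another name will get kses applied twice, which is harmless but worth a mention. wp_update_comment's body starts and ends outside these hunks.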
@ -81,6 +81,90 @@ class Tests_Comment extends WP_UnitTestCase {
|
||||
$this->assertEquals( $post2->ID, $comment->comment_post_ID );
|
||||
}
|
||||
|
||||
public function test_update_comment_from_privileged_user_by_privileged_user() {
|
||||
$admin_id_1 = self::factory()->user->create( array( 'role' => 'administrator' ) );
|
||||
wp_set_current_user( $admin_id_1 );
|
||||
|
||||
$comment_id = wp_new_comment(
|
||||
array(
|
||||
'comment_post_ID' => self::$post_id,
|
||||
'comment_author' => 'Author',
|
||||
'comment_author_url' => 'http://example.localhost/',
|
||||
'comment_author_email' => 'test@test.com',
|
||||
'user_id' => $admin_id_1,
|
||||
'comment_content' => 'This is a comment',
|
||||
)
|
||||
);
|
||||
|
||||
wp_set_current_user( 0 );
|
||||
|
||||
$admin_id_2 = self::factory()->user->create(
|
||||
array(
|
||||
'role' => 'administrator',
|
||||
'user_login' => 'test_wp_admin_get',
|
||||
'user_pass' => 'password',
|
||||
'user_email' => 'testadmin@test.com',
|
||||
)
|
||||
);
|
||||
|
||||
wp_set_current_user( $admin_id_2 );
|
||||
|
||||
wp_update_comment(
|
||||
array(
|
||||
'comment_ID' => $comment_id,
|
||||
'comment_content' => 'new comment <img onerror=demo src=x>',
|
||||
)
|
||||
);
|
||||
|
||||
$comment = get_comment( $comment_id );
|
||||
$expected_content = is_multisite()
|
||||
? 'new comment '
|
||||
: 'new comment <img onerror=demo src=x>';
|
||||
|
||||
$this->assertSame( $expected_content, $comment->comment_content );
|
||||
|
||||
wp_set_current_user( 0 );
|
||||
}
|
||||
|
||||
public function test_update_comment_from_unprivileged_user_by_privileged_user() {
|
||||
wp_set_current_user( self::$user_id );
|
||||
|
||||
$comment_id = wp_new_comment(
|
||||
array(
|
||||
'comment_post_ID' => self::$post_id,
|
||||
'comment_author' => 'Author',
|
||||
'comment_author_url' => 'http://example.localhost/',
|
||||
'comment_author_email' => 'test@test.com',
|
||||
'user_id' => self::$user_id,
|
||||
'comment_content' => '<a href="http://example.localhost/something.html">click</a>',
|
||||
)
|
||||
);
|
||||
|
||||
wp_set_current_user( 0 );
|
||||
|
||||
$admin_id = self::factory()->user->create(
|
||||
array(
|
||||
'role' => 'administrator',
|
||||
'user_login' => 'test_wp_admin_get',
|
||||
'user_pass' => 'password',
|
||||
'user_email' => 'testadmin@test.com',
|
||||
)
|
||||
);
|
||||
|
||||
wp_set_current_user( $admin_id );
|
||||
|
||||
wp_update_comment(
|
||||
array(
|
||||
'comment_ID' => $comment_id,
|
||||
'comment_content' => '<a href="http://example.localhost/something.html" disallowed=attribute>click</a>',
|
||||
)
|
||||
);
|
||||
|
||||
$comment = get_comment( $comment_id );
|
||||
$this->assertEquals( '<a href="http://example.localhost/something.html" rel="nofollow ugc">click</a>', $comment->comment_content, 'Comment: ' . $comment->comment_content );
|
||||
wp_set_current_user( 0 );
|
||||
}
|
||||
|
||||
/**
|
||||
* @ticket 30627
|
||||
*
|
||||
|
||||
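Review bot: The final assertion in `test_update_comment_from_unprivileged_user_by_privileged_user` uses `assertEquals` on a string while the sibling test above uses `assertSame`; loose comparison is the wrong tool for a test whose purpose is to pin exact kses output. Change it to `$this->assertSame( '<a href="http://example.localhost/something.html" rel="nofollow ugc">click</a>', $comment->comment_content, 'Comment: ' . $comment->comment_content );`. Neither new test carries a docblock; each should get one stating that the filtering decision follows the comment author's capability rather than the editing user's, plus `@covers ::wp_update_comment`, so that the multisite branch in the first test (`'new comment '`, presumably because administrators there lack unfiltered_html unless they are super admins) reads as intended rather than accidental. Both tests also create a second administrator with the identical hard-coded `user_login` and `user_email`, which presumably only works because each test runs in its own rolled-back transaction; letting the factory generate those values would be less brittle.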
@ -2972,6 +2972,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
'content' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
|
||||
'author_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
|
||||
'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
|
||||
'author' => self::$editor_id,
|
||||
),
|
||||
array(
|
||||
'content' => array(
|
||||
@ -2980,6 +2981,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
),
|
||||
'author_name' => 'div strong',
|
||||
'author_user_agent' => 'div strong',
|
||||
'author' => self::$editor_id,
|
||||
)
|
||||
);
|
||||
} else {
|
||||
@ -2989,6 +2991,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
'content' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
|
||||
'author_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
|
||||
'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
|
||||
'author' => self::$editor_id,
|
||||
),
|
||||
array(
|
||||
'content' => array(
|
||||
@ -2997,6 +3000,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
),
|
||||
'author_name' => 'div strong',
|
||||
'author_user_agent' => 'div strong',
|
||||
'author' => self::$editor_id,
|
||||
)
|
||||
);
|
||||
}
|
||||
@ -3011,6 +3015,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
'content' => '\\\&\\\ & &invalid; < < &lt;',
|
||||
'author_name' => '\\\&\\\ & &invalid; < < &lt;',
|
||||
'author_user_agent' => '\\\&\\\ & &invalid; < < &lt;',
|
||||
'author' => self::$superadmin_id,
|
||||
),
|
||||
array(
|
||||
'content' => array(
|
||||
@ -3019,6 +3024,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
),
|
||||
'author_name' => '\\\&\\\ & &invalid; < < &lt;',
|
||||
'author_user_agent' => '\\\&\\\ & &invalid; < < &lt;',
|
||||
'author' => self::$superadmin_id,
|
||||
)
|
||||
);
|
||||
}
|
||||
@ -3032,6 +3038,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
'content' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
|
||||
'author_name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
|
||||
'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
|
||||
'author' => self::$superadmin_id,
|
||||
),
|
||||
array(
|
||||
'content' => array(
|
||||
@ -3040,6 +3047,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
||||
),
|
||||
'author_name' => 'div strong',
|
||||
'author_user_agent' => 'div strong',
|
||||
'author' => self::$superadmin_id,
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||