diff --git a/src/wp-includes/comment.php b/src/wp-includes/comment.php
index bf4f430e41..b5be18ed7a 100644
--- a/src/wp-includes/comment.php
+++ b/src/wp-includes/comment.php
@@ -2499,6 +2499,15 @@ function wp_update_comment( $commentarr, $wp_error = false ) {
 }
 }
+ $filter_comment = false;
+ if ( ! has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) {
+ $filter_comment = ! user_can( isset( $comment['user_id'] ) ? $comment['user_id'] : 0, 'unfiltered_html' );
+ }
+
+ if ( $filter_comment ) {
+ add_filter( 'pre_comment_content', 'wp_filter_kses' );
+ }
+
 // Escape data pulled from DB.
 $comment = wp_slash( $comment );
@@ -2509,6 +2518,10 @@ function wp_update_comment( $commentarr, $wp_error = false ) {
 $commentarr = wp_filter_comment( $commentarr );
+ if ( $filter_comment ) {
+ remove_filter( 'pre_comment_content', 'wp_filter_kses' );
+ }
+
 // Now extract the merged array.
 $data = wp_unslash( $commentarr );
diff --git a/tests/phpunit/tests/comment.php b/tests/phpunit/tests/comment.php
index 9d63171abe..e75d2fd499 100644
--- a/tests/phpunit/tests/comment.php
+++ b/tests/phpunit/tests/comment.php
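Review bot: The `unfiltered_html` decision on the new `$filter_comment = ! user_can( ... )` line is taken against the stored comment's author (`$comment['user_id']`, which the following context line describes as data pulled from the DB), not against the user performing the update, so an acting user without `unfiltered_html` who is allowed to edit a privileged author's comment still gets their content stored with kses skipped, and any `user_id` carried in `$commentarr` appears not to influence the decision at all. A more conservative rule filters unless both parties hold the capability: `$author_id = isset( $comment['user_id'] ) ? (int) $comment['user_id'] : 0;` followed by `$filter_comment = ! user_can( $author_id, 'unfiltered_html' ) || ! current_user_can( 'unfiltered_html' );` — with the caveat that updates made with no current user (cron, CLI) would then always be filtered, so confirm that matches the intent before changing it. Separately, `has_filter()` returns the hook's priority, so a `wp_filter_kses` registered at priority 0 reads as absent here and gets registered a second time; `false === has_filter( 'pre_comment_content', 'wp_filter_kses' )` avoids that (harmless, but untidy). `wp_update_comment()` begins before this hunk, and the matching `remove_filter()` sits in the next hunk.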
@@ -81,6 +81,90 @@ class Tests_Comment extends WP_UnitTestCase {
 $this->assertEquals( $post2->ID, $comment->comment_post_ID );
 }
+ public function test_update_comment_from_privileged_user_by_privileged_user() {
+ $admin_id_1 = self::factory()->user->create( array( 'role' => 'administrator' ) );
+ wp_set_current_user( $admin_id_1 );
+
+ $comment_id = wp_new_comment(
+ array(
+ 'comment_post_ID' => self::$post_id,
+ 'comment_author' => 'Author',
+ 'comment_author_url' => 'http://example.localhost/',
+ 'comment_author_email' => 'test@test.com',
+ 'user_id' => $admin_id_1,
+ 'comment_content' => 'This is a comment',
+ )
+ );
+
+ wp_set_current_user( 0 );
+
+ $admin_id_2 = self::factory()->user->create(
+ array(
+ 'role' => 'administrator',
+ 'user_login' => 'test_wp_admin_get',
+ 'user_pass' => 'password',
+ 'user_email' => 'testadmin@test.com',
+ )
+ );
+
+ wp_set_current_user( $admin_id_2 );
+
+ wp_update_comment(
+ array(
+ 'comment_ID' => $comment_id,
+ 'comment_content' => 'new comment ',
+ )
+ );
+
+ $comment = get_comment( $comment_id );
+ $expected_content = is_multisite()
+ ? 'new comment '
+ : 'new comment ';
+
+ $this->assertSame( $expected_content, $comment->comment_content );
+
+ wp_set_current_user( 0 );
+ }
+
+ public function test_update_comment_from_unprivileged_user_by_privileged_user() {
+ wp_set_current_user( self::$user_id );
+
+ $comment_id = wp_new_comment(
+ array(
+ 'comment_post_ID' => self::$post_id,
+ 'comment_author' => 'Author',
+ 'comment_author_url' => 'http://example.localhost/',
+ 'comment_author_email' => 'test@test.com',
+ 'user_id' => self::$user_id,
+ 'comment_content' => 'click',
+ )
+ );
+
+ wp_set_current_user( 0 );
+
+ $admin_id = self::factory()->user->create(
+ array(
+ 'role' => 'administrator',
+ 'user_login' => 'test_wp_admin_get',
+ 'user_pass' => 'password',
+ 'user_email' => 'testadmin@test.com',
+ )
+ );
+
+ wp_set_current_user( $admin_id );
+
+ wp_update_comment(
+ array(
+ 'comment_ID' => $comment_id,
+ 'comment_content' => 'click',
+ )
+ );
+
+ $comment = get_comment( $comment_id );
+ $this->assertEquals( 'click', $comment->comment_content, 'Comment: ' . $comment->comment_content );
+ wp_set_current_user( 0 );
+ }
+
 /**
 * @ticket 30627
 *
diff --git a/tests/phpunit/tests/rest-api/rest-comments-controller.php b/tests/phpunit/tests/rest-api/rest-comments-controller.php
index eb66ee5d41..ef9aec3809 100644
--- a/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -2972,6 +2972,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 'content' => '
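Review bot: Neither new test method carries a docblock, while the neighbouring tests in this file are annotated (the `@ticket 30627` block is visible right after the insertion point); each should at least state what it pins, e.g. `/** Ensures wp_update_comment() leaves content from an author holding unfiltered_html untouched and runs kses when the stored author lacks it. */`. The `is_multisite()` branch that selects `$expected_content` deserves a one-line comment explaining why administrators get the filtered result there — presumably because `unfiltered_html` is reserved to super admins on multisite, which should be confirmed before wording it. The second test asserts with `assertEquals` while the first uses `assertSame`; prefer `assertSame( 'click', $comment->comment_content, ... )` in both so the string comparison is strict. Both test bodies lie entirely within this hunk.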
div
strong ', 'author_name' => '
div
strong ', 'author_user_agent' => '
div
strong ',
+ 'author' => self::$editor_id,
 ),
 array(
 'content' => array(
@@ -2980,6 +2981,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 ),
 'author_name' => 'div strong',
 'author_user_agent' => 'div strong',
+ 'author' => self::$editor_id,
 )
 );
 } else {
@@ -2989,6 +2991,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 'content' => '
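Review bot: The added `'author' => self::$editor_id` entry in the round-trip input has no explanation, and its purpose is not obvious from the test data alone: it pins the comment's stored `user_id`, which is what `wp_update_comment()` now consults (via `user_can( $comment['user_id'], 'unfiltered_html' )`) when deciding whether `wp_filter_kses` runs, and whether the editor variant ends up filtered depends on site type, which this hunk does not show. A one-line comment above the added line, `// The stored author decides whether kses runs on update; pin it so the expectation is deterministic.`, would keep a later reader from removing it as redundant. The round-trip helper call starts before this hunk and its expected-value half ends after it.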
div
strong ', 'author_name' => '
div
strong ', 'author_user_agent' => '
div
strong ',
+ 'author' => self::$editor_id,
 ),
 array(
 'content' => array(
@@ -2997,6 +3000,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 ),
 'author_name' => 'div strong',
 'author_user_agent' => 'div strong',
+ 'author' => self::$editor_id,
 )
 );
 }
@@ -3011,6 +3015,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 'content' => '\\\&\\\ & &invalid; < < &lt;',
 'author_name' => '\\\&\\\ & &invalid; < < &lt;',
 'author_user_agent' => '\\\&\\\ & &invalid; < < &lt;',
+ 'author' => self::$superadmin_id,
 ),
 array(
 'content' => array(
@@ -3019,6 +3024,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 ),
 'author_name' => '\\\&\\\ & &invalid; < < &lt;',
 'author_user_agent' => '\\\&\\\ & &invalid; < < &lt;',
+ 'author' => self::$superadmin_id,
 )
 );
 }
@@ -3032,6 +3038,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 'content' => '
div
strong ', 'author_name' => '
div
strong ', 'author_user_agent' => '
div
strong ',
+ 'author' => self::$superadmin_id,
 ),
 array(
 'content' => array(
@@ -3040,6 +3047,7 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
 ),
 'author_name' => 'div strong',
 'author_user_agent' => 'div strong',
+ 'author' => self::$superadmin_id,
 )
 );
 }