[wp-trac] [WordPress Trac] #49869: Apply comment field filters to backend

WordPress Trac noreply at wordpress.org
Fri Dec 9 04:22:52 UTC 2022


#49869: Apply comment field filters to backend
--------------------------+------------------------------
 Reporter:  ttodua        |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Comments      |     Version:
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+------------------------------

Comment (by bonjour52):

 Hello,

 I've checked the top Internet search results for removing the comment
 author URL, as well as the top WordPress plugins for achieving the same
 goal. They **all** rely exclusively on the `comment_form_default_fields`
 filter, which, as you argued correctly, is bypassed and mocked by bots.
 Instead of using comment fields, bots actually use POST request fields to
 action `wp-comments-post.php`: they couldn't care less which comment
 fields are hidden, and which ones are shown.

 Now, after browsing WordPress' code, I stumbled on filter
 `preprocess_comment`:

 **"Filters a comment’s data before it is sanitized and inserted into the
 database."**
 [https://developer.wordpress.org/reference/hooks/preprocess_comment/]

 This was a revelation, honestly! I think that, as long as people realize
 that `preprocess_comment` is available, it is a perfectly robust solution.
 It's just that the top references on the Internet seem to either ignore
 the existence of `preprocess_comment` or are very naive about what
 `comment_form_default_fields` does.

 Anyway, I ended up writing the following code snippet for my site, which
 blocks comments with non-empty author URL (since I wrote it for myself, it
 is in French):

 {{{#!php
 <?php
 // Runs before the comment is sanitized and inserted; receives the
 // $commentdata array that wp-comments-post.php builds from the POST.
 function verifier_commentaire( $donnees_commentaire ) {
         // Block any submission carrying a non-empty author URL.
         if ( ! empty( $donnees_commentaire['comment_author_url'] ) ) {
                 wp_die( '<strong>ERREUR</strong> : Le message d’erreur.', 'Le titre', array( 'response' => 403 ) );
         }
         return $donnees_commentaire;
 }
 add_filter( 'preprocess_comment', 'verifier_commentaire' );
 }}}


 Finally, here is a debug test code I used for posting a comment from a
 bot's perspective. Test first by including the `'url'=>…` line, and then
 by removing it.

 {{{#!php
 <?php
 // Posts directly to wp-comments-post.php, bypassing the rendered form.
 $app = curl_init();
 curl_setopt( $app, CURLOPT_URL, "https://www.test.com/wp-comments-post.php" );
 curl_setopt( $app, CURLOPT_POST, 1 );
 curl_setopt( $app, CURLOPT_RETURNTRANSFER, 1 );
 curl_setopt( $app, CURLOPT_FOLLOWLOCATION, 1 );
 // Disables TLS certificate verification: only acceptable against a local test site.
 curl_setopt( $app, CURLOPT_SSL_VERIFYPEER, 0 );
 $donnees = array(
     'comment_post_ID' => 14259,
     'author'          => 'Nom d’auteur',
     'email'           => 'adresse@auteur.com',
     'url'             => 'https://www.auteur.net', // remove this line for the second test
     'comment'         => 'Texte du commentaire',
     'submit'          => 'Envoyer'
 );
 curl_setopt( $app, CURLOPT_POSTFIELDS, $donnees );
 $resultat = curl_exec( $app );
 curl_close( $app );
 echo "RÉSULTAT : " . $resultat;
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49869#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
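The ticket's point, enforcing the same field rule on the back end that the form filter only hides on the front end, in one place. This is an added example, not code from the ticket or from WordPress core; the `MYSITE_` prefix, the `mysite` text domain, and the decision to exempt users who can moderate comments are assumptions.

```php
<?php
// Added example (not from the ticket or WordPress core). Assumed: a site
// that hides the author URL field and wants the same rule enforced on the
// server, since bots POST straight to wp-comments-post.php.

// Single source of truth: form field key => key in the $commentdata array
// that wp-comments-post.php builds and hands to 'preprocess_comment'.
const MYSITE_DISABLED_COMMENT_FIELDS = array(
    'url' => 'comment_author_url',
);

// Front end: drop the fields from the rendered form. Cosmetic only.
function mysite_remove_comment_fields( $fields ) {
    foreach ( array_keys( MYSITE_DISABLED_COMMENT_FIELDS ) as $key ) {
        unset( $fields[ $key ] );
    }
    return $fields;
}
add_filter( 'comment_form_default_fields', 'mysite_remove_comment_fields' );

// Back end: reject any submission that still carries a disabled field.
function mysite_enforce_disabled_fields( $commentdata ) {
    // Pingbacks and trackbacks legitimately carry a source URL; only
    // visitor comments (type '' on older cores, 'comment' on 5.5+) apply.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( '' !== $type && 'comment' !== $type ) {
        return $commentdata;
    }
    // Logged-in users get their profile URL copied into the comment data;
    // do not lock moderators out of replying from wp-admin (assumption).
    if ( current_user_can( 'moderate_comments' ) ) {
        return $commentdata;
    }
    foreach ( MYSITE_DISABLED_COMMENT_FIELDS as $data_key ) {
        if ( ! empty( $commentdata[ $data_key ] ) ) {
            // Same approach as the ticket: stop the request with a 403.
            wp_die(
                '<strong>' . esc_html__( 'ERROR', 'mysite' ) . '</strong>: '
                . esc_html__( 'This field is not accepted.', 'mysite' ),
                esc_html__( 'Comment rejected', 'mysite' ),
                array( 'response' => 403, 'back_link' => true )
            );
        }
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'mysite_enforce_disabled_fields' );
```

Adding a second entry to the array (for example `'email' => 'comment_author_email'`) extends both the form and the server-side check at once, though removing the email field also requires turning off "require name and email" in Discussion settings.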