[wp-trac] [WordPress Trac] #9934: Apostrophe in comment author causes comment to be spammed - esc_html
WordPress Trac
wp-trac at lists.automattic.com
Mon May 25 01:15:54 GMT 2009
#9934: Apostrophe in comment author causes comment to be spammed - esc_html
--------------------------+-------------------------------------------------
Reporter: tellyworth | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: Unassigned
Component: Comments | Version:
Severity: major | Keywords:
--------------------------+-------------------------------------------------
Since [11380] - which added esc_html filtering to many items - comments
containing an apostrophe (and possibly other characters) in the author
name field are flagged as spam by WordPress.
The root cause is that esc_html() uses decimal entity encoding, so
{{{O'Connor}}} becomes {{{O&#039;Connor}}}. But wp_blacklist_check()
regards any comment containing a decimal entity as spam (and worse, does
so silently and without any way for the blog administrator to stop it).
Possible solutions:
1. esc_html() should use hex entity encoding, not decimal
2. comment_author_name shouldn't use esc_html()
3. wp_blacklist_check() shouldn't spam comments containing decimal
entities
All three are trivial fixes so I haven't included a patch. I'd favour (1)
if only because it eliminates the regression and reverts to the old
behaviour.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9934>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
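The interaction the ticket describes, reproduced as an added Python example (this is not WordPress code and not the reporter's): a minimal HTML escaper that encodes the apostrophe as the decimal entity `&#039;`, the same escaper switched to the hex entity `&#x27;` (the reporter's solution 1), and a stand-in for the blacklist heuristic that flags any decimal character reference. The regex used for that heuristic is a constructed approximation of the behaviour the ticket attributes to wp_blacklist_check(), not its actual implementation; the check also returns the reason it fired, which is the visibility the ticket says administrators currently lack.

```python
import html
import re

# Constructed model of the spam heuristic described in the ticket: any
# decimal numeric character reference (&#NNN;) marks the comment as spam.
# This is an assumption about wp_blacklist_check(), not its real code.
DECIMAL_ENTITY_RE = re.compile(r"&#\d+;")


def _escape_common(text: str) -> str:
    """Escape &, <, > and " in that order so '&' is never double-encoded."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def esc_html_decimal(text: str) -> str:
    """Escaper encoding the apostrophe as the decimal entity &#039;,
    the behaviour the ticket attributes to esc_html() after [11380]."""
    return _escape_common(text).replace("'", "&#039;")


def esc_html_hex(text: str) -> str:
    """Same escaper with the apostrophe as the hex entity &#x27;
    (solution 1 in the ticket): semantically identical HTML output."""
    return _escape_common(text).replace("'", "&#x27;")


def blacklist_check(author: str, content: str) -> dict:
    """Return {'spam': bool, 'reason': str} for a comment.

    Unlike the silent behaviour the ticket complains about, the reason the
    heuristic fired is returned so it can be logged or shown to an admin.
    """
    for field_name, value in (("author", author), ("content", content)):
        match = DECIMAL_ENTITY_RE.search(value)
        if match:
            return {
                "spam": True,
                "reason": f"decimal entity {match.group(0)} in {field_name}",
            }
    return {"spam": False, "reason": ""}


def moderate(author: str, content: str, escaper) -> dict:
    """Escape the author field with the given escaper, then run the check,
    mirroring the order in which the regression occurs."""
    escaped_author = escaper(author)
    result = blacklist_check(escaped_author, content)
    result["escaped_author"] = escaped_author
    # Both encodings must decode to the original name; the difference is
    # only in how the blacklist heuristic treats them.
    result["round_trips"] = html.unescape(escaped_author) == author
    return result


if __name__ == "__main__":
    # Constructed sample comment from the ticket's example author name.
    for name, escaper in (("decimal", esc_html_decimal), ("hex", esc_html_hex)):
        verdict = moderate("O'Connor", "Nice post, thanks.", escaper)
        print(f"{name:8s} {verdict['escaped_author']:18s} "
              f"spam={verdict['spam']} {verdict['reason']}")
```

Running it shows the decimal form `O&#039;Connor` tripping the heuristic while the hex form `O&#x27;Connor` passes, even though both decode back to `O'Connor`; that is why solution 1 removes the regression without touching the blacklist logic.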