[wp-trac] [WordPress Trac] #28323: Incorrect HTML tag filtering in get_comments function.
WordPress Trac
noreply at wordpress.org
Wed May 21 10:32:50 UTC 2014
#28323: Incorrect HTML tag filtering in get_comments function.
--------------------------+-----------------------------
 Reporter:  Rextc         |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Comments      |    Version:  3.9.1
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
When a guest or normal user posts a comment ending with open HTML tags,
they are not properly closed if comments are shown using the
get_comments() function. This does not occur when using the
wp_list_comments() function.
Example:
Using get_comments(), the following <a> is not properly closed:
{{{
This is a great article.<a href="url to malicious site"><del>
}}}
This causes all the elements below that comment to become a link to the
malicious site. The code being used to show these comments is outlined
below.
{{{
<div id="comments">
<?php
// Fetch the post's comments directly, bypassing wp_list_comments().
$comments = get_comments( array(
    'post_id' => get_the_ID(),
    'order'   => 'ASC',
) );
foreach ( $comments as $comment ) :
?>
    <!-- comment_content is echoed raw, so unclosed tags stay unclosed -->
    <div class="comment"><?php echo $comment->comment_content; ?></div>
<?php endforeach; ?>
</div>
}}}
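Added example, not part of the ticket or of WordPress core: the same loop with the raw echo replaced by comment_text(), which runs the stored content through the 'comment_text' filter chain that wp_list_comments() also uses (core hooks force_balance_tags() onto that filter in wp-includes/default-filters.php, which is what closes the dangling <a> and <del>). It assumes it runs inside a theme template within The Loop, with WordPress loaded.

```php
<?php
// Assumed context: a theme template, inside The Loop, WordPress loaded.
$comments = get_comments( array(
    'post_id' => get_the_ID(),
    'status'  => 'approve', // only render approved comments
    'order'   => 'ASC',
) );
?>
<div id="comments">
<?php foreach ( $comments as $comment ) : ?>
    <div class="comment">
    <?php
    // Vulnerable (the ticket's version): the stored content is printed as-is.
    // A comment ending in '<a href="..."><del>' leaves both tags open, so every
    // element rendered after it ends up inside that link.
    //
    //     echo $comment->comment_content;

    // Fixed: comment_text() applies the 'comment_text' filters, including
    // force_balance_tags(), so the trailing <a> and <del> are closed before
    // the markup reaches the browser. Passing the ID works on 3.9 as well
    // as on later releases.
    comment_text( $comment->comment_ID );
    ?>
    </div>
<?php endforeach; ?>
</div>
```

If a template must print $comment->comment_content directly (for example to apply its own markup), wrapping it in force_balance_tags() gives the same tag balancing without the rest of the filter chain.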
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28323>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform