[wp-trac] [WordPress Trac] #38477: Missing validation while posting comment via REST API

WordPress Trac noreply at wordpress.org
Wed Oct 26 04:06:53 UTC 2016


#38477: Missing validation while posting comment via REST API
-------------------------------------+--------------------
 Reporter:  mangeshp                 |       Owner:
     Type:  defect (bug)             |      Status:  new
 Priority:  normal                   |   Milestone:  4.7
Component:  REST API                 |     Version:  trunk
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-refresh  |     Focuses:
-------------------------------------+--------------------
Changes (by rachelbaker):

 * keywords:  has-patch => has-patch needs-refresh


Comment:

 @mangeshp Thank you for the patches.

 `a@b.c` is a valid email according to the
 [https://tools.ietf.org/html/rfc2822 RFC]. We already check `is_email()`
 with `rest_validate_request_arg()` so there is no need to duplicate the
 logic here.

 In your patch it looks like you are only checking the lengths of values
 when a comment is created AND only if the `require_name_email` option is
 enabled.  It would be better to move the string length checks into the
 `prepare_item_for_database()` method so we can check lengths on update
 actions as well.

 @salcode was already working on a patch via Github here:
 https://github.com/WP-API/WP-API/pull/2858 that also included unit tests,
 but needed to be converted to a Trac patch.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38477#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
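Added illustration of the structure the comment above recommends (this is example code written for this page, not WordPress core code and not one of the ticket's patches): the length check lives in the step that prepares the comment row for the database, so it runs on both create and update and does not depend on the `require_name_email` option. The field limits, the function names, the "count characters rather than bytes" choice and the constructed inputs are all assumptions.

```php
<?php
// Example code, not WordPress core. Field limits are assumed values chosen
// to mirror the width of the wp_comments columns they are named after.
const COMMENT_FIELD_MAX_LENGTHS = [
    'comment_author'       => 245,
    'comment_author_email' => 100,
    'comment_author_url'   => 200,
    'comment_content'      => 65525,
];

/**
 * Report every field in a prepared comment row whose value is too long.
 *
 * Works on partial rows as well: an update that only sends `content`
 * produces a row with only `comment_content`, and that field alone is
 * checked. Fields that are absent are skipped, not treated as errors.
 *
 * @param array $prepared Comment row as prepared for the database.
 * @param array $limits   field => maximum length in characters.
 * @return array field => ['length' => int, 'max' => int]; empty when OK.
 */
function comment_length_violations(array $prepared, array $limits = COMMENT_FIELD_MAX_LENGTHS): array
{
    $violations = [];
    foreach ($limits as $field => $max) {
        if (!array_key_exists($field, $prepared) || $prepared[$field] === null) {
            continue; // not part of this create/update request
        }
        // Assumption: count characters, not bytes, because a utf8 VARCHAR(n)
        // column limit is per character. Bytes would reject valid short
        // multibyte strings and is the wrong unit for this check.
        $len = mb_strlen((string) $prepared[$field], 'UTF-8');
        if ($len > $max) {
            $violations[$field] = ['length' => $len, 'max' => $max];
        }
    }
    return $violations;
}

/**
 * Stand-in for the controller's prepare_item_for_database() step: map the
 * REST request fields onto the comment row, then apply the length checks
 * unconditionally. Returns either the prepared row or an error array
 * (hypothetical shape; a real controller would return a WP_Error).
 */
function prepare_comment_for_database(array $request): array
{
    $map = [
        'author_name'  => 'comment_author',
        'author_email' => 'comment_author_email',
        'author_url'   => 'comment_author_url',
        'content'      => 'comment_content',
    ];
    $prepared = [];
    foreach ($map as $param => $column) {
        if (isset($request[$param])) {
            $prepared[$column] = $request[$param];
        }
    }
    $violations = comment_length_violations($prepared);
    if ($violations !== []) {
        return ['error' => 'comment_field_too_long', 'status' => 400, 'fields' => $violations];
    }
    return $prepared;
}

// Constructed inputs: a create request whose author name is too long, and an
// update that only touches the content. Both are caught in the same place,
// with no reference to the require_name_email option.
$create = [
    'author_name'  => str_repeat('x', 300),
    'author_email' => 'a@b.c',        // the short address the comment calls valid
    'content'      => 'Hello',
];
$update = ['content' => str_repeat('y', 70000)];

print_r(prepare_comment_for_database($create));
print_r(prepare_comment_for_database($update));
```

Keeping the check in the preparation step rather than in the create handler is what makes the second case (an update with an over-long `content`) fail the same way as the first; a check guarded by `require_name_email` would have let it through.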