[wp-trac] [WordPress Trac] #38477: Missing validation while posting comment via REST API
WordPress Trac
noreply at wordpress.org
Wed Oct 26 07:19:56 UTC 2016
#38477: Missing validation while posting comment via REST API
-------------------------------------+--------------------
Reporter: mangeshp | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.7
Component: REST API | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch needs-refresh | Focuses:
-------------------------------------+--------------------
Comment (by mangeshp):
@rachelbaker Thank you for the feedback.
I checked the pull request and also the feedback you have given on the
GitHub repo.
I would like to point out two major things from the PR
Following is the sample code from PR:
{{{return new WP_Error( 'comment_author_column_length', __(
'<strong>ERROR</strong>: your name is too long.' ), array( 'status' => 400
) );}}}
You can see that `comment_author_column_length` is not following the same
pattern as other parameters we are using in all other classes. It should
be like this `rest_comment_author_column_length`. Also, HTML entities like
`<strong>` should not be there in error messages. The error messages
should be plain text in API.
It's better to move the string length checks into
`prepare_item_for_database()`, and the check should also be done in
`create_item()`, because the filter `rest_preprocess_comment` in
`prepare_item_for_database()` may send incorrect values in
`$prepared_comment`, which need to be checked once again.
Let me know your opinion on the above points.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38477#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
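The two points raised in the comment above (a `rest_`-prefixed, plain-text error, and a length check that runs both while preparing the comment and again in `create_item()` after the `rest_preprocess_comment` filter) can be sketched as follows. This is an added example, not code from WordPress core or from the pull request under discussion. The function and class names (`rest_check_comment_lengths`, `Rest_Length_Error`, `prepare_comment_for_database`, `create_comment`) and the `$preprocess` callable standing in for the filter are hypothetical; the column limits are assumptions taken from the default `wp_comments` schema and are compared in bytes, which is how MySQL enforces them.

```php
<?php
// Added example, not WordPress core code. Demonstrates a length check that
// returns a prefixed plain-text error and is applied twice: once on the raw
// request, once more after the preprocess filter may have changed the data.

// Assumed column sizes from the default wp_comments table:
// tinytext (255 bytes), varchar(100), varchar(200), text (65535 bytes).
const REST_COMMENT_COLUMN_LIMITS = [
    'comment_author'       => 255,
    'comment_author_email' => 100,
    'comment_author_url'   => 200,
    'comment_content'      => 65535,
];

// Hypothetical stand-in for what a controller would wrap in
// new WP_Error( $code, $message, [ 'status' => 400 ] ).
final class Rest_Length_Error {
    public $code;
    public $message;
    public $status = 400;

    public function __construct( string $code, string $message ) {
        $this->code    = $code;
        $this->message = $message;
    }
}

// Returns null when every present field fits its column, otherwise an error.
function rest_check_comment_lengths( array $comment ) {
    foreach ( REST_COMMENT_COLUMN_LIMITS as $field => $limit ) {
        if ( ! isset( $comment[ $field ] ) ) {
            continue;
        }
        // strlen() counts bytes on purpose: 200 multibyte characters can
        // overflow a 200-byte column even though mb_strlen() says they fit.
        if ( strlen( (string) $comment[ $field ] ) > $limit ) {
            return new Rest_Length_Error(
                'rest_' . $field . '_column_length',          // same rest_ prefix as the other REST errors
                sprintf( '%s is too long (limit %d bytes).', $field, $limit ) // plain text, no HTML
            );
        }
    }
    return null;
}

// Stand-in for prepare_item_for_database(): validate the request, then hand
// the prepared array to the preprocess filter (untrusted plugin code).
function prepare_comment_for_database( array $request, ?callable $preprocess = null ) {
    $prepared = array_intersect_key( $request, REST_COMMENT_COLUMN_LIMITS );

    $error = rest_check_comment_lengths( $prepared );
    if ( $error !== null ) {
        return $error;
    }
    if ( $preprocess !== null ) {
        $prepared = $preprocess( $prepared, $request );
    }
    return $prepared;
}

// Stand-in for create_item(): re-run the check because the filter output is
// whatever the callback decided to return.
function create_comment( array $request, ?callable $preprocess = null ) {
    $prepared = prepare_comment_for_database( $request, $preprocess );
    if ( $prepared instanceof Rest_Length_Error ) {
        return $prepared;
    }
    $error = rest_check_comment_lengths( $prepared );
    if ( $error !== null ) {
        return $error;
    }
    return [ 'status' => 201, 'comment' => $prepared ];
}

// Constructed demo input. The request itself is within limits; the filter
// then appends 300 bytes to the URL, which only the second check catches.
$request = [
    'comment_author'     => 'Alice',
    'comment_author_url' => 'https://example.com/',
    'comment_content'    => 'Looks good to me.',
];
$bad_filter = function ( array $prepared, array $request ) {
    $prepared['comment_author_url'] .= str_repeat( 'a', 300 );
    return $prepared;
};

foreach ( [ 'without filter' => null, 'with filter' => $bad_filter ] as $label => $filter ) {
    $result = create_comment( $request, $filter );
    echo $label, ': ',
        $result instanceof Rest_Length_Error
            ? "{$result->code} ({$result->status}) - {$result->message}"
            : 'created (' . $result['status'] . ')',
        "\n";
}
```

Running the script shows the first request being accepted and the second rejected with `rest_comment_author_url_column_length (400)`, even though the raw request passed the check in `prepare_comment_for_database()`; that second rejection is the case the comment argues `create_item()` must handle itself.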