[wp-trac] [WordPress Trac] #48677: Comments are attempted to be parsed as HTML

WordPress Trac noreply at wordpress.org
Sun Nov 17 09:08:25 UTC 2019


#48677: Comments are attempted to be parsed as HTML
-------------------------------------------------+-------------------------
 Reporter:  jqz                                  |      Owner:  (none)
     Type:  defect (bug)                         |     Status:  new
 Priority:  normal                               |  Milestone:  Awaiting
                                                 |  Review
Component:  Comments                             |    Version:  5.2.4
 Severity:  normal                               |   Keywords:
  Focuses:  ui, javascript, docs,                |
  administration, privacy, ui-copy, coding-      |
  standards                                      |
-------------------------------------------------+-------------------------
 I know that historically the comment system allowed HTML in comments.

 But this is 2019.  No-one expects to be able to put HTML into a comment
 nowadays.

 If any formatting should be allowed, it should be Markdown.

 Also, there are many sites, not least wordpress.org, where people would
 like to be able to put examples of HTML into their comment, without it
 being parsed as HTML and the tags stripped.

 ### Example of bug #-1

 #### Steps to reproduce:

 1. Submit a comment with the following content:

 <q>test1</q>
 <div>test2</div>
 <p>test3</p>

 #### Expected result (yes, verbatim, with properly escaped < etc. in
 the page source):

 <q>test1</q>
 <div>test2</div>
 <p>test3</p>

 #### Actual result:

 test1
 test2
 test3

 ### Example of bug #-2

 https://wordpress.org/support/topic/is-not-an-allowed-child-of-2/

 "you broke it. well done =)"

 The fact that I can inadvertently screw up your support page layout with a
 couple of HTML tags in the title or description suggests that there could
 be an XSS attack waiting to happen somewhere.

 ### Conclusion

 Please just allow text only in comments, and include all content of the
 text, including all things that look like HTML tags but are actually
 intended to be presented just as they are, as text.

 You should HTML-escape (`htmlspecialchars`) the content always when it's
 actually rendered to the page, but never at any other time, e.g., when it
 is stored in or retrieved from the database.  If you try to HTML-escape
 content at the wrong time, you will end up with HTML entities displayed on
 the page instead of the intended character (<, >, &, ", ').

 Like I said, no-one expects HTML comments to be supported any more in
 2019, they are more likely to expect Markdown.  Markdown support could be
 provided via a plugin.  Almost no-one posts a picture in a comment by
 inserting an <img> tag, but if that were desirable, there could be a
 plugin for it (e.g. Facebook has a UI to add a picture to a 'status
 update') with a proper UI for uploading.

 This is probably not a security issue, as those should have all been dealt
 with by now, but I can't confidently tick the box to say it isn't.  Though
 apparently I have to, to submit this ticket :/

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48677>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
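The "escape once, at render time" rule the reporter argues for, shown as an added example in plain PHP (not code from the ticket or from WordPress core); the comment text is the constructed sample from the steps to reproduce, and the store/render functions are hypothetical stand-ins for a database write and a template.

```php
<?php
// Added example: keep the submitted comment verbatim, HTML-escape it exactly
// once when it is emitted into the page, and show what goes wrong otherwise.
declare(strict_types=1);

// Constructed sample input, the three lines from the ticket's repro steps.
$submitted = "<q>test1</q>\n<div>test2</div>\n<p>test3</p>";

/** Hypothetical persistence layer: store exactly what the user typed. */
function store_comment(string $text): string
{
    // A real implementation would write $text to the DB with a prepared
    // statement; no HTML escaping belongs here.
    return $text;
}

/** Render step: the only place the text is HTML-escaped. */
function render_comment(string $stored): string
{
    // ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE avoids
    // returning an empty string on invalid UTF-8 sequences.
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** The anti-pattern the ticket warns about: escaping at storage time as well. */
function store_comment_escaped(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** True when decoding the rendered HTML once gives back the original text. */
function round_trips(string $original, string $rendered): bool
{
    return html_entity_decode($rendered, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $original;
}

$correct = render_comment(store_comment($submitted));
// Page source holds &lt;q&gt;test1&lt;/q&gt; ...; the browser displays the
// literal text <q>test1</q>, which is the ticket's expected result.
echo $correct, "\n";
var_dump(round_trips($submitted, $correct));   // bool(true)

$double = render_comment(store_comment_escaped($submitted));
// Page source now holds &amp;lt;q&amp;gt;, so the browser displays the
// entity text "&lt;q&gt;" itself: the "entities on the page" failure mode.
echo $double, "\n";
var_dump(round_trips($submitted, $double));    // bool(false)
```

In WordPress itself the render-time call would be `esc_html()` rather than `htmlspecialchars()` directly; the placement of the escape, not the function name, is the point.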
