[wp-trac] [WordPress Trac] #61827: wp_check_comment_disallowed_list() can't be used to match unprocessed HTML
WordPress Trac
noreply at wordpress.org
Mon Aug 5 23:53:15 UTC 2024
#61827: wp_check_comment_disallowed_list() can't be used to match unprocessed HTML
--------------------------+-----------------------------
Reporter: cfinke | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Comments | Version: 6.6.1
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
If I add the entry `href=http` to the Disallowed Comment Keys list, it
will not send a comment to the Trash even if the original comment matches.
For example, the comment:
`<a href=http://example.com/>example</a>`
will be put in Pending, since before it is checked by
`wp_check_comment_disallowed_list()`, quotes and attributes are added to
it, turning it into:
`<a href="http://example.com/" rel="nofollow ugc">example</a>`
This means that you couldn't even put this in the Disallowed Comment Keys
list and have it work:
`<a href="http://example.com/">`
since it will be `<a href="http://example.com/" rel="nofollow ugc">` by
the time it's passed to `wp_check_comment_disallowed_list()`.
Since this behavior appears to be due to the combination of the effects of
`wp_filter_kses`, `balanceTags`, and `wp_rel_ugc` rather than a single
source, a reasonable solution would seem to be to check the original
unmodified comment data against `wp_check_comment_disallowed_list()` in
addition to checking the final filtered comment data.
props to @kbrownkd for discovering the root of this issue.
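The ordering problem described above, as an added stand-alone illustration (not WordPress core code): `simulate_comment_filters()` is a simplified stand-in for the `wp_filter_kses` / `balanceTags` / `wp_rel_ugc` chain that only reproduces the two rewrites the ticket mentions, and `matches_disallowed_keys()` mirrors the `preg_quote()` + case-insensitive `preg_match()` strategy of `wp_check_comment_disallowed_list()` for the comment body alone; the key `href=http`, the sample comment and the final combined check are taken from the ticket.

```php
<?php
// Added example, not WordPress core code. Simulates ticket #61827: the
// disallowed-key check runs on the filtered comment, so a key written
// against the raw submission never matches.

// Stand-in for the pre-save filter chain (wp_filter_kses, balanceTags,
// wp_rel_ugc). Real kses is far more involved; this reproduces only the two
// transformations the ticket describes: quoting bare attribute values and
// appending rel="nofollow ugc" to anchors.
function simulate_comment_filters(string $comment): string {
    // href=http://example.com/  ->  href="http://example.com/"
    $comment = preg_replace('/\b(href|src)=([^\s"\'>]+)/i', '$1="$2"', $comment);
    // <a ...>  ->  <a ... rel="nofollow ugc">
    return preg_replace('/<a\b([^>]*)>/i', '<a$1 rel="nofollow ugc">', $comment);
}

// Mirrors how wp_check_comment_disallowed_list() matches: each non-empty
// line of the option is preg_quote()d and tested case-insensitively.
// Core also checks author, email, URL, IP and user agent; omitted here.
function matches_disallowed_keys(string $text, string $disallowed_keys): bool {
    foreach (explode("\n", $disallowed_keys) as $word) {
        $word = trim($word);
        if ($word === '') {
            continue;
        }
        $pattern = '#' . preg_quote($word, '#') . '#iu';
        if (preg_match($pattern, $text)) {
            return true;
        }
    }
    return false;
}

$disallowed_keys = "href=http";                     // entry from the ticket
$raw      = '<a href=http://example.com/>example</a>'; // comment as submitted
$filtered = simulate_comment_filters($raw);           // what core checks today

printf("filtered comment: %s\n", $filtered);
printf("filtered matches: %s\n", matches_disallowed_keys($filtered, $disallowed_keys) ? 'yes' : 'no');
printf("raw matches:      %s\n", matches_disallowed_keys($raw, $disallowed_keys) ? 'yes' : 'no');

// The fix the ticket proposes: check the unmodified submission as well as
// the filtered one, so a key written against either form sends the comment
// to the Trash.
$should_trash = matches_disallowed_keys($raw, $disallowed_keys)
    || matches_disallowed_keys($filtered, $disallowed_keys);
printf("send to Trash:    %s\n", $should_trash ? 'yes' : 'no');
```

Running it shows the filtered form `<a href="http://example.com/" rel="nofollow ugc">example</a>` failing the `href=http` check while the raw form passes it, which is why checking only the filtered text leaves the comment in Pending.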
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61827>
WordPress Trac <https://core.trac.wordpress.org/>