[wp-trac] [WordPress Trac] #61827: wp_check_comment_disallowed_list() can't be used to match unprocessed HTML

WordPress Trac noreply at wordpress.org
Mon Aug 5 23:53:15 UTC 2024


#61827: wp_check_comment_disallowed_list() can't be used to match unprocessed HTML
--------------------------+-----------------------------
 Reporter:  cfinke        |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Comments      |    Version:  6.6.1
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 If I add the entry `href=http` to the Disallowed Comment Keys list, it
 will not send a comment to the Trash even if the original comment matches.

 For example, the comment:

 `<a href=http://example.com/>example</a>`

 will be put in Pending, since before it is checked by
 `wp_check_comment_disallowed_list()`, quotes and attributes are added to
 it, turning it into:

 `<a href="http://example.com/" rel="nofollow ugc">example</a>`

 This means that you couldn't even put this in the Disallowed Comment Keys
 list and have it work:

 `<a href="http://example.com/">`

 since it will be `<a href="http://example.com/" rel="nofollow ugc">` by
 the time it's passed to `wp_check_comment_disallowed_list()`.

 Since this behavior appears to be due to the combination of the effects of
 `wp_filter_kses`, `balanceTags`, and `wp_rel_ugc` rather than a single
 source, a reasonable solution would seem to be to check the original
 unmodified comment data against `wp_check_comment_disallowed_list()` in
 addition to checking the final filtered comment data.

 Props to @kbrownkd for discovering the root of this issue.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61827>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
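The ordering problem the ticket describes, reduced to a stand-alone script. This is an added example, not code from the ticket or from WordPress core: `model_filter_comment()` is an assumed, deliberately simplified stand-in for the `wp_filter_kses` / `balanceTags` / `wp_rel_ugc` pipeline (it only quotes bare attribute values and appends `rel="nofollow ugc"`), and `matches_disallowed_list()` mimics the case-insensitive, one-entry-per-line matching of the Disallowed Comment Keys setting without calling `wp_check_comment_disallowed_list()`. `check_raw_and_filtered()` is the proposed behaviour: the list is tested against both the unmodified and the filtered comment text, so an entry written against either form can still trigger.

```php
<?php
// Added example (not WordPress code): a stand-alone model of why a Disallowed
// Comment Keys entry written against raw comment HTML never matches once the
// comment has been filtered, and of the "check both forms" approach proposed
// in the ticket. The filter below is an assumption, not the real pipeline.

/**
 * Simplified stand-in for wp_filter_kses + wp_rel_ugc (assumption): quote bare
 * attribute values and append rel="nofollow ugc" to anchors without a rel.
 */
function model_filter_comment(string $raw): string
{
    // href=http://example.com/  ->  href="http://example.com/"
    $quoted = preg_replace('/\b(\w+)=([^\s"\'>]+)/', '$1="$2"', $raw);
    // <a href="..."> -> <a href="..." rel="nofollow ugc">, only when rel= is absent
    return preg_replace('/<a\s+((?:(?!\brel=)[^>])+)>/i', '<a $1 rel="nofollow ugc">', $quoted);
}

/**
 * Case-insensitive keyword match, one entry per line, in the style of the
 * Disallowed Comment Keys setting. Returns the first matching entry or null.
 */
function matches_disallowed_list(string $text, string $keys): ?string
{
    foreach (explode("\n", $keys) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        if (preg_match('#' . preg_quote($entry, '#') . '#iu', $text)) {
            return $entry;
        }
    }
    return null;
}

/**
 * Proposed behaviour: test the unmodified comment as well as the filtered one.
 * Current behaviour corresponds to looking at 'filtered_hit' alone.
 */
function check_raw_and_filtered(string $raw, string $keys): array
{
    $filtered = model_filter_comment($raw);
    return [
        'filtered_text' => $filtered,
        'raw_hit'       => matches_disallowed_list($raw, $keys),
        'filtered_hit'  => matches_disallowed_list($filtered, $keys),
    ];
}

// Constructed sample input: the two list entries and the comment from the ticket.
$keys = "href=http\n<a href=\"http://example.com/\">\n";
$raw  = '<a href=http://example.com/>example</a>';

$result = check_raw_and_filtered($raw, $keys);
printf("filtered text : %s\n", $result['filtered_text']);
printf("raw match     : %s\n", $result['raw_hit'] ?? 'none');
printf("filtered match: %s\n", $result['filtered_hit'] ?? 'none');
// The filtered text becomes <a href="http://example.com/" rel="nofollow ugc">example</a>,
// which neither entry matches (the quotes and the inserted rel attribute break
// both patterns). The raw text matches 'href=http', so checking the original
// comment data as well is what lets the entry take effect.
```

Run with `php example.php`. The second list entry, `<a href="http://example.com/">`, fails against the filtered text for the reason given in the ticket: `rel="nofollow ugc"` is inserted before the closing `>`, so a pattern that includes the `>` no longer appears as a substring.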