[wp-trac] [WordPress Trac] #62644: Editing comments as an admin, in the Admin UI, filters the HTML elements of the comment as though the edit was done by the original author.
WordPress Trac
noreply at wordpress.org
Wed Dec 4 21:04:38 UTC 2024
#62644: Editing comments as an admin, in the Admin UI, filters the HTML elements of
the comment as though the edit was done by the original author.
--------------------------+-----------------------------
 Reporter:  turbodb       |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Comments      |    Version:  6.7.1
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
**Problem Description:**
I know that comments don’t allow img elements by default (for unregistered
users). For privacy/spam reasons, of course. On my site, I manually
moderate all comments, so this is less of an issue for me, and there are
times when it is important for people (not signed-in users) to be able to
link to images.
**Repro Steps:**
1. Add the following code to {{{functions.php}}}, which will allow
non-registered users to include the {{{<img>}}} element in comment contents.
{{{
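// Allow <img> (with a small set of attributes) in comment content.
// Hooked on pre_comment_on_post, so it only runs when a new comment is submitted.
// The argument is the post ID passed by the action; it is unused here.
function add_post_comment_html_tags( $commentdata ) {
    global $allowedtags;

    $new_tags = [
        'img' => [
            'src'   => true,
            'class' => true,
            'style' => true,
            'alt'   => true,
        ],
    ];

    // Extend the global comment allowlist for this request.
    $allowedtags = array_merge( $allowedtags, $new_tags );
}
add_action( 'pre_comment_on_post', 'add_post_comment_html_tags' );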
}}}
2. As a non-registered user, leave a comment on a post, utilizing the
{{{<img>}}} HTML element to include an image.
''===> Note that the image is successfully allowed into the comment.''
3. Log in to the site as an administrator and navigate to the Comments
page in Admin UI.
4. Edit (or Quick Edit) the comment, and change the contents slightly, but
leave the {{{<img>}}} element alone.
5. Save your changes.
**Result:**
Once the comment is saved by the admin, the {{{<img>}}} element is removed
entirely, even though the administrator can create comments - either in
the admin UI or frontend - that contain {{{<img>}}} elements.
This happens because the comment edit is committed as / impersonates the
original comment author on save, and is not executed as the current editor
(administrator) in the Admin UI. Further, because the comment already
exists, the {{{pre_comment_on_post}}} action is not called, so {{{<img>}}}
is not added to the {{{global $allowedtags}}}.
**Expect:**
I would expect one of two things:
1. That edits to comments in the admin UI are performed *as the current
user editing the comment* instead of as the original comment author.
2. That there be a way to modify the {{{global $allowedtags}}} for comment
edits, in the same way that there is for comment creation.
**Notes:**
1. I originally brought this up here, for a bit more context:
https://wordpress.org/support/topic/how-to-prevent-editing-of-comments-as-admin-from-stripping-images/
2. There may already be a filter/hook that serves this purpose, but I
couldn't find one in the docs. I tried {{{comment_save_pre}}}, which did
not work successfully.
3. If the administrator edits a comment that was originally created by an
administrator (or any user with the {{{unfiltered_html}}} capability),
then the {{{<img>}}} is not removed (as expected).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62644>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
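
One way to get the behaviour asked for under **Expect** item 2, as an added example (not the reporter's code and not WordPress core code): register the extra element on the {{{wp_kses_allowed_html}}} filter, scoped to the comment-content context, instead of mutating {{{global $allowedtags}}} on an action that only fires for new comments. It assumes comment content is sanitized by {{{wp_filter_kses}}} running on the {{{pre_comment_content}}} filter for both new comments and admin edits; the function name {{{example_allow_img_in_comments}}} is hypothetical.

```php
<?php
/**
 * Added example (assumption: the KSES context for comment content
 * is the name of the filter it runs on, 'pre_comment_content').
 *
 * @param array|string $allowed Allowed tags/attributes for this context.
 * @param string|array $context KSES context being evaluated.
 * @return array|string
 */
function example_allow_img_in_comments( $allowed, $context ) {
    // Leave every other context (post content, user descriptions,
    // explicit arrays passed to wp_kses) exactly as WordPress built it.
    if ( 'pre_comment_content' !== $context || ! is_array( $allowed ) ) {
        return $allowed;
    }

    // Same element and attributes as the snippet in the report.
    // Anything not listed here is still stripped by KSES.
    $allowed['img'] = array(
        'src'   => true,
        'class' => true,
        'style' => true,
        'alt'   => true,
    );

    return $allowed;
}
// Priority 10, two arguments: the allowlist and the context.
add_filter( 'wp_kses_allowed_html', 'example_allow_img_in_comments', 10, 2 );
```

Because the filter is evaluated each time KSES builds the allowlist, it does not depend on which user the edit is attributed to or on {{{pre_comment_on_post}}} having fired.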