[wp-trac] [WordPress Trac] #61827: wp_check_comment_disallowed_list() can't be used to match unprocessed HTML
WordPress Trac
noreply at wordpress.org
Sat Sep 7 10:37:07 UTC 2024
#61827: wp_check_comment_disallowed_list() can't be used to match unprocessed HTML
--------------------------------------+---------------------
 Reporter:  cfinke                    |       Owner:  (none)
     Type:  defect (bug)              |      Status:  new
 Priority:  normal                    |   Milestone:  6.7
Component:  Comments                  |     Version:  6.6.1
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:
--------------------------------------+---------------------
Comment (by devspace):

This issue arises because the wp_check_comment_disallowed_list() function,
which is responsible for checking comments against the list of disallowed
keys, processes the HTML content of the comment after it has been
filtered. During the filtering, HTML elements are sanitized and attributes
like rel="nofollow ugc" are added to links. This modification prevents the
original disallowed key from being matched correctly.

As you've identified, the disallowed key, such as href=http, won't trigger
the expected behavior because by the time the comment reaches the check,
the link attributes have been transformed into something like
<a href="http://example.com/" rel="nofollow ugc">.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61827#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
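
An added sketch (not part of the ticket comment and not WordPress core code) of the mismatch described above, written as a small audit that shows which disallowed keys match the raw submission and which match the filtered form. The function names key_matches(), simulate_filtering() and audit_keys() are hypothetical, the filtering step is a simplified stand-in for WordPress's comment filtering, and the sample comment and key list are constructed.

```php
<?php
// Added illustration; not WordPress core code. All function names are hypothetical.

// Stand-in for the key check: each disallowed key is treated as a
// case-insensitive literal substring of the text it is compared against.
function key_matches(string $key, string $text): bool {
    return preg_match('#' . preg_quote($key, '#') . '#iu', $text) === 1;
}

// Simplified stand-in for comment filtering (an assumption, not the real
// filter chain): quote the href value and add rel="nofollow ugc" to links.
function simulate_filtering(string $html): string {
    $out = preg_replace_callback(
        '#<a\s+href=(["\']?)([^"\'\s>]+)\1\s*>#i',
        function (array $m): string {
            return '<a href="' . $m[2] . '" rel="nofollow ugc">';
        },
        $html
    );
    return $out ?? $html; // fall back to the input if the regex engine errors
}

// For every key, record whether it matches before and after filtering.
function audit_keys(array $keys, string $raw): array {
    $filtered = simulate_filtering($raw);
    $report   = [];
    foreach ($keys as $key) {
        $key = trim($key);
        if ($key === '') {
            continue; // skip blank lines in the key list
        }
        $report[$key] = [
            'raw'      => key_matches($key, $raw),
            'filtered' => key_matches($key, $filtered),
        ];
    }
    return $report;
}

// Constructed sample input: a comment as submitted, and three keys.
$raw  = 'Great post! <a href=http://example.com/>cheap pills</a>';
$keys = ['href=http', 'cheap pills', 'rel="nofollow'];

foreach (audit_keys($keys, $raw) as $key => $hit) {
    printf("%-16s raw=%-3s filtered=%s\n", $key,
        $hit['raw'] ? 'yes' : 'no', $hit['filtered'] ? 'yes' : 'no');
}
```

A key that matches only the raw column is one the post-filter check cannot see; a key that matches only the filtered column is matching markup the filter added, so it would hit every comment containing a link.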