Comments: Validate new comments before and after comment data is filtered.

This ensures that a Disallowed Comment Keys match will consistently send the comment to the Trash, by checking both the original unmodified comment data and the final filtered comment data. If the first check has already resulted in a `trash` or `spam` status, the second check is skipped as redundant. Follow-up to [2894], [3851], [48121], [48575]. Props cfinke, kbrownkd, thompsonsj, mi5t4n, devspace, chaion07, engahmeds3ed, SergeyBiryukov. Fixes #61827. git-svn-id: https://develop.svn.wordpress.org/trunk@59267 602fd350-edb4-49c9-b593-d223f7449a82
2025-01-17 12:58:25 +01:00 · 2024-10-21 23:05:53 +00:00 · 2024-10-21 23:05:53 +00:00 · 309ecbd324
commit 309ecbd324
parent 815f0c3f2c
2 changed files with 43 additions and 1 deletions
--- a/src/wp-includes/comment.php
+++ b/src/wp-includes/comment.php
@ -2277,9 +2277,14 @@ function wp_new_comment( $commentdata, $wp_error = false ) {
 		$commentdata['comment_type'] = 'comment';
 	}

+	$commentdata['comment_approved'] = wp_allow_comment( $commentdata, $wp_error );
+
 	$commentdata = wp_filter_comment( $commentdata );

-	$commentdata['comment_approved'] = wp_allow_comment( $commentdata, $wp_error );
+	if ( ! in_array( $commentdata['comment_approved'], array( 'trash', 'spam' ), true ) ) {
+		// Validate the comment again after filters are applied to comment data.
+		$commentdata['comment_approved'] = wp_allow_comment( $commentdata, $wp_error );
+	}

 	if ( is_wp_error( $commentdata['comment_approved'] ) ) {
 		return $commentdata['comment_approved'];
--- a/tests/phpunit/tests/comment/wpHandleCommentSubmission.php
+++ b/tests/phpunit/tests/comment/wpHandleCommentSubmission.php
@ -976,4 +976,41 @@ class Tests_Comment_wpHandleCommentSubmission extends WP_UnitTestCase {
 			'a non-existent parent comment' => array( 'exists' => false ),
 		);
 	}
+
+	public function test_disallowed_keys_match_gives_approved_status_of_trash() {
+		$data = array(
+			'comment_post_ID' => self::$post->ID,
+			'comment'         => 'Comment',
+			'author'          => 'Comment Author',
+			'email'           => 'comment@example.org',
+		);
+
+		update_option( 'disallowed_keys', "Comment\nfoo" );
+
+		$comment = wp_handle_comment_submission( $data );
+
+		$this->assertNotWPError( $comment );
+		$this->assertInstanceOf( 'WP_Comment', $comment );
+		$this->assertSame( 'trash', $comment->comment_approved );
+	}
+
+	/**
+	 * @ticket 61827
+	 */
+	public function test_disallowed_keys_html_match_gives_approved_status_of_trash() {
+		$data = array(
+			'comment_post_ID' => self::$post->ID,
+			'comment'         => '<a href=http://example.com/>example</a>',
+			'author'          => 'Comment Author',
+			'email'           => 'comment@example.org',
+		);
+
+		update_option( 'disallowed_keys', "href=http\nfoo" );
+
+		$comment = wp_handle_comment_submission( $data );
+
+		$this->assertNotWPError( $comment );
+		$this->assertInstanceOf( 'WP_Comment', $comment );
+		$this->assertSame( 'trash', $comment->comment_approved );
+	}
 }