Comments: Restrict the maximum characters for input fields within the comments template.

Added hardcoded maxlength attributes on the author, author_email, author_url, and comment_field input markup. These can be modified via the comment_form_defaults filter. Added logic in wp_handle_comment_submission() to return a WP_Error when the comment_author, comment_author_url, or comment_content values exceed the max length of their columns. Introduces wp_get_comment_column_max_length() which returns the max column length for a given column name, and is filterable. Unit tests included for the error conditions in wp_handle_comment_submission() Fixes #10377. Props westonruter rachelbaker. git-svn-id: https://develop.svn.wordpress.org/trunk@36272 602fd350-edb4-49c9-b593-d223f7449a82
2016-01-13 01:24:46 +00:00 · 2016-01-13 01:24:46 +00:00 · 0e85f45cb4
commit 0e85f45cb4
parent 3212239199
4 changed files with 147 additions and 4 deletions
--- a/src/wp-includes/comment-template.php
+++ b/src/wp-includes/comment-template.php
@ -2099,11 +2099,11 @@ function comment_form( $args = array(), $post_id = null ) {
 	$html5    = 'html5' === $args['format'];
 	$fields   =  array(
 		'author' => '<p class="comment-form-author">' . '<label for="author">' . __( 'Name' ) . ( $req ? ' <span class="required">*</span>' : '' ) . '</label> ' .
-		            '<input id="author" name="author" type="text" value="' . esc_attr( $commenter['comment_author'] ) . '" size="30"' . $aria_req . $html_req . ' /></p>',
+		            '<input id="author" name="author" type="text" value="' . esc_attr( $commenter['comment_author'] ) . '" size="30" maxlength="245"' . $aria_req . $html_req . ' /></p>',
 		'email'  => '<p class="comment-form-email"><label for="email">' . __( 'Email' ) . ( $req ? ' <span class="required">*</span>' : '' ) . '</label> ' .
-		            '<input id="email" name="email" ' . ( $html5 ? 'type="email"' : 'type="text"' ) . ' value="' . esc_attr(  $commenter['comment_author_email'] ) . '" size="30" aria-describedby="email-notes"' . $aria_req . $html_req  . ' /></p>',
+		            '<input id="email" name="email" ' . ( $html5 ? 'type="email"' : 'type="text"' ) . ' value="' . esc_attr(  $commenter['comment_author_email'] ) . '" size="30" maxlength="100" aria-describedby="email-notes"' . $aria_req . $html_req  . ' /></p>',
 		'url'    => '<p class="comment-form-url"><label for="url">' . __( 'Website' ) . '</label> ' .
-		            '<input id="url" name="url" ' . ( $html5 ? 'type="url"' : 'type="text"' ) . ' value="' . esc_attr( $commenter['comment_author_url'] ) . '" size="30" /></p>',
+		            '<input id="url" name="url" ' . ( $html5 ? 'type="url"' : 'type="text"' ) . ' value="' . esc_attr( $commenter['comment_author_url'] ) . '" size="30" maxlength="200" /></p>',
 	);

 	$required_text = sprintf( ' ' . __('Required fields are marked %s'), '<span class="required">*</span>' );
@ -2118,7 +2118,7 @@ function comment_form( $args = array(), $post_id = null ) {
 	$fields = apply_filters( 'comment_form_default_fields', $fields );
 	$defaults = array(
 		'fields'               => $fields,
-		'comment_field'        => '<p class="comment-form-comment"><label for="comment">' . _x( 'Comment', 'noun' ) . '</label> <textarea id="comment" name="comment" cols="45" rows="8"  aria-required="true" required="required"></textarea></p>',
+		'comment_field'        => '<p class="comment-form-comment"><label for="comment">' . _x( 'Comment', 'noun' ) . '</label> <textarea id="comment" name="comment" cols="45" rows="8" maxlength="65525" aria-required="true" required="required"></textarea></p>',
 		/** This filter is documented in wp-includes/link-template.php */
 		'must_log_in'          => '<p class="must-log-in">' . sprintf( __( 'You must be <a href="%s">logged in</a> to post a comment.' ), wp_login_url( apply_filters( 'the_permalink', get_permalink( $post_id ) ) ) ) . '</p>',
 		/** This filter is documented in wp-includes/link-template.php */
--- a/src/wp-includes/comment.php
+++ b/src/wp-includes/comment.php
@ -947,6 +947,43 @@ function get_page_of_comment( $comment_ID, $args = array() ) {
 	return apply_filters( 'get_page_of_comment', (int) $page, $args, $original_args );
 }

+/**
+ * Calculate the maximum character length of a column from the comments table.
+ *
+ * @since 4.5.0
+ *
+ * @global wpdb $wpdb WordPress database abstraction object.
+ *
+ * @param string $column Name of a column in the comments table.
+ * @return int Maximum column character length.
+ */
+function wp_get_comment_column_max_length( $column ) {
+	global $wpdb;
+
+	$col_length = $wpdb->get_col_length( $wpdb->comments, $column );
+	if ( ! is_array( $col_length ) && (int) $col_length > 0 ) {
+		$max_length = (int) $col_length;
+	} elseif ( is_array( $col_length ) && isset( $col_length['length'] ) && intval( $col_length['length'] ) > 0 ) {
+		$max_length = (int) $col_length['length'];
+	} else {
+		$max_length = 255;
+	}
+
+	if ( ! empty( $col_length['type'] ) && 'byte' === $col_length['type'] ) {
+		$max_length = $max_length - 10;
+	}
+
+	/**
+	 * Filters the calculated length for a given column of the comments table.
+	 *
+	 * @since 4.5.0
+	 *
+	 * @param int    $max_length Maximum column character length.
+	 * @param string $column     Column name.
+	 */
+	return apply_filters( 'wp_get_comment_column_max_length', $max_length, $column );
+}
+
 /**
 * Does comment contain blacklisted characters or words.
 *
@ -2778,8 +2815,22 @@ function wp_handle_comment_submission( $comment_data ) {
 		}
 	}

+	if ( isset( $comment_author ) && wp_get_comment_column_max_length( 'comment_author' ) < mb_strlen( $comment_author, '8bit' ) ) {
+		return new WP_Error( 'comment_author_column_length', __( '<strong>ERROR</strong>: your name is too long.' ), 200 );
+	}
+
+	if ( isset( $comment_author_email ) && wp_get_comment_column_max_length( 'comment_author_email' ) < strlen( $comment_author_email ) ) {
+		return new WP_Error( 'comment_author_email_column_length', __( '<strong>ERROR</strong>: your email address is too long.' ), 200 );
+	}
+
+	if ( isset( $comment_author_url ) && wp_get_comment_column_max_length( 'comment_author_url' ) < strlen( $comment_author_url ) ) {
+		return new WP_Error( 'comment_author_url_column_length', __( '<strong>ERROR</strong>: your url is too long.' ), 200 );
+	}
+
 	if ( '' == $comment_content ) {
 		return new WP_Error( 'require_valid_comment', __( '<strong>ERROR</strong>: please type a comment.' ), 200 );
+	} elseif ( wp_get_comment_column_max_length( 'comment_content' ) < mb_strlen( $comment_content, '8bit' ) ) {
+		return new WP_Error( 'comment_content_column_length', __( '<strong>ERROR</strong>: your comment is too long.' ), 200 );
 	}

 	$commentdata = compact(
--- a/tests/phpunit/includes/utils.php
+++ b/tests/phpunit/includes/utils.php
@ -6,6 +6,18 @@ function rand_str($len=32) {
 	return substr(md5(uniqid(rand())), 0, $len);
 }

+function rand_long_str( $length ) {
+	$chars = 'abcdefghijklmnopqrstuvwxyz';
+	$string = '';
+
+	for ( $i = 0; $i < $length; $i++ ) {
+		$rand = rand( 0, strlen( $chars ) - 1 );
+		$string .= substr( $chars, $rand, 1 );
+	}
+
+	return $string;
+}
+
 // strip leading and trailing whitespace from each line in the string
 function strip_ws($txt) {
 	$lines = explode("\n", $txt);
--- a/tests/phpunit/tests/comment-submission.php
+++ b/tests/phpunit/tests/comment-submission.php
@ -592,6 +592,86 @@ class Tests_Comment_Submission extends WP_UnitTestCase {

 	}

+	/**
+	 * @ticket 10377
+	 */
+	public function test_submitting_comment_with_content_too_long_returns_error() {
+		$error = 'comment_content_column_length';
+
+		$post = self::factory()->post->create_and_get();
+
+		$data = array(
+			'comment_post_ID' => $post->ID,
+			'comment'         => rand_long_str( 65536 ),
+			'author'          => 'Comment Author',
+			'email'           => 'comment@example.org',
+		);
+		$comment = wp_handle_comment_submission( $data );
+
+		$this->assertWPError( $comment );
+		$this->assertSame( $error, $comment->get_error_code() );
+	}
+
+	/**
+	 * @ticket 10377
+	 */
+	public function test_submitting_comment_with_author_too_long_returns_error() {
+		$error = 'comment_author_column_length';
+
+		$post = self::factory()->post->create_and_get();
+
+		$data = array(
+			'comment_post_ID' => $post->ID,
+			'comment'         => rand_str(),
+			'author'          => rand_long_str( 255 ),
+			'email'           => 'comment@example.org',
+		);
+		$comment = wp_handle_comment_submission( $data );
+
+		$this->assertWPError( $comment );
+		$this->assertSame( $error, $comment->get_error_code() );
+	}
+
+	/**
+	 * @ticket 10377
+	 */
+	public function test_submitting_comment_with_email_too_long_returns_error() {
+		$error = 'comment_author_email_column_length';
+
+		$post = self::factory()->post->create_and_get();
+
+		$data = array(
+			'comment_post_ID' => $post->ID,
+			'comment'         => rand_str(),
+			'author'          => 'Comment Author',
+			'email'           => rand_long_str( 90 ) . '@example.com',
+		);
+		$comment = wp_handle_comment_submission( $data );
+
+		$this->assertWPError( $comment );
+		$this->assertSame( $error, $comment->get_error_code() );
+	}
+
+	/**
+	 * @ticket 10377
+	 */
+	public function test_submitting_comment_with_url_too_long_returns_error() {
+		$error = 'comment_author_url_column_length';
+
+		$post = self::factory()->post->create_and_get();
+		$data = array(
+			'comment_post_ID' => $post->ID,
+			'comment'         => rand_str(),
+			'author'          => 'Comment Author',
+			'email'           => 'comment@example.org',
+			'url'             => rand_long_str( 201 ),
+		);
+		$comment = wp_handle_comment_submission( $data );
+
+		$this->assertWPError( $comment );
+		$this->assertSame( $error, $comment->get_error_code() );
+	}
+
 	/**
 	 * @ticket 34997
 	 */