From 0e85f45cb43dca057244826388339f47743a9cdc Mon Sep 17 00:00:00 2001
From: Rachel Baker
' . - '
', + '', 'url' => '' . - '
', + '', ); $required_text = sprintf( ' ' . __('Required fields are marked %s'), '*' ); @@ -2118,7 +2118,7 @@ function comment_form( $args = array(), $post_id = null ) { $fields = apply_filters( 'comment_form_default_fields', $fields ); $defaults = array( 'fields' => $fields, - 'comment_field' => '', + 'comment_field' => '
', /** This filter is documented in wp-includes/link-template.php */ 'must_log_in' => '
' . sprintf( __( 'You must be logged in to post a comment.' ), wp_login_url( apply_filters( 'the_permalink', get_permalink( $post_id ) ) ) ) . '
', /** This filter is documented in wp-includes/link-template.php */
diff --git a/src/wp-includes/comment.php b/src/wp-includes/comment.php
index 41c586c60f..b9d084c997 100644
--- a/src/wp-includes/comment.php
+++ b/src/wp-includes/comment.php
@@ -947,6 +947,43 @@ function get_page_of_comment( $comment_ID, $args = array() ) {
 return apply_filters( 'get_page_of_comment', (int) $page, $args, $original_args );
 }
+/**
+ * Calculate the maximum character length of a column from the comments table.
+ *
+ * @since 4.5.0
+ *
+ * @global wpdb $wpdb WordPress database abstraction object.
+ *
+ * @param string $column Name of a column in the comments table.
+ * @return int Maximum column character length.
+ */
+function wp_get_comment_column_max_length( $column ) {
+ global $wpdb;
+
+ $col_length = $wpdb->get_col_length( $wpdb->comments, $column );
+ if ( ! is_array( $col_length ) && (int) $col_length > 0 ) {
+ $max_length = (int) $col_length;
+ } elseif ( is_array( $col_length ) && isset( $col_length['length'] ) && intval( $col_length['length'] ) > 0 ) {
+ $max_length = (int) $col_length['length'];
+ } else {
+ $max_length = 255;
+ }
+
+ if ( ! empty( $col_length['type'] ) && 'byte' === $col_length['type'] ) {
+ $max_length = $max_length - 10;
+ }
+
+ /**
+ * Filters the calculated length for a given column of the comments table.
+ *
+ * @since 4.5.0
+ *
+ * @param int $max_length Maximum column character length.
+ * @param string $column Column name.
+ */
+ return apply_filters( 'wp_get_comment_column_max_length', $max_length, $column );
+}
+
 /**
 * Does comment contain blacklisted characters or words.
 *
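Review bot: In wp_get_comment_column_max_length() the first branch casts any non-array `$col_length` to int, so if `get_col_length()` can return an error object (its return contract is not visible in this hunk, so this needs confirming) that value would not reach the 255 fallback; testing `is_numeric( $col_length )` instead of `! is_array( $col_length )` keeps the fallback for every non-numeric result. The result is also returned straight from `apply_filters()`, so a callback that returns a non-integer, or a limit larger than the real column, weakens the length checks that depend on this helper; `return (int) apply_filters( 'wp_get_comment_column_max_length', $max_length, $column );` at least pins the type, and the filter docblock should say that callbacks are expected to lower the limit, not raise it above the column size. The function docblock calls the result a character length although the `'byte'` branch shows it can be a byte count reduced by 10; the comment should state the unit and why 10 is subtracted.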
@@ -2778,8 +2815,22 @@ function wp_handle_comment_submission( $comment_data ) {
 }
 }
+ if ( isset( $comment_author ) && wp_get_comment_column_max_length( 'comment_author' ) < mb_strlen( $comment_author, '8bit' ) ) {
+ return new WP_Error( 'comment_author_column_length', __( 'ERROR: your name is too long.' ), 200 );
+ }
+
+ if ( isset( $comment_author_email ) && wp_get_comment_column_max_length( 'comment_author_email' ) < strlen( $comment_author_email ) ) {
+ return new WP_Error( 'comment_author_email_column_length', __( 'ERROR: your email address is too long.' ), 200 );
+ }
+
+ if ( isset( $comment_author_url ) && wp_get_comment_column_max_length( 'comment_author_url' ) < strlen( $comment_author_url ) ) {
+ return new WP_Error( 'comment_author_url_column_length', __( 'ERROR: your url is too long.' ), 200 );
+ }
+
 if ( '' == $comment_content ) {
 return new WP_Error( 'require_valid_comment', __( 'ERROR: please type a comment.' ), 200 );
+ } elseif ( wp_get_comment_column_max_length( 'comment_content' ) < mb_strlen( $comment_content, '8bit' ) ) {
+ return new WP_Error( 'comment_content_column_length', __( 'ERROR: your comment is too long.' ), 200 );
 }
 $commentdata = compact(
diff --git a/tests/phpunit/includes/utils.php b/tests/phpunit/includes/utils.php
index 00d1b32852..bbffa4ec98 100644
--- a/tests/phpunit/includes/utils.php
+++ b/tests/phpunit/includes/utils.php
@@ -6,6 +6,18 @@ function rand_str($len=32) {
 return substr(md5(uniqid(rand())), 0, $len);
 }
+function rand_long_str( $length ) {
+ $chars = 'abcdefghijklmnopqrstuvwxyz';
+ $string = '';
+
+ for ( $i = 0; $i < $length; $i++ ) {
+ $rand = rand( 0, strlen( $chars ) - 1 );
+ $string .= substr( $chars, $rand, 1 );
+ }
+
+ return $string;
+}
+
 // strip leading and trailing whitespace from each line in the string
 function strip_ws($txt) {
 $lines = explode("\n", $txt);
diff --git a/tests/phpunit/tests/comment-submission.php b/tests/phpunit/tests/comment-submission.php
index 7c480474eb..8c42db9318 100644
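Review bot: The four new length checks in wp_handle_comment_submission() do not measure the same way: author and content use `mb_strlen( …, '8bit' )` while e-mail and URL use plain `strlen()`, and all four are byte counts compared against a limit the helper documents as a character length. Using `mb_strlen( $comment_author_email, '8bit' )` and `mb_strlen( $comment_author_url, '8bit' )` would make the checks consistent, and a one-line comment should record that bytes are compared on purpose, which is stricter than needed for multibyte text in character-sized columns. The checks run on the values as submitted, and the function continues past this hunk, so if later filtering lengthens a value the stored string could still exceed the column and be truncated by the database; that is worth confirming against the rest of the function.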
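Review bot: rand_long_str() in tests/phpunit/includes/utils.php has no docblock, and nothing records why it sits next to rand_str(). Because rand_str() takes a substring of an md5() digest it cannot return more than 32 characters, which is presumably the reason for the new helper; a docblock such as `/** Returns $length random lowercase ASCII letters, for tests that need more than rand_str() can produce. */` would say so. `$chars[ $rand ]` would also read more directly than `substr( $chars, $rand, 1 )`.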
--- a/tests/phpunit/tests/comment-submission.php
+++ b/tests/phpunit/tests/comment-submission.php
@@ -592,6 +592,86 @@ class Tests_Comment_Submission extends WP_UnitTestCase {
 }
+ /**
+ * @ticket 10377
+ */
+ public function test_submitting_comment_with_content_too_long_returns_error() {
+ $error = 'comment_content_column_length';
+
+ $post = self::factory()->post->create_and_get();
+
+ $data = array(
+ 'comment_post_ID' => $post->ID,
+ 'comment' => rand_long_str( 65536 ),
+ 'author' => 'Comment Author',
+ 'email' => 'comment@example.org',
+ );
+ $comment = wp_handle_comment_submission( $data );
+
+ $this->assertWPError( $comment );
+ $this->assertSame( $error, $comment->get_error_code() );
+ }
+
+ /**
+ * @ticket 10377
+ */
+ public function test_submitting_comment_with_author_too_long_returns_error() {
+ $error = 'comment_author_column_length';
+
+ $post = self::factory()->post->create_and_get();
+
+ $data = array(
+ 'comment_post_ID' => $post->ID,
+ 'comment' => rand_str(),
+ 'author' => rand_long_str( 255 ),
+ 'email' => 'comment@example.org',
+ );
+ $comment = wp_handle_comment_submission( $data );
+
+ $this->assertWPError( $comment );
+ $this->assertSame( $error, $comment->get_error_code() );
+ }
+
+ /**
+ * @ticket 10377
+ */
+ public function test_submitting_comment_with_email_too_long_returns_error() {
+ $error = 'comment_author_email_column_length';
+
+ $post = self::factory()->post->create_and_get();
+
+ $data = array(
+ 'comment_post_ID' => $post->ID,
+ 'comment' => rand_str(),
+ 'author' => 'Comment Author',
+ 'email' => rand_long_str( 90 ) .
'@example.com',
+ );
+ $comment = wp_handle_comment_submission( $data );
+
+ $this->assertWPError( $comment );
+ $this->assertSame( $error, $comment->get_error_code() );
+ }
+
+ /**
+ * @ticket 10377
+ */
+ public function test_submitting_comment_with_url_too_long_returns_error() {
+ $error = 'comment_author_url_column_length';
+
+ $post = self::factory()->post->create_and_get();
+ $data = array(
+ 'comment_post_ID' => $post->ID,
+ 'comment' => rand_str(),
+ 'author' => 'Comment Author',
+ 'email' => 'comment@example.org',
+ 'url' => rand_long_str( 201 ),
+ );
+ $comment = wp_handle_comment_submission( $data );
+
+ $this->assertWPError( $comment );
+ $this->assertSame( $error, $comment->get_error_code() );
+ }
+
 /**
 * @ticket 34997
 */
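Review bot: The four new tests only submit values that are over the limit, and they hard-code the lengths (65536, 255, 90 plus the domain, 201) instead of deriving them from `wp_get_comment_column_max_length()`, so the boundary itself is not pinned. A companion assertion per field that a value of exactly the allowed length is accepted, plus one multibyte input, would show whether the limit is meant in bytes or characters and would catch an off-by-one in the `<` comparison. The author test, for example, could build its input with `rand_long_str( wp_get_comment_column_max_length( 'comment_author' ) + 1 )`. The test class starts and continues outside this hunk.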