REST API: Return an error when the length of a comment field is too long.
Introduces `wp_check_comment_data_max_lengths()` which allows both the REST API comments endpoints and `wp_handle_comment_submission()` to check the length of the comment content, author name, author url, and author email fields against their respective database columns. Props rachelbaker, mangeshp, salcode, pento. Fixes #38477. git-svn-id: https://develop.svn.wordpress.org/trunk@39101 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
73c595f3e4
commit
c962a98980
@ -1121,6 +1121,37 @@ function wp_get_comment_fields_max_lengths() {
|
|||||||
return apply_filters( 'wp_get_comment_fields_max_lengths', $lengths );
|
return apply_filters( 'wp_get_comment_fields_max_lengths', $lengths );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Compares the lengths of comment data against the maximum character limits.
|
||||||
|
*
|
||||||
|
* @since 4.7.0
|
||||||
|
*
|
||||||
|
* @param array $comment_data Array of arguments for inserting a comment.
|
||||||
|
* @return WP_Error|true WP_Error when a comment field exceeds the limit,
|
||||||
|
* otherwise true.
|
||||||
|
*/
|
||||||
|
function wp_check_comment_data_max_lengths( $comment_data ) {
|
||||||
|
$max_lengths = wp_get_comment_fields_max_lengths();
|
||||||
|
|
||||||
|
if ( isset( $comment_data['comment_author'] ) && mb_strlen( $comment_data['comment_author'], '8bit' ) > $max_lengths['comment_author'] ) {
|
||||||
|
return new WP_Error( 'comment_author_column_length', __( '<strong>ERROR</strong>: your name is too long.' ), 200 );
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( isset( $comment_data['comment_author_email'] ) && strlen( $comment_data['comment_author_email'] ) > $max_lengths['comment_author_email'] ) {
|
||||||
|
return new WP_Error( 'comment_author_email_column_length', __( '<strong>ERROR</strong>: your email address is too long.' ), 200 );
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( isset( $comment_data['comment_author_url'] ) && strlen( $comment_data['comment_author_url'] ) > $max_lengths['comment_author_url'] ) {
|
||||||
|
return new WP_Error( 'comment_author_url_column_length', __( '<strong>ERROR</strong>: your url is too long.' ), 200 );
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( isset( $comment_data['comment_content'] ) && mb_strlen( $comment_data['comment_content'], '8bit' ) > $max_lengths['comment_content'] ) {
|
||||||
|
return new WP_Error( 'comment_content_column_length', __( '<strong>ERROR</strong>: your comment is too long.' ), 200 );
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Does comment contain blacklisted characters or words.
|
* Does comment contain blacklisted characters or words.
|
||||||
*
|
*
|
||||||
@ -3032,7 +3063,6 @@ function wp_handle_comment_submission( $comment_data ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$comment_type = '';
|
$comment_type = '';
|
||||||
$max_lengths = wp_get_comment_fields_max_lengths();
|
|
||||||
|
|
||||||
if ( get_option( 'require_name_email' ) && ! $user->exists() ) {
|
if ( get_option( 'require_name_email' ) && ! $user->exists() ) {
|
||||||
if ( 6 > strlen( $comment_author_email ) || '' == $comment_author ) {
|
if ( 6 > strlen( $comment_author_email ) || '' == $comment_author ) {
|
||||||
@ -3042,22 +3072,8 @@ function wp_handle_comment_submission( $comment_data ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( isset( $comment_author ) && $max_lengths['comment_author'] < mb_strlen( $comment_author, '8bit' ) ) {
|
|
||||||
return new WP_Error( 'comment_author_column_length', __( '<strong>ERROR</strong>: your name is too long.' ), 200 );
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( isset( $comment_author_email ) && $max_lengths['comment_author_email'] < strlen( $comment_author_email ) ) {
|
|
||||||
return new WP_Error( 'comment_author_email_column_length', __( '<strong>ERROR</strong>: your email address is too long.' ), 200 );
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( isset( $comment_author_url ) && $max_lengths['comment_author_url'] < strlen( $comment_author_url ) ) {
|
|
||||||
return new WP_Error( 'comment_author_url_column_length', __( '<strong>ERROR</strong>: your url is too long.' ), 200 );
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( '' == $comment_content ) {
|
if ( '' == $comment_content ) {
|
||||||
return new WP_Error( 'require_valid_comment', __( '<strong>ERROR</strong>: please type a comment.' ), 200 );
|
return new WP_Error( 'require_valid_comment', __( '<strong>ERROR</strong>: please type a comment.' ), 200 );
|
||||||
} elseif ( $max_lengths['comment_content'] < mb_strlen( $comment_content, '8bit' ) ) {
|
|
||||||
return new WP_Error( 'comment_content_column_length', __( '<strong>ERROR</strong>: your comment is too long.' ), 200 );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$commentdata = compact(
|
$commentdata = compact(
|
||||||
@ -3071,6 +3087,11 @@ function wp_handle_comment_submission( $comment_data ) {
|
|||||||
'user_ID'
|
'user_ID'
|
||||||
);
|
);
|
||||||
|
|
||||||
|
$check_max_lengths = wp_check_comment_data_max_lengths( $commentdata );
|
||||||
|
if ( is_wp_error( $check_max_lengths ) ) {
|
||||||
|
return $check_max_lengths;
|
||||||
|
}
|
||||||
|
|
||||||
$comment_id = wp_new_comment( wp_slash( $commentdata ), true );
|
$comment_id = wp_new_comment( wp_slash( $commentdata ), true );
|
||||||
if ( is_wp_error( $comment_id ) ) {
|
if ( is_wp_error( $comment_id ) ) {
|
||||||
return $comment_id;
|
return $comment_id;
|
||||||
|
@ -484,6 +484,12 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
|
|||||||
$prepared_comment['comment_agent'] = '';
|
$prepared_comment['comment_agent'] = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$check_comment_lengths = wp_check_comment_data_max_lengths( $prepared_comment );
|
||||||
|
if ( is_wp_error( $check_comment_lengths ) ) {
|
||||||
|
$error_code = $check_comment_lengths->get_error_code();
|
||||||
|
return new WP_Error( $error_code, __( 'Comment field exceeds maximum length allowed.' ), array( 'status' => 400 ) );
|
||||||
|
}
|
||||||
|
|
||||||
$prepared_comment['comment_approved'] = wp_allow_comment( $prepared_comment, true );
|
$prepared_comment['comment_approved'] = wp_allow_comment( $prepared_comment, true );
|
||||||
|
|
||||||
if ( is_wp_error( $prepared_comment['comment_approved'] ) ) {
|
if ( is_wp_error( $prepared_comment['comment_approved'] ) ) {
|
||||||
@ -631,6 +637,12 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
|
|||||||
|
|
||||||
$prepared_args['comment_ID'] = $id;
|
$prepared_args['comment_ID'] = $id;
|
||||||
|
|
||||||
|
$check_comment_lengths = wp_check_comment_data_max_lengths( $prepared_args );
|
||||||
|
if ( is_wp_error( $check_comment_lengths ) ) {
|
||||||
|
$error_code = $check_comment_lengths->get_error_code();
|
||||||
|
return new WP_Error( $error_code, __( 'Comment field exceeds maximum length allowed.' ), array( 'status' => 400 ) );
|
||||||
|
}
|
||||||
|
|
||||||
$updated = wp_update_comment( $prepared_args );
|
$updated = wp_update_comment( $prepared_args );
|
||||||
|
|
||||||
if ( 0 === $updated ) {
|
if ( 0 === $updated ) {
|
||||||
|
@ -1352,6 +1352,98 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
|||||||
$this->assertEquals( 400, $response->get_status() );
|
$this->assertEquals( 400, $response->get_status() );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @ticket 38477
|
||||||
|
*/
|
||||||
|
public function test_create_comment_author_name_too_long() {
|
||||||
|
wp_set_current_user( 0 );
|
||||||
|
|
||||||
|
$params = array(
|
||||||
|
'post' => self::$post_id,
|
||||||
|
'author_name' => rand_long_str( 246 ),
|
||||||
|
'author_email' => 'murphy@gingivitis.com',
|
||||||
|
'author_url' => 'http://jazz.gingivitis.com',
|
||||||
|
'content' => 'This isn\'t a saxophone. It\'s an umbrella.',
|
||||||
|
'date' => '1995-04-30T10:22:00',
|
||||||
|
);
|
||||||
|
$request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
|
||||||
|
|
||||||
|
$request->add_header( 'content-type', 'application/json' );
|
||||||
|
$request->set_body( wp_json_encode( $params ) );
|
||||||
|
$response = $this->server->dispatch( $request );
|
||||||
|
|
||||||
|
$this->assertErrorResponse( 'comment_author_column_length', $response, 400 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @ticket 38477
|
||||||
|
*/
|
||||||
|
public function test_create_comment_author_email_too_long() {
|
||||||
|
wp_set_current_user( 0 );
|
||||||
|
|
||||||
|
$params = array(
|
||||||
|
'post' => self::$post_id,
|
||||||
|
'author_name' => 'Bleeding Gums Murphy',
|
||||||
|
'author_email' => 'murphy@' . rand_long_str( 190 ) . '.com',
|
||||||
|
'author_url' => 'http://jazz.gingivitis.com',
|
||||||
|
'content' => 'This isn\'t a saxophone. It\'s an umbrella.',
|
||||||
|
'date' => '1995-04-30T10:22:00',
|
||||||
|
);
|
||||||
|
$request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
|
||||||
|
|
||||||
|
$request->add_header( 'content-type', 'application/json' );
|
||||||
|
$request->set_body( wp_json_encode( $params ) );
|
||||||
|
$response = $this->server->dispatch( $request );
|
||||||
|
|
||||||
|
$this->assertErrorResponse( 'comment_author_email_column_length', $response, 400 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @ticket 38477
|
||||||
|
*/
|
||||||
|
public function test_create_comment_author_url_too_long() {
|
||||||
|
wp_set_current_user( 0 );
|
||||||
|
|
||||||
|
$params = array(
|
||||||
|
'post' => self::$post_id,
|
||||||
|
'author_name' => 'Bleeding Gums Murphy',
|
||||||
|
'author_email' => 'murphy@gingivitis.com',
|
||||||
|
'author_url' => 'http://jazz.' . rand_long_str( 185 ) . '.com',
|
||||||
|
'content' => 'This isn\'t a saxophone. It\'s an umbrella.',
|
||||||
|
'date' => '1995-04-30T10:22:00',
|
||||||
|
);
|
||||||
|
$request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
|
||||||
|
|
||||||
|
$request->add_header( 'content-type', 'application/json' );
|
||||||
|
$request->set_body( wp_json_encode( $params ) );
|
||||||
|
$response = $this->server->dispatch( $request );
|
||||||
|
|
||||||
|
$this->assertErrorResponse( 'comment_author_url_column_length', $response, 400 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @ticket 38477
|
||||||
|
*/
|
||||||
|
public function test_create_comment_content_too_long() {
|
||||||
|
wp_set_current_user( 0 );
|
||||||
|
|
||||||
|
$params = array(
|
||||||
|
'post' => self::$post_id,
|
||||||
|
'author_name' => 'Bleeding Gums Murphy',
|
||||||
|
'author_email' => 'murphy@gingivitis.com',
|
||||||
|
'author_url' => 'http://jazz.gingivitis.com',
|
||||||
|
'content' => rand_long_str( 66525 ),
|
||||||
|
'date' => '1995-04-30T10:22:00',
|
||||||
|
);
|
||||||
|
$request = new WP_REST_Request( 'POST', '/wp/v2/comments' );
|
||||||
|
|
||||||
|
$request->add_header( 'content-type', 'application/json' );
|
||||||
|
$request->set_body( wp_json_encode( $params ) );
|
||||||
|
$response = $this->server->dispatch( $request );
|
||||||
|
|
||||||
|
$this->assertErrorResponse( 'comment_content_column_length', $response, 400 );
|
||||||
|
}
|
||||||
|
|
||||||
public function test_update_item() {
|
public function test_update_item() {
|
||||||
$post_id = $this->factory->post->create();
|
$post_id = $this->factory->post->create();
|
||||||
|
|
||||||
@ -1609,6 +1701,81 @@ class WP_Test_REST_Comments_Controller extends WP_Test_REST_Controller_Testcase
|
|||||||
$this->assertArrayHasKey( 'children', $response->get_links() );
|
$this->assertArrayHasKey( 'children', $response->get_links() );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @ticket 38477
|
||||||
|
*/
|
||||||
|
public function test_update_comment_author_name_too_long() {
|
||||||
|
wp_set_current_user( self::$admin_id );
|
||||||
|
|
||||||
|
$params = array(
|
||||||
|
'author_name' => rand_long_str( 246 ),
|
||||||
|
'content' => 'This isn\'t a saxophone. It\'s an umbrella.',
|
||||||
|
);
|
||||||
|
$request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
|
||||||
|
|
||||||
|
$request->add_header( 'content-type', 'application/json' );
|
||||||
|
$request->set_body( wp_json_encode( $params ) );
|
||||||
|
$response = $this->server->dispatch( $request );
|
||||||
|
|
||||||
|
$this->assertErrorResponse( 'comment_author_column_length', $response, 400 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @ticket 38477
|
||||||
|
*/
|
||||||
|
public function test_update_comment_author_email_too_long() {
|
||||||
|
wp_set_current_user( self::$admin_id );
|
||||||
|
|
||||||
|
$params = array(
|
||||||
|
'author_email' => 'murphy@' . rand_long_str( 190 ) . '.com',
|
||||||
|
'content' => 'This isn\'t a saxophone. It\'s an umbrella.',
|
||||||
|
);
|
||||||
|
$request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
|
||||||
|
|
||||||
|
$request->add_header( 'content-type', 'application/json' );
|
||||||
|
$request->set_body( wp_json_encode( $params ) );
|
||||||
|
$response = $this->server->dispatch( $request );
|
||||||
|
|
||||||
|
$this->assertErrorResponse( 'comment_author_email_column_length', $response, 400 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @ticket 38477
|
||||||
|
*/
|
||||||
|
public function test_update_comment_author_url_too_long() {
|
||||||
|
wp_set_current_user( self::$admin_id );
|
||||||
|
|
||||||
|
$params = array(
|
||||||
|
'author_url' => 'http://jazz.' . rand_long_str( 185 ) . '.com',
|
||||||
|
'content' => 'This isn\'t a saxophone. It\'s an umbrella.',
|
||||||
|
);
|
||||||
|
$request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
|
||||||
|
|
||||||
|
$request->add_header( 'content-type', 'application/json' );
|
||||||
|
$request->set_body( wp_json_encode( $params ) );
|
||||||
|
$response = $this->server->dispatch( $request );
|
||||||
|
|
||||||
|
$this->assertErrorResponse( 'comment_author_url_column_length', $response, 400 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @ticket 38477
|
||||||
|
*/
|
||||||
|
public function test_update_comment_content_too_long() {
|
||||||
|
wp_set_current_user( self::$admin_id );
|
||||||
|
|
||||||
|
$params = array(
|
||||||
|
'content' => rand_long_str( 66525 ),
|
||||||
|
);
|
||||||
|
$request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/comments/%d', self::$approved_id ) );
|
||||||
|
|
||||||
|
$request->add_header( 'content-type', 'application/json' );
|
||||||
|
$request->set_body( wp_json_encode( $params ) );
|
||||||
|
$response = $this->server->dispatch( $request );
|
||||||
|
|
||||||
|
$this->assertErrorResponse( 'comment_content_column_length', $response, 400 );
|
||||||
|
}
|
||||||
|
|
||||||
public function test_delete_item() {
|
public function test_delete_item() {
|
||||||
wp_set_current_user( self::$admin_id );
|
wp_set_current_user( self::$admin_id );
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user