Comments: Use `wp_strip_all_tags()` to strip HTML tags.

`wp_kses()` should only be used if you have a whitelist. Props rachelbaker. Fixes #37208. git-svn-id: https://develop.svn.wordpress.org/trunk@38092 602fd350-edb4-49c9-b593-d223f7449a82
2016-07-18 14:03:04 +00:00 · 2016-07-18 14:03:04 +00:00 · cbbba23530
parent 5b6ab5a596
commit cbbba23530
1 changed files with 1 additions and 1 deletions
--- a/src/wp-includes/comment.php
+++ b/src/wp-includes/comment.php
@ -1057,7 +1057,7 @@ function wp_blacklist_check($author, $email, $url, $comment, $user_ip, $user_age
 		return false; // If moderation keys are empty

 	// Ensure HTML tags are not being used to bypass the blacklist.
-	$comment_without_html = wp_kses( $comment, array() );
+	$comment_without_html = wp_strip_all_tags( $comment );

 	$words = explode("\n", $mod_keys );