Comments: Strip html tags from comment content before blacklist_keys comparison.
Use `wp_kses()` to clean comment_content for preg_match against the blacklist_keys. Also includes some initial unit tests for `wp_blacklist_check()`. Previously, if a blacklisted key was used in comment_content split by an html tag the regex in `wp_blacklist_check()` would not find a match. Example: Where "springfield" was a blacklisted word, if the content of a comment included `spring<i>field</i>" `wp_blacklist_check()` would not return true. Props cfinke. Fixes #37208. git-svn-id: https://develop.svn.wordpress.org/trunk@38047 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
e332cfbed8
commit
d6eac6593c
@ -1055,6 +1055,10 @@ function wp_blacklist_check($author, $email, $url, $comment, $user_ip, $user_age
|
|||||||
$mod_keys = trim( get_option('blacklist_keys') );
|
$mod_keys = trim( get_option('blacklist_keys') );
|
||||||
if ( '' == $mod_keys )
|
if ( '' == $mod_keys )
|
||||||
return false; // If moderation keys are empty
|
return false; // If moderation keys are empty
|
||||||
|
|
||||||
|
// Ensure HTML tags are not being used to bypass the blacklist.
|
||||||
|
$comment_without_html = wp_kses( $comment, array() );
|
||||||
|
|
||||||
$words = explode("\n", $mod_keys );
|
$words = explode("\n", $mod_keys );
|
||||||
|
|
||||||
foreach ( (array) $words as $word ) {
|
foreach ( (array) $words as $word ) {
|
||||||
@ -1072,7 +1076,7 @@ function wp_blacklist_check($author, $email, $url, $comment, $user_ip, $user_age
|
|||||||
preg_match($pattern, $author)
|
preg_match($pattern, $author)
|
||||||
|| preg_match($pattern, $email)
|
|| preg_match($pattern, $email)
|
||||||
|| preg_match($pattern, $url)
|
|| preg_match($pattern, $url)
|
||||||
|| preg_match($pattern, $comment)
|
|| preg_match($pattern, $comment_without_html)
|
||||||
|| preg_match($pattern, $user_ip)
|
|| preg_match($pattern, $user_ip)
|
||||||
|| preg_match($pattern, $user_agent)
|
|| preg_match($pattern, $user_agent)
|
||||||
)
|
)
|
||||||
|
82
tests/phpunit/tests/comment/wpBlacklistCheck.php
Normal file
82
tests/phpunit/tests/comment/wpBlacklistCheck.php
Normal file
@ -0,0 +1,82 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @group comment
|
||||||
|
*/
|
||||||
|
class Tests_WP_Blacklist_Check extends WP_UnitTestCase {
|
||||||
|
|
||||||
|
public function test_should_return_true_when_content_matches_blacklist_keys() {
|
||||||
|
$author = 'Sting';
|
||||||
|
$author_email = 'sting@example.com';
|
||||||
|
$author_url = 'http://example.com';
|
||||||
|
$comment = "There's a hole in my heart. As deep as a well. For that poor little boy. Who's stuck halfway to Hell.";
|
||||||
|
$author_ip = '192.168.0.1';
|
||||||
|
$user_agent = '';
|
||||||
|
|
||||||
|
update_option( 'blacklist_keys',"well\nfoo" );
|
||||||
|
|
||||||
|
$result = wp_blacklist_check( $author, $author_email, $author_url, $comment, $author_ip, $user_agent );
|
||||||
|
|
||||||
|
$this->assertTrue( $result );
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_should_return_true_when_content_with_html_matches_blacklist_keys() {
|
||||||
|
$author = 'Sting';
|
||||||
|
$author_email = 'sting@example.com';
|
||||||
|
$author_url = 'http://example.com';
|
||||||
|
$comment = "There's a hole in my heart. As deep as a well. For that poor little boy. Who's stuck <b>half</b>way to Hell.";
|
||||||
|
$author_ip = '192.168.0.1';
|
||||||
|
$user_agent = '';
|
||||||
|
|
||||||
|
update_option( 'blacklist_keys',"halfway\nfoo" );
|
||||||
|
|
||||||
|
$result = wp_blacklist_check( $author, $author_email, $author_url, $comment, $author_ip, $user_agent );
|
||||||
|
|
||||||
|
$this->assertTrue( $result );
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_should_return_true_when_author_matches_blacklist_keys() {
|
||||||
|
$author = 'Sideshow Mel';
|
||||||
|
$author_email = 'mel@example.com';
|
||||||
|
$author_url = 'http://example.com';
|
||||||
|
$comment = "Though we can't get him out. We'll do the next best thing.";
|
||||||
|
$author_ip = '192.168.0.1';
|
||||||
|
$user_agent = '';
|
||||||
|
|
||||||
|
update_option( 'blacklist_keys',"sideshow\nfoo" );
|
||||||
|
|
||||||
|
$result = wp_blacklist_check( $author, $author_email, $author_url, $comment, $author_ip, $user_agent );
|
||||||
|
|
||||||
|
$this->assertTrue( $result );
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_should_return_true_when_url_matches_blacklist_keys() {
|
||||||
|
$author = 'Rainier Wolfcastle';
|
||||||
|
$author_email = 'rainier@wolfcastle.com';
|
||||||
|
$author_url = 'http://example.com';
|
||||||
|
$comment = 'We go on TV and sing, sing, sing.';
|
||||||
|
$author_ip = '192.168.0.1';
|
||||||
|
$user_agent = '';
|
||||||
|
|
||||||
|
update_option( 'blacklist_keys',"example\nfoo" );
|
||||||
|
|
||||||
|
$result = wp_blacklist_check( $author, $author_email, $author_url, $comment, $author_ip, $user_agent );
|
||||||
|
|
||||||
|
$this->assertTrue( $result );
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_should_return_false_when_no_match() {
|
||||||
|
$author = 'Krusty the Clown';
|
||||||
|
$author_email = 'krusty@example.com';
|
||||||
|
$author_url = 'http://example.com';
|
||||||
|
$comment = "And we're sending our love down the well.";
|
||||||
|
$author_ip = '192.168.0.1';
|
||||||
|
$user_agent = '';
|
||||||
|
|
||||||
|
update_option( 'blacklist_keys',"sideshow\nfoobar" );
|
||||||
|
|
||||||
|
$result = wp_blacklist_check( $author, $author_email, $author_url, $comment, $author_ip, $user_agent );
|
||||||
|
|
||||||
|
$this->assertFalse( $result );
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user