Changeset 3577

Timestamp:

02/28/2006 09:49:06 AM (19 years ago)

Author:

ryan

Message:

More comment cookie sanitation.

Location:

trunk

Files:

• wp-comments-post.php (modified) (1 diff)
• wp-includes/comment-functions.php (modified) (1 diff)
• wp-includes/default-filters.php (modified) (1 diff)
• wp-includes/functions-formatting.php (modified) (1 diff)
• wp-includes/kses.php (modified) (2 diffs)

trunk/wp-comments-post.php ¶

@@ -55 +55 @@
     setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
     setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
-    setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->$comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
+    setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
 endif;
 

trunk/wp-includes/comment-functions.php ¶

@@ -8 +8 @@
     if ( is_single() || is_page() || $withcomments ) :
         $req = get_settings('require_name_email');
-        $comment_author = isset($_COOKIE['comment_author_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_'.COOKIEHASH])) : '';
-        $comment_author_email = isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_email_'.COOKIEHASH])) : '';
-        $comment_author_url = isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_url_'.COOKIEHASH])) : '';
+        $comment_author = '';
+        if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
+            $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
+            $comment_author = stripslashes($comment_author);
+            $comment_author = wp_specialchars($comment_author, true);
+        }
+        $comment_author_email = '';
+        if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
+            $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
+            $comment_author_email = stripslashes($comment_author_email);
+            $comment_author_email = wp_specialchars($comment_author_email, true);       
+        }
+        $comment_author_url = '';
+        if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
+            $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
+            $comment_author_url = stripslashes($comment_author_url);
+            $comment_author_url = wp_specialchars($comment_author_url, true);       
+        }
+
     if ( empty($comment_author) ) {
         $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date");

trunk/wp-includes/default-filters.php ¶

@@ -25 +25 @@
 add_filter('pre_comment_author_url', 'clean_url');
 
-add_filter('pre_comment_content', 'stripslashes', 1);
 add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
 add_filter('pre_comment_content', 'balanceTags', 30);
-add_filter('pre_comment_content', 'addslashes', 50);
 
 add_filter('pre_comment_author_name', 'wp_filter_kses');

trunk/wp-includes/functions-formatting.php ¶

@@ -580 +580 @@
 
 function wp_rel_nofollow( $text ) {
+    global $wpdb;
+    // This is a pre save filter, so text is already escaped.
+    $text = stripslashes($text);
     $text = preg_replace('|<a (.+?)>|i', '<a $1 rel="nofollow">', $text);
+    $text = $wpdb->escape($text);
     return $text;
 }

trunk/wp-includes/kses.php ¶

@@ -532 +532 @@
     // Post filtering
     add_filter('content_save_pre', 'wp_filter_post_kses');
-
-    // Strip all html.
-    add_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');
-    add_filter('pre_comment_author_url', 'wp_filter_nohtml_kses');
-    add_filter('pre_comment_author_email', 'wp_filter_nohtml_kses');
-    add_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');
-    add_filter('pre_comment_user_agent', 'wp_filter_nohtml_kses');
-    add_filter('pre_user_id', 'wp_filter_nohtml_kses');
 }
 
@@ -549 +541 @@
     // Post filtering
     remove_filter('content_save_pre', 'wp_filter_post_kses');
-
-    // Strip all html.
-    remove_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');
-    remove_filter('pre_comment_author_url', 'wp_filter_nohtml_kses');
-    remove_filter('pre_comment_author_email', 'wp_filter_nohtml_kses');
-    remove_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');
-    remove_filter('pre_comment_user_agent', 'wp_filter_nohtml_kses');
-    remove_filter('pre_user_id', 'wp_filter_nohtml_kses');
 }