Ticket #2714 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

comments with HTML can wreck Moderation Queue window

Reported by: DjLizard
Assigned to: markjaquith
Priority: normal
Milestone: 2.0.6
Component: Administration
Version: 2.0.2
Severity: normal
Keywords: html moderation queue comment bg|has-patch
Cc:

Description

I keep getting comment spam which is causing some havoc in the moderate comments menu. The spammer, for whatever reason, is simply posting the following:

Allowed HTML: <a href="" title="" rel="" rel="nofollow"> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> 
<code> <div align=""> <em> <font color="" size="" face=""> <i> <li> <ol> <strike> <strong> <sub> <sup>
<ul>

I don't know why the spammer is just pasting crap off of my page (no Viagra ads, etc). The second spam (from the same person) simply said "nbnbbnmmhmhgjf", so I don't really get the point of the spam. Anyway, the first one messes up the moderation Queue window, to where nothing can be clicked, because it is all one giant hyperlinked, strikethrough'd element. I have to delete the comment via MySQL (hard), or by clicking the delete hyperlink in the "Please moderate:" email I receive when there's a new comment (easier). I can probably fix the Moderation Queue page myself so that it doesn't allow this kind of attack, but I just wanted to let the WordPress devs know about it because this is the third time I've gotten this spam in a span of 6 months.

Attachments

2714.diff (0.9 kB) - added by Nazgul on 06/16/06 00:26:34.
2714b.diff (0.9 kB) - added by Nazgul on 07/04/06 22:05:58.

Change History

05/11/06 08:21:23 changed by markjaquith

  • owner changed from anonymous to markjaquith.
  • status changed from new to assigned.
  • milestone set to 2.1.

I've gotten this too. We should force comments to be run through the filter that closes open tags, at least in the admin.

06/16/06 00:26:01 changed by Nazgul

  • keywords changed from html, moderation queue, comment to html moderation queue comment bg|has-patch.

I got tired of dealing with this type of spam, so I coded a small fix and hope it's of use to somebody else as well.

Also, could somebody tell me what the $is_comment argument in the balanceTags function is used for? It isn't used in the function itself and none of the calling functions pass it in. Can't it be removed?

06/16/06 00:26:34 changed by Nazgul

  • attachment 2714.diff added.

06/19/06 23:36:36 changed by markjaquith

+1 from me

06/24/06 22:31:51 changed by robmiller

+1 from me too.

07/04/06 22:05:58 changed by Nazgul

  • attachment 2714b.diff added.

07/04/06 22:07:31 changed by Nazgul

New patch, which uses the naming convention suggested by Ryan.

07/04/06 22:09:45 changed by ryan

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [3963]) Force balanced tags in comments. Props Nazgul. fixes #2714

07/04/06 22:10:34 changed by ryan

(In [3964]) Force balanced tags in comments. Props Nazgul. fixes #2714

07/04/06 22:11:15 changed by ryan

  • milestone changed from 2.1 to 2.0.4.

11/30/06 19:41:50 changed by

  • milestone deleted.

Milestone 2.0.4 deleted

12/23/06 06:02:58 changed by markjaquith

  • status changed from closed to reopened.
  • resolution deleted.
  • milestone set to 2.0.6.

This is fixed in 2.1 but NOT in 2.0.x. [3964] didn't quite do the trick.

Also, Nazgul is right... $is_comment is not used, so I'm going to remove it.

12/23/06 06:15:16 changed by markjaquith

(In [4662]) Remove unused is_comment param in balanceTags() relates to #2714

12/23/06 06:33:26 changed by markjaquith

  • status changed from reopened to closed.
  • resolution set to fixed.

(In [4663]) Sync balanceTags() and force_balance_tags() to trunk. fixes #2714
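
The fix discussed in this ticket forces comments through a filter that closes tags left open. The sketch below is an added illustration of that idea, not the code from 2714.diff and not WordPress's balanceTags(); the function name close_open_tags_example and the sample comment are assumptions made for the example.

```php
<?php
// Added illustration only; NOT WordPress's balanceTags() or the 2714 patch.
// close_open_tags_example() is a hypothetical helper: it closes every tag a
// comment leaves open, so the comment cannot restyle the page that shows it.
function close_open_tags_example(string $html): string
{
    $void  = ['br', 'hr', 'img'];   // elements that never take a closing tag
    $stack = [];                    // names of tags currently open
    $out   = '';
    // Split into tags and text runs; the capture group keeps the tags.
    $parts = preg_split('/(<\/?[a-zA-Z][^>]*>)/', $html, -1,
        PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
    foreach ($parts as $part) {
        if (!preg_match('/^<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*?(\/?)>$/', $part, $m)) {
            $out .= $part;          // text run: pass through unchanged
            continue;
        }
        $name = strtolower($m[2]);
        if ($m[1] === '/') {        // closing tag
            $keys = array_keys($stack, $name, true);
            if (!$keys) {
                continue;           // stray close with no matching open: drop it
            }
            $idx = end($keys);      // innermost open tag with this name
            while (count($stack) > $idx) {
                $out .= '</' . array_pop($stack) . '>';  // close nested tags first
            }
            continue;
        }
        if ($m[3] !== '/' && !in_array($name, $void, true)) {
            $stack[] = $name;       // opening tag that will need a close
        }
        $out .= $part;
    }
    while ($stack) {                // close whatever the comment left open
        $out .= '</' . array_pop($stack) . '>';
    }
    return $out;
}

// Constructed sample, shortened from the spam comment quoted in the ticket.
$comment = 'Allowed HTML: <a href="" title=""> <b> <strike> <ul>';
echo close_open_tags_example($comment), PHP_EOL;
```

Balancing only restores nesting so the open `<a>` and `<strike>` end inside the comment; which tags and attributes a comment may contain is a separate filtering step.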