More comment cookie sanitation.

git-svn-id: http://svn.automattic.com/wordpress/trunk@3577 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2006-02-28 09:49:06 +00:00
parent 6eadde74ac
commit 25c2dcac3c
5 changed files with 24 additions and 22 deletions


@ -54,7 +54,7 @@ $comment = get_comment($comment_id);
if ( !$user->ID ) : if ( !$user->ID ) :
setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN); setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN); setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->$comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN); setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
endif; endif;
$location = ( empty( $_POST['redirect_to'] ) ) ? get_permalink( $comment_post_ID ) : $_POST['redirect_to']; $location = ( empty( $_POST['redirect_to'] ) ) ? get_permalink( $comment_post_ID ) : $_POST['redirect_to'];
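Review bot: The expiry `time() + 30000000` is repeated on all three setcookie() lines together with the same path and domain; hoisting it once before the `if`, `$expire = time() + 30000000;`, gives the roughly 347-day lifetime a single place to live and a name. The name and email cookies carry the stored comment fields as-is while only the URL cookie passes through clean_url() on the changed line, so every reader has to treat all three as untrusted input and escape on the way out, as comments_template() does in this commit; a one-line comment above the block saying that these cookies are re-filtered on read would keep the next reader from assuming they are safe. This is top-level code inside an `if`, and the surrounding statements are outside the hunk.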


@ -7,9 +7,25 @@ function comments_template( $file = '/comments.php' ) {
if ( is_single() || is_page() || $withcomments ) : if ( is_single() || is_page() || $withcomments ) :
$req = get_settings('require_name_email'); $req = get_settings('require_name_email');
$comment_author = isset($_COOKIE['comment_author_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_'.COOKIEHASH])) : ''; $comment_author = '';
$comment_author_email = isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_email_'.COOKIEHASH])) : ''; if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
$comment_author_url = isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_url_'.COOKIEHASH])) : ''; $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
$comment_author = stripslashes($comment_author);
$comment_author = wp_specialchars($comment_author, true);
}
$comment_author_email = '';
if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
$comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
$comment_author_email = stripslashes($comment_author_email);
$comment_author_email = wp_specialchars($comment_author_email, true);
}
$comment_author_url = '';
if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
$comment_author_url = stripslashes($comment_author_url);
$comment_author_url = wp_specialchars($comment_author_url, true);
}
if ( empty($comment_author) ) { if ( empty($comment_author) ) {
$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date"); $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date");
} else { } else {
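Review bot: The three cookie blocks added from `$comment_author = '';` through the end of the `$comment_author_url` block are the same five statements repeated with a different cookie suffix and filter name; a small helper (the name below is a proposal) puts the read-side rule in one place so a future fourth cookie cannot skip a step. The order also deserves a comment, because it is the point of the change: the `pre_comment_author_*` filters run on the still-slashed raw cookie value, stripslashes() comes after them, and wp_specialchars() is last because it prepares the value for re-display in the form rather than for storage. comments_template() starts and ends outside the hunk.
```php
// … unchanged: $req = get_settings('require_name_email'); …
$comment_author       = _comment_cookie_value('comment_author_', 'pre_comment_author_name');
$comment_author_email = _comment_cookie_value('comment_author_email_', 'pre_comment_author_email');
$comment_author_url   = _comment_cookie_value('comment_author_url_', 'pre_comment_author_url');
// … unchanged: if ( empty($comment_author) ) { … comment query … …

// Read one comment-form cookie: run the pre-save filter chain on the raw
// (still slashed) value, unslash it, then HTML-escape it for re-display in
// the form. Returns '' when the cookie is not set.
function _comment_cookie_value( $prefix, $filter ) {
	if ( !isset($_COOKIE[$prefix . COOKIEHASH]) )
		return '';
	$value = apply_filters($filter, $_COOKIE[$prefix . COOKIEHASH]);
	$value = stripslashes($value);
	return wp_specialchars($value, true);
}
```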


@ -24,10 +24,8 @@ add_filter('pre_comment_author_url', 'strip_tags');
add_filter('pre_comment_author_url', 'trim'); add_filter('pre_comment_author_url', 'trim');
add_filter('pre_comment_author_url', 'clean_url'); add_filter('pre_comment_author_url', 'clean_url');
add_filter('pre_comment_content', 'stripslashes', 1);
add_filter('pre_comment_content', 'wp_rel_nofollow', 15); add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
add_filter('pre_comment_content', 'balanceTags', 30); add_filter('pre_comment_content', 'balanceTags', 30);
add_filter('pre_comment_content', 'addslashes', 50);
add_filter('pre_comment_author_name', 'wp_filter_kses'); add_filter('pre_comment_author_name', 'wp_filter_kses');
add_filter('pre_comment_author_email', 'wp_filter_kses'); add_filter('pre_comment_author_email', 'wp_filter_kses');


@ -579,7 +579,11 @@ function make_clickable($ret) {
} }
function wp_rel_nofollow( $text ) { function wp_rel_nofollow( $text ) {
global $wpdb;
// This is a pre save filter, so text is already escaped.
$text = stripslashes($text);
$text = preg_replace('|<a (.+?)>|i', '<a $1 rel="nofollow">', $text); $text = preg_replace('|<a (.+?)>|i', '<a $1 rel="nofollow">', $text);
$text = $wpdb->escape($text);
return $text; return $text;
} }
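Review bot: wp_rel_nofollow() now unslashes on entry and re-escapes through `$wpdb->escape()` on exit, so it is only correct for slash-escaped pre-save input, and the same commit removes the `stripslashes`/`addslashes` filters that used to bracket it in the pre_comment_content chain, so nothing else enforces that contract. The added one-line comment should become a docblock that states it for callers: `Expects slash-escaped (pre-save) text, as supplied on the pre_comment_content chain, and returns it slash-escaped again; not suitable as a display-time filter.` The preg_replace on the context line also emits a second rel attribute when the anchor already carries one, which predates this commit but is worth a note now that the function owns its own escaping.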


@ -531,14 +531,6 @@ function kses_init_filters() {
// Post filtering // Post filtering
add_filter('content_save_pre', 'wp_filter_post_kses'); add_filter('content_save_pre', 'wp_filter_post_kses');
// Strip all html.
add_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');
add_filter('pre_comment_author_url', 'wp_filter_nohtml_kses');
add_filter('pre_comment_author_email', 'wp_filter_nohtml_kses');
add_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');
add_filter('pre_comment_user_agent', 'wp_filter_nohtml_kses');
add_filter('pre_user_id', 'wp_filter_nohtml_kses');
} }
function kses_remove_filters() { function kses_remove_filters() {
@ -548,14 +540,6 @@ function kses_remove_filters() {
// Post filtering // Post filtering
remove_filter('content_save_pre', 'wp_filter_post_kses'); remove_filter('content_save_pre', 'wp_filter_post_kses');
// Strip all html.
remove_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');
remove_filter('pre_comment_author_url', 'wp_filter_nohtml_kses');
remove_filter('pre_comment_author_email', 'wp_filter_nohtml_kses');
remove_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');
remove_filter('pre_comment_user_agent', 'wp_filter_nohtml_kses');
remove_filter('pre_user_id', 'wp_filter_nohtml_kses');
} }
function kses_init() { function kses_init() {
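Review bot: kses_init_filters() stops registering wp_filter_nohtml_kses on `pre_comment_user_ip`, `pre_comment_user_agent` and `pre_user_id`, and nothing in this commit registers a replacement for those three; the default-filters.php context visible in the third file covers only the author name, email and URL. The User-Agent string is request-controlled (and the stored IP may be, depending on how it is derived), so unless those fields are stripped or escaped at their storage or display sites, which is not visible here, they would now reach the database unfiltered; either keep the three lines, `add_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');` and its two siblings, or move them to default-filters.php alongside the author filters. The matching remove_filter() lines deleted in the second hunk, in kses_remove_filters(), should follow whichever choice is made. Both functions start outside their hunks.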