From 4318418b39a049ce2bb59947fda2a372e8ff9610 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Mon, 21 Oct 2024 23:07:15 +0000
Subject: [PATCH] Comments: Validate new comments before and after comment data is filtered. This ensures that a Disallowed Comment Keys match will consistently send the comment to the Trash, by checking both the original unmodified comment data and the final filtered comment data. If the first check has already resulted in a `trash` or `spam` status, the second check is skipped as redundant. Follow-up to [2894], [3851], [48121], [48575]. Props cfinke, kbrownkd, thompsonsj, mi5t4n, devspace, chaion07, engahmeds3ed, SergeyBiryukov. Fixes #61827. Built from https://develop.svn.wordpress.org/trunk@59267 git-svn-id: http://core.svn.wordpress.org/trunk@58659 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/comment.php | 7 ++++++-
 wp-includes/version.php | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/wp-includes/comment.php b/wp-includes/comment.php
index b14e49d117..d1dacf243e 100644
--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -2277,9 +2277,14 @@ function wp_new_comment( $commentdata, $wp_error = false ) {
 $commentdata['comment_type'] = 'comment';
 }

+ $commentdata['comment_approved'] = wp_allow_comment( $commentdata, $wp_error );
+
 $commentdata = wp_filter_comment( $commentdata );

- $commentdata['comment_approved'] = wp_allow_comment( $commentdata, $wp_error );
+ if ( ! in_array( $commentdata['comment_approved'], array( 'trash', 'spam' ), true ) ) {
+ // Validate the comment again after filters are applied to comment data.
+ $commentdata['comment_approved'] = wp_allow_comment( $commentdata, $wp_error );
+ }

 if ( is_wp_error( $commentdata['comment_approved'] ) ) {
 return $commentdata['comment_approved'];
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 5082967083..976313b307 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
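Review bot: In `wp_new_comment()` (wp-includes/comment.php), the result of the first `wp_allow_comment()` call is not checked for a `WP_Error` before the data goes on to `wp_filter_comment()`. The new `in_array()` guard skips the second check only for `'trash'` and `'spam'`, so an error from the pre-filter pass is carried through filtering and then overwritten by the second call. The existing `is_wp_error( $commentdata['comment_approved'] )` check shows this value can be an error, so returning right after the first call would preserve that verdict: `if ( is_wp_error( $commentdata['comment_approved'] ) ) { return $commentdata['comment_approved']; }`. Every comment that is not trashed or marked as spam now passes through `wp_allow_comment()` twice, so any hooks or duplicate/flood checks it runs (not visible in this hunk) presumably fire twice per submission; the inline comment could say so, or the second pass could be limited to the disallowed-keys check. The function body starts and ends outside the hunk.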
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.7-beta3-59266';
+$wp_version = '6.7-beta3-59267';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.