From 179e9f20b6d044af5b20a473c840b6a29ec9e123 Mon Sep 17 00:00:00 2001
From: Rachel Baker
Date: Fri, 2 Dec 2016 22:44:42 +0000
Subject: [PATCH] REST API: Fix bug where comment author and author email could be an empty string when creating a comment. If the `require_name_email` option is true, creating a comment with an empty string for the author name or email should not be accepted. Both values can be an empty string on update. Props flixos90, hnle, dd32, rachelbaker, jnylen0, ChopinBach, joehoyle, pento. Fixes #38971. Built from https://develop.svn.wordpress.org/trunk@39444 git-svn-id: http://core.svn.wordpress.org/trunk@39384 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../class-wp-rest-comments-controller.php | 43 +++++++++++++++----
 wp-includes/version.php | 2 +-
 2 files changed, 35 insertions(+), 10 deletions(-)
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
index b07ced4458..9fe4f90e52 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -508,17 +508,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 // Honor the discussion setting that requires a name and email address of the comment author.
 if ( get_option( 'require_name_email' ) ) {
- if ( ! isset( $prepared_comment['comment_author'] ) && ! isset( $prepared_comment['comment_author_email'] ) ) {
+ if ( empty( $prepared_comment['comment_author'] ) || empty( $prepared_comment['comment_author_email'] ) ) {
 return new WP_Error( 'rest_comment_author_data_required', __( 'Creating a comment requires valid author name and email values.' ), array( 'status' => 400 ) );
 }
-
- if ( ! isset( $prepared_comment['comment_author'] ) ) {
- return new WP_Error( 'rest_comment_author_required', __( 'Creating a comment requires a valid author name.' ), array( 'status' => 400 ) );
- }
-
- if ( ! isset( $prepared_comment['comment_author_email'] ) ) {
- return new WP_Error( 'rest_comment_author_email_required', __( 'Creating a comment requires a valid author email.' ), array( 'status' => 400 ) );
- }
 }
 if ( ! isset( $prepared_comment['comment_author_email'] ) ) {
@@ -1155,6 +1147,10 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 'type' => 'string',
 'format' => 'email',
 'context' => array( 'edit' ),
+ 'arg_options' => array(
+ 'sanitize_callback' => array( $this, 'check_comment_author_email' ),
+ 'validate_callback' => null, // skip built-in validation of 'email'.
+ ),
 ),
 'author_ip' => array(
 'description' => __( 'IP address for the object author.' ),
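Review bot: The new `empty()` guard in the `require_name_email` branch does not test for "blank" exactly: PHP's `empty()` is true for the string `'0'` and false for a whitespace-only string, so an author name of `0` is refused while a name made only of spaces passes. Whether the values were trimmed before this point is not visible in the hunk; if they were not, an explicit test such as `! isset( $prepared_comment['comment_author'] ) || '' === trim( $prepared_comment['comment_author'] )` (and the same for the email) states the rule precisely. The consolidation also retires the `rest_comment_author_required` and `rest_comment_author_email_required` codes, so a short comment above the check noting that only `rest_comment_author_data_required` is returned now would help API clients and future maintainers. The enclosing method starts and ends outside the hunk.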
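Review bot: The inline comment on `'validate_callback' => null` says what is skipped but not where validation now happens, which makes `check_comment_author_email()` the only guard on the author email for this endpoint. That arrangement depends on a `WP_Error` returned from a sanitize callback rejecting the request, which cannot be confirmed from this hunk and deserves a test. I would expand the comment to `// Validation is done by check_comment_author_email() so that '' is accepted on update.` so a later change to the sanitize callback does not silently drop email validation. The schema array starts and ends outside the hunk.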
@@ -1581,4 +1577,33 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 return current_user_can( 'edit_comment', $comment->comment_ID );
 }
+
+ /**
+ * Checks a comment author email for validity.
+ *
+ * Accepts either a valid email address or empty string as a valid comment
+ * author email address. Setting the comment author email to an empty
+ * string is allowed when a comment is being updated.
+ *
+ * @since 4.7.0
+ *
+ * @param string $value Author email value submitted.
+ * @param WP_REST_Request $request Full details about the request.
+ * @param string $param The parameter name.
+ * @return WP_Error|string The sanitized email address, if valid,
+ * otherwise an error.
+ */
+ public function check_comment_author_email( $value, $request, $param ) {
+ $email = (string) $value;
+ if ( empty( $email ) ) {
+ return $email;
+ }
+
+ $check_email = rest_validate_request_arg( $email, $request, $param );
+ if ( is_wp_error( $check_email ) ) {
+ return $check_email;
+ }
+
+ return $email;
+ }
 }
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 04c1ec1cb6..3caae80309 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.8-alpha-39443';
+$wp_version = '4.8-alpha-39444';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
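Review bot: In `check_comment_author_email()`, `empty( $email )` is also true for the string `'0'`, so a submitted value of `0` is returned as an accepted author email without ever reaching `rest_validate_request_arg()`. Comparing against the empty string keeps the documented "valid address or empty string" contract: `if ( '' === $email ) {`. The `@return` text promises a sanitized address, but the method returns the cast input unchanged. The docblock should either say the value is returned unmodified or name where sanitization actually takes place, which is not visible in this hunk.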