More comment cookie sanitation.
git-svn-id: http://svn.automattic.com/wordpress/trunk@3577 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
6eadde74ac
commit
25c2dcac3c
|
@ -54,7 +54,7 @@ $comment = get_comment($comment_id);
|
|||
if ( !$user->ID ) :
|
||||
setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
|
||||
setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
|
||||
setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->$comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
|
||||
setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
|
||||
endif;
|
||||
|
||||
$location = ( empty( $_POST['redirect_to'] ) ) ? get_permalink( $comment_post_ID ) : $_POST['redirect_to'];
|
||||
|
|
|
@ -7,9 +7,25 @@ function comments_template( $file = '/comments.php' ) {
|
|||
|
||||
if ( is_single() || is_page() || $withcomments ) :
|
||||
$req = get_settings('require_name_email');
|
||||
$comment_author = isset($_COOKIE['comment_author_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_'.COOKIEHASH])) : '';
|
||||
$comment_author_email = isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_email_'.COOKIEHASH])) : '';
|
||||
$comment_author_url = isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_url_'.COOKIEHASH])) : '';
|
||||
$comment_author = '';
|
||||
if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
|
||||
$comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
|
||||
$comment_author = stripslashes($comment_author);
|
||||
$comment_author = wp_specialchars($comment_author, true);
|
||||
}
|
||||
$comment_author_email = '';
|
||||
if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
|
||||
$comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
|
||||
$comment_author_email = stripslashes($comment_author_email);
|
||||
$comment_author_email = wp_specialchars($comment_author_email, true);
|
||||
}
|
||||
$comment_author_url = '';
|
||||
if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
|
||||
$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
|
||||
$comment_author_url = stripslashes($comment_author_url);
|
||||
$comment_author_url = wp_specialchars($comment_author_url, true);
|
||||
}
|
||||
|
||||
if ( empty($comment_author) ) {
|
||||
$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date");
|
||||
} else {
|
||||
|
|
|
@ -24,10 +24,8 @@ add_filter('pre_comment_author_url', 'strip_tags');
|
|||
add_filter('pre_comment_author_url', 'trim');
|
||||
add_filter('pre_comment_author_url', 'clean_url');
|
||||
|
||||
add_filter('pre_comment_content', 'stripslashes', 1);
|
||||
add_filter('pre_comment_content', 'wp_rel_nofollow', 15);
|
||||
add_filter('pre_comment_content', 'balanceTags', 30);
|
||||
add_filter('pre_comment_content', 'addslashes', 50);
|
||||
|
||||
add_filter('pre_comment_author_name', 'wp_filter_kses');
|
||||
add_filter('pre_comment_author_email', 'wp_filter_kses');
|
||||
|
|
|
@ -579,7 +579,11 @@ function make_clickable($ret) {
|
|||
}
|
||||
|
||||
function wp_rel_nofollow( $text ) {
|
||||
global $wpdb;
|
||||
// This is a pre save filter, so text is already escaped.
|
||||
$text = stripslashes($text);
|
||||
$text = preg_replace('|<a (.+?)>|i', '<a $1 rel="nofollow">', $text);
|
||||
$text = $wpdb->escape($text);
|
||||
return $text;
|
||||
}
|
||||
|
||||
|
|
|
@ -531,14 +531,6 @@ function kses_init_filters() {
|
|||
|
||||
// Post filtering
|
||||
add_filter('content_save_pre', 'wp_filter_post_kses');
|
||||
|
||||
// Strip all html.
|
||||
add_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');
|
||||
add_filter('pre_comment_author_url', 'wp_filter_nohtml_kses');
|
||||
add_filter('pre_comment_author_email', 'wp_filter_nohtml_kses');
|
||||
add_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');
|
||||
add_filter('pre_comment_user_agent', 'wp_filter_nohtml_kses');
|
||||
add_filter('pre_user_id', 'wp_filter_nohtml_kses');
|
||||
}
|
||||
|
||||
function kses_remove_filters() {
|
||||
|
@ -548,14 +540,6 @@ function kses_remove_filters() {
|
|||
|
||||
// Post filtering
|
||||
remove_filter('content_save_pre', 'wp_filter_post_kses');
|
||||
|
||||
// Strip all html.
|
||||
remove_filter('pre_comment_author_name', 'wp_filter_nohtml_kses');
|
||||
remove_filter('pre_comment_author_url', 'wp_filter_nohtml_kses');
|
||||
remove_filter('pre_comment_author_email', 'wp_filter_nohtml_kses');
|
||||
remove_filter('pre_comment_user_ip', 'wp_filter_nohtml_kses');
|
||||
remove_filter('pre_comment_user_agent', 'wp_filter_nohtml_kses');
|
||||
remove_filter('pre_user_id', 'wp_filter_nohtml_kses');
|
||||
}
|
||||
|
||||
function kses_init() {
|
||||
|
|
Loading…
Reference in New Issue