From 4fb60ce69023d67a957a667cdf91e757a9617714 Mon Sep 17 00:00:00 2001
From: ryan
Date: Wed, 1 Mar 2006 21:17:34 +0000
Subject: [PATCH] Sanitize comment coookies.

git-svn-id: http://svn.automattic.com/wordpress/branches/2.0@3584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-comments-post.php | 11 ++++++-----
 wp-includes/comment-functions.php | 22 +++++++++++++++++++---
 2 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/wp-comments-post.php b/wp-comments-post.php
index e0d95a4055..953de6848b 100644
--- a/wp-comments-post.php
+++ b/wp-comments-post.php
@@ -48,16 +48,17 @@ if ( '' == $comment_content )
 $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type', 'user_ID');
-wp_new_comment( $commentdata );
+$comment_id = wp_new_comment( $commentdata );
 if ( !$user_ID ) :
- setcookie('comment_author_' . COOKIEHASH, stripslashes($comment_author), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
- setcookie('comment_author_email_' . COOKIEHASH, stripslashes($comment_author_email), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
- setcookie('comment_author_url_' . COOKIEHASH, stripslashes($comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
+ $comment = get_comment($comment_id);
+ setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
+ setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
+ setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
 endif;
 $location = ( empty( $_POST['redirect_to'] ) ) ? get_permalink( $comment_post_ID ) : $_POST['redirect_to'];
 wp_redirect( $location );
-?>
\ No newline at end of file
+?>
diff --git a/wp-includes/comment-functions.php b/wp-includes/comment-functions.php
index 8b9c30e5af..eed5a611cf 100644
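Review bot: The new `$comment = get_comment($comment_id);` is dereferenced unconditionally, so if wp_new_comment() hands back a falsy or unknown id (what it returns on a failed insert is not visible in this hunk) the three setcookie() calls operate on a null `$comment`, raise notices and write empty cookies to the browser. Guard the cookie block on the lookup succeeding, e.g. `if ( !$user_ID && ( $comment = get_comment( $comment_id ) ) ) :`, keeping clean_url() on the URL value as done here. Separately, the context line `$location = ... : $_POST['redirect_to'];` still hands an unvalidated user-supplied URL to wp_redirect(); unless wp_redirect() restricts the target host (not shown in this hunk) that is an open redirect the commit leaves in place.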
--- a/wp-includes/comment-functions.php
+++ b/wp-includes/comment-functions.php
@@ -7,9 +7,25 @@ function comments_template( $file = '/comments.php' ) {
 if ( is_single() || is_page() || $withcomments ) :
 $req = get_settings('require_name_email');
-$comment_author = isset($_COOKIE['comment_author_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_'.COOKIEHASH])) : '';
-$comment_author_email = isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_email_'.COOKIEHASH])) : '';
-$comment_author_url = isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ? trim(stripslashes($_COOKIE['comment_author_url_'.COOKIEHASH])) : '';
+$comment_author = '';
+if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
+ $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
+ $comment_author = stripslashes($comment_author);
+ $comment_author = wp_specialchars($comment_author, true);
+}
+$comment_author_email = '';
+if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
+ $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
+ $comment_author_email = stripslashes($comment_author_email);
+ $comment_author_email = wp_specialchars($comment_author_email, true);
+}
+$comment_author_url = '';
+if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
+ $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
+ $comment_author_url = stripslashes($comment_author_url);
+ $comment_author_url = wp_specialchars($comment_author_url, true);
+}
+
 if ( empty($comment_author) ) {
 $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date");
 } else {
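Review bot: The rewrite drops the trim() that the removed lines applied, so a cookie holding only whitespace now passes through wp_specialchars() unchanged and `empty($comment_author)` no longer catches it, sending the request down the else branch with a blank author; nothing in this hunk shows that the `pre_comment_author_*` filters trim, so the old behaviour is not guaranteed. Keep it explicit, e.g. `$comment_author = trim(stripslashes($comment_author));` and the same in the email and URL blocks. Sanitisation of the URL on this read side likewise depends entirely on what is hooked to `pre_comment_author_url`; wp_specialchars() only entity-encodes, so a `javascript:` value in the cookie would survive if that filter chain does not reject it — consider applying clean_url() here as the write side in wp-comments-post.php does. The three blocks differ only in cookie suffix and filter name and would read better as one small helper called three times. comments_template() begins before and continues past this hunk.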