From 87e7b4455d98dc57f227f7f86e7884fdb00ea8b8 Mon Sep 17 00:00:00 2001 From: Rachel Baker Date: Wed, 13 Jan 2016 01:25:26 +0000 Subject: [PATCH] Comments: Restrict the maximum characters for input fields within the comments template. Added hardcoded maxlength attributes on the author, author_email, author_url, and comment_field input markup. These can be modified via the comment_form_defaults filter. Added logic in wp_handle_comment_submission() to return a WP_Error when the comment_author, comment_author_url, or comment_content values exceed the max length of their columns. Introduces wp_get_comment_column_max_length() which returns the max column length for a given column name, and is filterable. Unit tests included for the error conditions in wp_handle_comment_submission() Fixes #10377. Props westonruter rachelbaker. Built from https://develop.svn.wordpress.org/trunk@36272 git-svn-id: http://core.svn.wordpress.org/trunk@36239 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/comment-template.php | 8 ++--- wp-includes/comment.php | 51 ++++++++++++++++++++++++++++++++ wp-includes/version.php | 2 +- 3 files changed, 56 insertions(+), 5 deletions(-) diff --git a/wp-includes/comment-template.php b/wp-includes/comment-template.php index e1dbd241ef..523422e7df 100644 --- a/wp-includes/comment-template.php +++ b/wp-includes/comment-template.php @@ -2099,11 +2099,11 @@ function comment_form( $args = array(), $post_id = null ) { $html5 = 'html5' === $args['format']; $fields = array( 'author' => '

' . ' ' . - '

', + '

', 'email' => '

' . - '

', + '

', 'url' => '

' . - '

', + '

', ); $required_text = sprintf( ' ' . __('Required fields are marked %s'), '*' ); @@ -2118,7 +2118,7 @@ function comment_form( $args = array(), $post_id = null ) { $fields = apply_filters( 'comment_form_default_fields', $fields ); $defaults = array( 'fields' => $fields, - 'comment_field' => '

', + 'comment_field' => '

', /** This filter is documented in wp-includes/link-template.php */ 'must_log_in' => '

' . sprintf( __( 'You must be logged in to post a comment.' ), wp_login_url( apply_filters( 'the_permalink', get_permalink( $post_id ) ) ) ) . '

', /** This filter is documented in wp-includes/link-template.php */
diff --git a/wp-includes/comment.php b/wp-includes/comment.php
index 41c586c60f..b9d084c997 100644
--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -947,6 +947,43 @@ function get_page_of_comment( $comment_ID, $args = array() ) {
 return apply_filters( 'get_page_of_comment', (int) $page, $args, $original_args );
 }
 
+/**
+ * Calculate the maximum character length of a column from the comments table.
+ *
+ * @since 4.5.0
+ *
+ * @global wpdb $wpdb WordPress database abstraction object.
+ *
+ * @param string $column Name of a column in the comments table.
+ * @return int Maximum column character length.
+ */
+function wp_get_comment_column_max_length( $column ) {
+ global $wpdb;
+
+ $col_length = $wpdb->get_col_length( $wpdb->comments, $column );
+ if ( ! is_array( $col_length ) && (int) $col_length > 0 ) {
+ $max_length = (int) $col_length;
+ } elseif ( is_array( $col_length ) && isset( $col_length['length'] ) && intval( $col_length['length'] ) > 0 ) {
+ $max_length = (int) $col_length['length'];
+ } else {
+ $max_length = 255;
+ }
+
+ if ( ! empty( $col_length['type'] ) && 'byte' === $col_length['type'] ) {
+ $max_length = $max_length - 10;
+ }
+
+ /**
+ * Filters the calculated length for a given column of the comments table.
+ *
+ * @since 4.5.0
+ *
+ * @param int $max_length Maximum column character length.
+ * @param string $column Column name.
+ */
+ return apply_filters( 'wp_get_comment_column_max_length', $max_length, $column );
+}
+
 /**
 * Does comment contain blacklisted characters or words.
 *
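Review bot: In `wp_get_comment_column_max_length()` the first branch accepts any non-array return whose `(int)` cast is positive, so if `$wpdb->get_col_length()` can hand back an error object (its definition is not part of this diff; core documents a WP_Error return on failure), the cast yields 1 and every field longer than one byte would be rejected, and the later `$col_length['type']` read would then run against that object. Testing `is_wp_error( $col_length )` first and falling through to the 255 default would avoid both. The `- 10` applied to byte-typed columns is unexplained; if the intent is headroom against truncation on insert, say so in a comment such as `// Keep a margin below the byte limit so multi-byte input is not truncated on insert.`. The filter can also return a value larger than the real column width, which would let oversized input reach the database again, so its docblock should state that the filtered value must not exceed the column length.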
@@ -2778,8 +2815,22 @@ function wp_handle_comment_submission( $comment_data ) {
 }
 }
 
+ if ( isset( $comment_author ) && wp_get_comment_column_max_length( 'comment_author' ) < mb_strlen( $comment_author, '8bit' ) ) {
+ return new WP_Error( 'comment_author_column_length', __( 'ERROR: your name is too long.' ), 200 );
+ }
+
+ if ( isset( $comment_author_email ) && wp_get_comment_column_max_length( 'comment_author_email' ) < strlen( $comment_author_email ) ) {
+ return new WP_Error( 'comment_author_email_column_length', __( 'ERROR: your email address is too long.' ), 200 );
+ }
+
+ if ( isset( $comment_author_url ) && wp_get_comment_column_max_length( 'comment_author_url' ) < strlen( $comment_author_url ) ) {
+ return new WP_Error( 'comment_author_url_column_length', __( 'ERROR: your url is too long.' ), 200 );
+ }
+
 if ( '' == $comment_content ) {
 return new WP_Error( 'require_valid_comment', __( 'ERROR: please type a comment.' ), 200 );
+ } elseif ( wp_get_comment_column_max_length( 'comment_content' ) < mb_strlen( $comment_content, '8bit' ) ) {
+ return new WP_Error( 'comment_content_column_length', __( 'ERROR: your comment is too long.' ), 200 );
 }
 
 $commentdata = compact(
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 94022f2feb..a0bc70adc9 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.5-alpha-36271';
+$wp_version = '4.5-alpha-36272';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
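Review bot: The four new length checks in `wp_handle_comment_submission()` always measure bytes (`mb_strlen( …, '8bit' )` or `strlen()`), while `wp_get_comment_column_max_length()` only treats the limit as a byte count when the column type is `'byte'`, so for character-typed columns a multi-byte name or comment is rejected well before the column is full. That fails closed, so it is safe, but it should be stated above the first check, for example `// Lengths are compared in bytes, which is stricter than needed for character-typed columns.`, and the mix of `mb_strlen( …, '8bit' )` and `strlen()` should be made uniform. The comparisons run on the values as submitted; whether later filtering on the insert path can lengthen them is not visible in this hunk, and if it can, the limit needs to be enforced again after filtering. The function body starts and ends outside the hunk.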