diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
index e6f79203fb..3eb8737578 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -520,7 +520,7 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 		 */
 		$prepared_comment = apply_filters( 'rest_pre_insert_comment', $prepared_comment, $request );
 
-		$comment_id = wp_insert_comment( $prepared_comment );
+		$comment_id = wp_insert_comment( wp_filter_comment( wp_slash( (array) $prepared_comment ) ) );
 
 		if ( ! $comment_id ) {
 			return new WP_Error( 'rest_comment_failed_create', __( 'Creating comment failed.' ), array( 'status' => 500 ) );
@@ -644,7 +644,7 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 			return new WP_Error( $error_code, __( 'Comment field exceeds maximum length allowed.' ), array( 'status' => 400 ) );
 		}
 
-		$updated = wp_update_comment( $prepared_args );
+		$updated = wp_update_comment( wp_slash( (array) $prepared_args ) );
 
 		if ( 0 === $updated ) {
 			return new WP_Error( 'rest_comment_failed_edit', __( 'Updating comment failed.' ), array( 'status' => 500 ) );
@@ -995,9 +995,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 		 * the 'content.raw' properties of the Request object.
 		 */
 		if ( isset( $request['content'] ) && is_string( $request['content'] ) ) {
-			$prepared_comment['comment_content'] = wp_filter_kses( $request['content'] );
+			$prepared_comment['comment_content'] = $request['content'];
 		} elseif ( isset( $request['content']['raw'] ) && is_string( $request['content']['raw'] ) ) {
-			$prepared_comment['comment_content'] = wp_filter_kses( $request['content']['raw'] );
+			$prepared_comment['comment_content'] = $request['content']['raw'];
 		}
 
 		if ( isset( $request['post'] ) ) {
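Review bot: The third hunk drops wp_filter_kses() from prepare_item_for_database(), so its return value now carries unsanitized comment_content, and nothing in that method says so; the docblock ending at `* the 'content.raw' properties of the Request object.` should state that the content is stored raw here and that KSES/pre_comment_* filtering is deferred to wp_filter_comment() in create_item() and to wp_update_comment() in update_item(), so a future caller does not treat this array as safe. A consequence worth recording is that the `rest_pre_insert_comment` filter in the first hunk now runs before sanitization and on unslashed data, which presumably changes what its callbacks observe compared with the previous code; that filter's docblock sits above the hunk. In the first hunk the explicit wp_filter_comment() call is easy to mistake for redundancy since the update path relies on wp_update_comment() doing it internally, so a one-line comment would protect it: `// wp_insert_comment() does not filter; run wp_filter_comment() here on slashed data, as wp_update_comment() does itself.` All three enclosing methods start and end outside their hunks.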
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 7379c1ed21..43e8292d0d 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.7-beta2-39156';
+$wp_version = '4.7-beta2-39157';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.