Address PR review feedback for emoji support

- Validate emoji downloads are actual images using wp_get_image_mime()
- Handle wp_mkdir_p() failure by cleaning up temp file
- Use glob for timestamp comparison to handle webp-optimized files
- Add unslash/re-slash in prepare_comment_data() to avoid escaping img attributes
- Add test for download failure handling

Author: obenland

includes/class-attachments.php

@@ -194,9 +194,10 @@ public static function import_emoji( $emoji_url, $updated = null ) {
 			// Compare timestamps - re-download if remote is newer.
 			$paths       = self::get_emoji_storage_paths( $emoji_url );
 			$url_path    = \wp_parse_url( $emoji_url, PHP_URL_PATH );
-			$file_name   = \sanitize_file_name( \basename( $url_path ) );
-			$file_path   = $paths['basedir'] . '/' . $file_name;
-			$local_time  = \file_exists( $file_path ) ? \filemtime( $file_path ) : 0;
+			$file_stem   = \sanitize_file_name( \pathinfo( $url_path, PATHINFO_FILENAME ) );
+			$matches     = \glob( $paths['basedir'] . '/' . $file_stem . '.*' );
+			$file_path   = ( $matches && \is_file( $matches[0] ) ) ? $matches[0] : null;
+			$local_time  = $file_path ? \filemtime( $file_path ) : 0;
 			$remote_time = \strtotime( $updated );
 
 			if ( $remote_time && $local_time >= $remote_time ) {
@@ -214,11 +215,19 @@ public static function import_emoji( $emoji_url, $updated = null ) {
 			return false;
 		}
 
+		if ( ! \wp_get_image_mime( $tmp_file ) ) {
+			\wp_delete_file( $tmp_file );
+			return false;
+		}
+
 		// Get storage paths for this emoji.
 		$paths = self::get_emoji_storage_paths( $emoji_url );
 
 		// Create directory if it doesn't exist.
-		\wp_mkdir_p( $paths['basedir'] );
+		if ( ! \wp_mkdir_p( $paths['basedir'] ) ) {
+			\wp_delete_file( $tmp_file );
+			return false;
+		}
 
 		// Generate filename from URL path (consistent with get_emoji_url lookup).
 		$url_path  = \wp_parse_url( $emoji_url, PHP_URL_PATH );

includes/class-emoji.php

@@ -26,7 +26,10 @@ class Emoji {
 	public static function prepare_comment_data( $comment_data, $activity ) {
 		// Replace emoji in content at insert-time.
 		if ( ! empty( $comment_data['comment_content'] ) && ! empty( $activity['object'] ) ) {
-			$comment_data['comment_content'] = self::replace_custom_emoji( $comment_data['comment_content'], $activity['object'] );
+			// Unslash, replace emoji, then re-slash to avoid escaping img tag attributes.
+			$content                         = \wp_unslash( $comment_data['comment_content'] );
+			$content                         = self::replace_custom_emoji( $content, $activity['object'] );
+			$comment_data['comment_content'] = \addslashes( $content );
 		}
 
 		return $comment_data;

tests/phpunit/tests/includes/class-test-attachments.php

@@ -1304,4 +1304,25 @@ public function test_import_emoji_returns_false_for_invalid_url() {
 		$this->assertFalse( Attachments::import_emoji( '' ) );
 		$this->assertFalse( Attachments::import_emoji( 'not-a-url' ) );
 	}
+
+	/**
+	 * Test emoji import returns false when download fails.
+	 *
+	 * @covers ::import_emoji
+	 */
+	public function test_import_emoji_returns_false_on_download_failure() {
+		$emoji_url = 'https://example.com/emoji/download-fail.png';
+
+		// Mock a failed HTTP request.
+		$fail_download = function () {
+			return new \WP_Error( 'http_request_failed', 'Connection failed' );
+		};
+		\add_filter( 'pre_http_request', $fail_download );
+
+		$result = Attachments::import_emoji( $emoji_url );
+
+		\remove_filter( 'pre_http_request', $fail_download );
+
+		$this->assertFalse( $result );
+	}
 }