Comments: Apply kses when editing comments.

Props davidbaumwald, xknown, peterwilsoncc, paulkevan.


git-svn-id: https://develop.svn.wordpress.org/trunk@54527 602fd350-edb4-49c9-b593-d223f7449a82

Author: audrasjb

src/wp-includes/comment.php

@@ -2499,6 +2499,15 @@ function wp_update_comment( $commentarr, $wp_error = false ) {
 		}
 	}
 
+	$filter_comment = false;
+	if ( ! has_filter( 'pre_comment_content', 'wp_filter_kses' ) ) {
+		$filter_comment = ! user_can( isset( $comment['user_id'] ) ? $comment['user_id'] : 0, 'unfiltered_html' );
+	}
+
+	if ( $filter_comment ) {
+		add_filter( 'pre_comment_content', 'wp_filter_kses' );
+	}
+
 	// Escape data pulled from DB.
 	$comment = wp_slash( $comment );
 
@@ -2509,6 +2518,10 @@ function wp_update_comment( $commentarr, $wp_error = false ) {
 
 	$commentarr = wp_filter_comment( $commentarr );
 
+	if ( $filter_comment ) {
+		remove_filter( 'pre_comment_content', 'wp_filter_kses' );
+	}
+
 	// Now extract the merged array.
 	$data = wp_unslash( $commentarr );
 

tests/phpunit/tests/comment.php

@@ -81,6 +81,90 @@ public function test_wp_update_comment() {
 		$this->assertEquals( $post2->ID, $comment->comment_post_ID );
 	}
 
+	public function test_update_comment_from_privileged_user_by_privileged_user() {
+		$admin_id_1 = self::factory()->user->create( array( 'role' => 'administrator' ) );
+		wp_set_current_user( $admin_id_1 );
+
+		$comment_id = wp_new_comment(
+			array(
+				'comment_post_ID'      => self::$post_id,
+				'comment_author'       => 'Author',
+				'comment_author_url'   => 'http://example.localhost/',
+				'comment_author_email' => '[email protected]',
+				'user_id'              => $admin_id_1,
+				'comment_content'      => 'This is a comment',
+			)
+		);
+
+		wp_set_current_user( 0 );
+
+		$admin_id_2 = self::factory()->user->create(
+			array(
+				'role'       => 'administrator',
+				'user_login' => 'test_wp_admin_get',
+				'user_pass'  => 'password',
+				'user_email' => '[email protected]',
+			)
+		);
+
+		wp_set_current_user( $admin_id_2 );
+
+		wp_update_comment(
+			array(
+				'comment_ID'      => $comment_id,
+				'comment_content' => 'new comment <img onerror=demo src=x>',
+			)
+		);
+
+		$comment          = get_comment( $comment_id );
+		$expected_content = is_multisite()
+			? 'new comment '
+			: 'new comment <img onerror=demo src=x>';
+
+		$this->assertSame( $expected_content, $comment->comment_content );
+
+		wp_set_current_user( 0 );
+	}
+
+	public function test_update_comment_from_unprivileged_user_by_privileged_user() {
+		wp_set_current_user( self::$user_id );
+
+		$comment_id = wp_new_comment(
+			array(
+				'comment_post_ID'      => self::$post_id,
+				'comment_author'       => 'Author',
+				'comment_author_url'   => 'http://example.localhost/',
+				'comment_author_email' => '[email protected]',
+				'user_id'              => self::$user_id,
+				'comment_content'      => '<a href="http://example.localhost/something.html">click</a>',
+			)
+		);
+
+		wp_set_current_user( 0 );
+
+		$admin_id = self::factory()->user->create(
+			array(
+				'role'       => 'administrator',
+				'user_login' => 'test_wp_admin_get',
+				'user_pass'  => 'password',
+				'user_email' => '[email protected]',
+			)
+		);
+
+		wp_set_current_user( $admin_id );
+
+		wp_update_comment(
+			array(
+				'comment_ID'      => $comment_id,
+				'comment_content' => '<a href="http://example.localhost/something.html" disallowed=attribute>click</a>',
+			)
+		);
+
+		$comment = get_comment( $comment_id );
+		$this->assertEquals( '<a href="http://example.localhost/something.html" rel="nofollow ugc">click</a>', $comment->comment_content, 'Comment: ' . $comment->comment_content );
+		wp_set_current_user( 0 );
+	}
+
 	/**
 	 * @ticket 30627
 	 *

tests/phpunit/tests/rest-api/rest-comments-controller.php

@@ -2972,6 +2972,7 @@ public function test_comment_roundtrip_as_editor_unfiltered_html() {
 					'content'           => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
 					'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
 					'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+					'author'            => self::$editor_id,
 				),
 				array(
 					'content'           => array(
@@ -2980,6 +2981,7 @@ public function test_comment_roundtrip_as_editor_unfiltered_html() {
 					),
 					'author_name'       => 'div strong',
 					'author_user_agent' => 'div strong',
+					'author'            => self::$editor_id,
 				)
 			);
 		} else {
@@ -2989,6 +2991,7 @@ public function test_comment_roundtrip_as_editor_unfiltered_html() {
 					'content'           => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
 					'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
 					'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+					'author'            => self::$editor_id,
 				),
 				array(
 					'content'           => array(
@@ -2997,6 +3000,7 @@ public function test_comment_roundtrip_as_editor_unfiltered_html() {
 					),
 					'author_name'       => 'div strong',
 					'author_user_agent' => 'div strong',
+					'author'            => self::$editor_id,
 				)
 			);
 		}
@@ -3011,6 +3015,7 @@ public function test_comment_roundtrip_as_superadmin() {
 				'content'           => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
 				'author_name'       => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
 				'author_user_agent' => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
+				'author'            => self::$superadmin_id,
 			),
 			array(
 				'content'           => array(
@@ -3019,6 +3024,7 @@ public function test_comment_roundtrip_as_superadmin() {
 				),
 				'author_name'       => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
 				'author_user_agent' => '\\\&\\\ &amp; &invalid; &lt; &lt; &amp;lt;',
+				'author'            => self::$superadmin_id,
 			)
 		);
 	}
@@ -3032,6 +3038,7 @@ public function test_comment_roundtrip_as_superadmin_unfiltered_html() {
 				'content'           => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
 				'author_name'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
 				'author_user_agent' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+				'author'            => self::$superadmin_id,
 			),
 			array(
 				'content'           => array(
@@ -3040,6 +3047,7 @@ public function test_comment_roundtrip_as_superadmin_unfiltered_html() {
 				),
 				'author_name'       => 'div strong',
 				'author_user_agent' => 'div strong',
+				'author'            => self::$superadmin_id,
 			)
 		);
 	}