[wp-trac] [WordPress Trac] #8517: Regex Failure in check_comment()
WordPress Trac
wp-trac at lists.automattic.com
Sat Dec 6 22:32:37 GMT 2008
#8517: Regex Failure in check_comment()
-----------------------------+----------------------------------------------
Reporter: miqrogroove | Owner: ryan
Type: defect | Status: new
Priority: highest omg bbq | Milestone: 2.7
Component: Security | Version: 2.6.1
Severity: major | Keywords: miqrogroove, spam, blogyul, security
-----------------------------+----------------------------------------------
"Hold a comment in the queue if it contains 1 or more links." This
setting does not work. Comments with links are being posted without
moderation.
At the top of comment.php, WordPress is using the wrong regex:
"|(href\t*?=\t*?['\"]?)?(https?:)?//|i"
This is the wrong pattern because WordPress is much more liberal about
displaying links in comments.
default-filters.php calls

    add_filter('comment_text', 'make_clickable', 9);

And in formatting.php we have

    function make_clickable($ret) {
        $ret = ' ' . $ret;
        // in testing, using arrays here was found to be faster
        $ret = preg_replace_callback('#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', '_make_url_clickable_cb', $ret);
        $ret = preg_replace_callback('#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', '_make_web_ftp_clickable_cb', $ret);
        $ret = preg_replace_callback('#([\s>])([.0-9a-z_+-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,})#i', '_make_email_clickable_cb', $ret);
        // this one is not in an array because we need it to run last, for cleanup of accidental links within links
        // (the <a ...> and </a> tags in this pattern were stripped by the list archive and are restored here)
        $ret = preg_replace("#(<a( [^>]+?>|>))<a [^>]+?>([^>]+?)</a></a>#i", "$1$3</a>", $ret);
        $ret = trim($ret);
        return $ret;
    }
Now contrast this against the filter being used by check_comment(), which
is only "|(href\t*?=\t*?['\"]?)?(https?:)?//|i"
Copied from http://wordpress.org/support/topic/222956
--
Ticket URL: <http://trac.wordpress.org/ticket/8517>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
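The mismatch the ticket describes can be checked mechanically: count the links the check_comment() pattern sees and compare that with the links make_clickable() would render for the same text. The following is an added illustration, not WordPress code; it ports the two sets of PCRE patterns quoted above to Python's re module (PCRE and Python re agree on these constructs) and uses hypothetical helper names (count_links_check_comment, count_links_make_clickable, would_bypass_moderation) and constructed sample comments.

```python
import re

# check_comment() link-detection pattern from WordPress 2.6.1 (quoted in the
# ticket), ported to Python re. It only sees a "//" that is optionally
# preceded by an href= attribute and/or http(s):.
CHECK_COMMENT_LINK_RE = re.compile(r"(href\t*?=\t*?['\"]?)?(https?:)?//", re.I)

# The three auto-linking patterns from make_clickable() in formatting.php,
# ported to Python re. Each requires whitespace or '>' before the link, which
# is why make_clickable() prepends a space to the text.
MAKE_CLICKABLE_RES = [
    # scheme://...  (any scheme, not just http/https)
    re.compile(r"([\s>])([\w]+?://[\w#$%&~/.\-;:=,?@\[\]+]*)", re.I | re.S),
    # bare www.example.com / ftp.example.com
    re.compile(r"([\s>])((www|ftp)\.[\w#$%&~/.\-;:=,?@\[\]+]*)", re.I | re.S),
    # bare e-mail addresses (become mailto: links)
    re.compile(r"([\s>])([.0-9a-z_+-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,})", re.I),
]


def count_links_check_comment(comment: str) -> int:
    """Links as counted by the check_comment() regex (hypothetical helper)."""
    return len(CHECK_COMMENT_LINK_RE.findall(comment))


def count_links_make_clickable(comment: str) -> int:
    """Links make_clickable() would render for the same text (hypothetical helper).

    Mirrors make_clickable(): prefix a space so a link at offset 0 still
    matches, then apply the three patterns in order. Each match is blanked
    out before the next pattern runs so a looser pattern does not count the
    same link twice (make_clickable() itself relies on its final cleanup
    regex for that).
    """
    text = " " + comment
    total = 0
    for pattern in MAKE_CLICKABLE_RES:
        total += len(pattern.findall(text))
        text = pattern.sub(r"\1", text)  # keep the leading whitespace/'>' only
    return total


def would_bypass_moderation(comment: str, max_links: int = 1) -> bool:
    """True when the rendered comment has >= max_links clickable links but
    the check_comment() regex counts fewer, i.e. the gap the ticket reports.
    max_links mirrors the "Hold a comment ... 1 or more links" setting."""
    return (count_links_make_clickable(comment) >= max_links
            and count_links_check_comment(comment) < max_links)


if __name__ == "__main__":
    # Constructed sample comments, not real submissions.
    samples = [
        "check out www.example.com for deals",      # bare www: rendered, not counted
        "mail me at someone@example.org",           # e-mail: rendered, not counted
        "grab it from ftp://example.com/files",     # "//" present: counted
        "http://a.com and http://b.com",            # both counted
    ]
    for s in samples:
        print(f"{s!r}: check_comment={count_links_check_comment(s)} "
              f"make_clickable={count_links_make_clickable(s)} "
              f"bypass={would_bypass_moderation(s)}")
```

Running this shows that bare www.* hosts and e-mail addresses render as links while the moderation regex counts zero for them, whereas any URL containing "//" (including ftp://) is caught; aligning the moderation check with the make_clickable() patterns, rather than with "//" alone, is what closes the gap.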