[wp-trac] [WordPress Trac] #28323: Incorrect HTML tag filtering in get_comments function.

WordPress Trac noreply at wordpress.org
Wed May 21 10:32:50 UTC 2014


#28323: Incorrect HTML tag filtering in get_comments function.
--------------------------+-----------------------------
 Reporter:  Rextc         |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Comments      |    Version:  3.9.1
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 When a guest or normal user posts a comment ending with open HTML tags,
 they are not properly closed if comments are shown using the
 get_comments() function. This does not occur when using the
 wp_list_comments() function.

 Example:
 Using get_comments(), the following <a> is not properly closed:
 {{{
 This is a great article.<a href="url to malicious site"><del>
 }}}

 This causes all the elements below that comment to become a link to the
 malicious site. The code being used to show these comments is outlined
 below.

 {{{
     <div id="comments">
         <?php
             $comments = get_comments(array("post_id" => get_the_ID(), 'order' => 'ASC'));
             foreach ($comments as $comment) :
         ?>
         <div class="comment"><?php echo $comment->comment_content; ?></div>
         <?php endforeach; ?>
     </div>
 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/28323>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
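Added illustration (not part of the ticket and not WordPress core code): the reporter's loop beside a version that sends each comment through comment_text(), the same 'comment_text' filter chain wp_list_comments() runs, so unclosed tags are balanced inside the comment before it is echoed. Function names prefixed example_ are hypothetical; get_comments(), comment_text(), force_balance_tags() and get_the_ID() are WordPress core functions assumed to be available in a theme template (WordPress 3.9-era signatures).

```php
<?php
// Added example, not from the ticket or from WordPress core. Assumes it runs
// inside a WordPress theme template where the core functions used below exist.

// BEFORE (the pattern reported in the ticket): comment_content is echoed raw.
// No output filter runs, so a comment ending in <a href="..."><del> leaves two
// tags open and everything after it on the page is wrapped in that link.
function example_unfiltered_comments_loop() {
    $comments = get_comments( array( 'post_id' => get_the_ID(), 'order' => 'ASC' ) );
    foreach ( $comments as $comment ) {
        echo '<div class="comment">' . $comment->comment_content . '</div>';
    }
}

// AFTER: comment_text( $comment_ID ) applies the 'comment_text' filters. Core
// hooks force_balance_tags() onto that filter by default (alongside wptexturize,
// make_clickable, wpautop and friends), so a dangling <a> or <del> is closed
// within the comment's own markup. The ID is passed explicitly because the loop
// variable does not set the global $comment that comment_text() otherwise reads.
function example_filtered_comments_loop() {
    $comments = get_comments( array( 'post_id' => get_the_ID(), 'order' => 'ASC' ) );
    foreach ( $comments as $comment ) {
        echo '<div class="comment">';
        comment_text( $comment->comment_ID );
        echo '</div>';
    }
}

// If the raw string has to be handled by hand (stored, cached, rendered outside
// the loop), balance it before output. This is the part of the filter chain that
// keeps an unclosed tag from escaping the comment's container.
function example_balance_single_comment( $raw ) {
    return force_balance_tags( $raw );
}

// Constructed sample taken from the ticket's description, not real site data.
$sample = 'This is a great article.<a href="url to malicious site"><del>';
echo example_balance_single_comment( $sample );
```

Two caveats worth keeping in mind. force_balance_tags() only closes and reorders tags; which tags and attributes a comment may contain at all is decided at save time by the kses filter on pre_comment_content for users without unfiltered_html, and <a href> and <del> are on the default allow list for comments, which is why balancing at output is the relevant control here. And get_comments() itself is a data-access function, not a rendering one: any theme that prints its result is responsible for applying the output filters, which wp_list_comments() does on the theme's behalf.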