From efd98acd0bf3f2c42f0ffc3d8f10920e74cb8512 Mon Sep 17 00:00:00 2001
From: Jan Boddez
Date: Mon, 13 Nov 2023 10:19:35 +0100
Subject: [PATCH] Fix #493 (#497)
* Fix #493
* Fix parenthesis
* Allow `p` and `br` tags only for AP comments
---------
Co-authored-by: Matthias Pfefferle
---
 includes/rest/class-inbox.php | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/includes/rest/class-inbox.php b/includes/rest/class-inbox.php
index 9088993..2cedf15 100644
--- a/includes/rest/class-inbox.php
+++ b/includes/rest/class-inbox.php
@@ -366,7 +366,7 @@ class Inbox {
 'comment_post_ID' => $comment_post_id,
 'comment_author' => \esc_attr( $meta['name'] ),
 'comment_author_url' => \esc_url_raw( $object['actor'] ),
- 'comment_content' => \wp_filter_kses( $object['object']['content'] ),
+ 'comment_content' => addslashes( \wp_kses( $object['object']['content'], 'pre_comment_content' ) ),
 'comment_type' => 'comment',
 'comment_author_email' => '',
 'comment_parent' => 0,
@@ -391,8 +391,11 @@ class Inbox {
 } ); + \add_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ), 10, 2 ); + $state = \wp_new_comment( $commentdata, true ); + \remove_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ) ); \remove_filter( 'pre_option_require_name_email', '__return_false' ); // re-add flood control
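Review bot: The `\wp_kses( ..., 'pre_comment_content' )` call on the added `comment_content` line resolves its allow-list while `$commentdata` is being built, which (if this array sits in the same method as the second hunk, as the line numbers suggest) is before `allowed_comment_html` is hooked, so `p` and `br` would already be stripped here and the later filter has nothing left to preserve. This explicit pass is also the only one that is sure to run, because the `pre_comment_content` KSES filter inside `\wp_new_comment()` depends on the current user's `unfiltered_html` capability. Registering the filter first would cover both passes: move `\add_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ), 10, 2 );` above the `$commentdata` assignment. The unqualified `addslashes(` also departs from the `\`-prefixed calls on the neighbouring lines; `\wp_slash(` would match them. The enclosing method starts and ends outside the hunk.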
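Review bot: The add/remove pair around `\wp_new_comment()` carries no comment saying why the allow-list is widened for this one call, and the `\remove_filter()` is skipped if anything hooked into comment insertion throws. A line such as `// Temporarily allow <p>/<br> for this federated comment only; other comments keep the default KSES allow-list.` would record the intent. Wrapping the call as `try { $state = \wp_new_comment( $commentdata, true ); } finally { \remove_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ) ); }` keeps the widened list from outliving the call. The enclosing method starts and ends outside the hunk.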
@@ -483,4 +486,29 @@ class Inbox {
 return in_array( 'https://www.w3.org/ns/activitystreams#Public', $recipients, true );
 }
+
+ /**
+ * Adds line breaks to the list of allowed comment tags.
+ *
+ * @param array $allowedtags Allowed HTML tags.
+ * @param string $context Context.
+ * @return array Filtered tag list.
+ */
+ public static function allowed_comment_html( $allowedtags, $context = '' ) {
+ if ( 'pre_comment_content' !== $context ) {
+ // Do nothing.
+ return $allowedtags;
+ }
+
+ // Add `p` and `br` to the list of allowed tags.
+ if ( ! array_key_exists( 'br', $allowedtags ) ) {
+ $allowedtags['br'] = array();
+ }
+
+ if ( ! array_key_exists( 'p', $allowedtags ) ) {
+ $allowedtags['p'] = array();
+ }
+
+ return $allowedtags;
+ }
 }
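Review bot: The docblock summary on `allowed_comment_html` says it adds line breaks, but the method adds both `p` and `br`, each with an empty attribute list, and only when the context is `pre_comment_content`; a summary such as `Allows attribute-less <p> and <br> tags in the 'pre_comment_content' KSES context.` would match the code. The two `array_key_exists` blocks could be a single union that likewise leaves existing entries untouched: `$allowedtags += array( 'br' => array(), 'p' => array() );`. Neither form checks that `$allowedtags` is still an array, so a non-array value returned by another `wp_kses_allowed_html` callback would raise here; an `is_array( $allowedtags )` test beside the context check would cover that.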