allow <p> and <br /> only for Activities

includes/class-activitypub.php

@@ -39,8 +39,6 @@ class Activitypub {
 
 		\add_action( 'in_plugin_update_message-' . ACTIVITYPUB_PLUGIN_BASENAME, array( self::class, 'plugin_update_message' ) );
 
-		\add_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ), 15, 2 );
-
 		// register several post_types
 		self::register_post_types();
 	}
@@ -337,32 +335,6 @@ class Activitypub {
 		);
 	}
 
-	/**
-	 * Adds line breaks to the list of allowed comment tags.
-	 *
-	 * @param  array  $allowed_tags Allowed HTML tags.
-	 * @param  string $context      Context.
-	 *
-	 * @return array Filtered tag list.
-	 */
-	public static function allowed_comment_html( $allowed_tags, $context = '' ) {
-		if ( 'pre_comment_content' !== $context ) {
-			// Do nothing.
-			return $allowed_tags;
-		}
-
-		// Add `p` and `br` to the list of allowed tags.
-		if ( ! array_key_exists( 'br', $allowed_tags ) ) {
-			$allowed_tags['br'] = array();
-		}
-
-		if ( ! array_key_exists( 'p', $allowed_tags ) ) {
-			$allowed_tags['p'] = array();
-		}
-
-		return $allowed_tags;
-	}
-
 	/**
 	 * Register the "Followers" Taxonomy
 	 *

includes/collection/class-interactions.php

@@ -55,7 +55,7 @@ class Interactions {
 			'comment_post_ID' => $comment_post_id,
 			'comment_author' => \esc_attr( $meta['name'] ),
 			'comment_author_url' => \esc_url_raw( $meta['url'] ),
-			'comment_content' => \addslashes( \wp_kses( $activity['object']['content'], 'pre_comment_content' ) ),
+			'comment_content' => \addslashes( $activity['object']['content'] ),
 			'comment_type' => 'comment',
 			'comment_author_email' => '',
 			'comment_parent' => $parent_comment ? $parent_comment->comment_ID : 0,
@@ -72,7 +72,6 @@ class Interactions {
 
 		// disable flood control
 		\remove_action( 'check_comment_flood', 'check_comment_flood_db', 10 );
-
 		// do not require email for AP entries
 		\add_filter( 'pre_option_require_name_email', '__return_false' );
 		// No nonce possible for this submission route
@@ -82,11 +81,12 @@ class Interactions {
 				return 'inactive';
 			}
 		);
+		\add_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ), 10, 2 );
 
 		$comment = \wp_new_comment( $commentdata, true );
 
+		\remove_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ), 10 );
 		\remove_filter( 'pre_option_require_name_email', '__return_false' );
-
 		// re-add flood control
 		\add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
 
@@ -113,14 +113,13 @@ class Interactions {
 		//found a local comment id
 		$commentdata = \get_comment( $object_comment_id, ARRAY_A );
 		$commentdata['comment_author'] = \esc_attr( $meta['name'] ? $meta['name'] : $meta['preferredUsername'] );
-		$commentdata['comment_content'] = \addslashes( \wp_kses( $activity['object']['content'], 'pre_comment_content' ) );
+		$commentdata['comment_content'] = \addslashes( $activity['object']['content'] );
 		if ( isset( $meta['icon']['url'] ) ) {
 			$commentdata['comment_meta']['avatar_url'] = \esc_url_raw( $meta['icon']['url'] );
 		}
 
 		// disable flood control
 		\remove_action( 'check_comment_flood', 'check_comment_flood_db', 10 );
-
 		// do not require email for AP entries
 		\add_filter( 'pre_option_require_name_email', '__return_false' );
 		// No nonce possible for this submission route
@@ -130,11 +129,12 @@ class Interactions {
 				return 'inactive';
 			}
 		);
+		\add_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ), 10, 2 );
 
 		$comment = \wp_update_comment( $commentdata, true );
 
+		\remove_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ), 10 );
 		\remove_filter( 'pre_option_require_name_email', '__return_false' );
-
 		// re-add flood control
 		\add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
 
@@ -204,4 +204,30 @@ class Interactions {
 		$comment_query = new WP_Comment_Query( $args );
 		return $comment_query->comments;
 	}
+
+	/**
+	 * Adds line breaks to the list of allowed comment tags.
+	 *
+	 * @param  array  $allowed_tags Allowed HTML tags.
+	 * @param  string $context      Context.
+	 *
+	 * @return array Filtered tag list.
+	 */
+	public static function allowed_comment_html( $allowed_tags, $context = '' ) {
+		if ( 'pre_comment_content' !== $context ) {
+			// Do nothing.
+			return $allowed_tags;
+		}
+
+		// Add `p` and `br` to the list of allowed tags.
+		if ( ! array_key_exists( 'br', $allowed_tags ) ) {
+			$allowed_tags['br'] = array();
+		}
+
+		if ( ! array_key_exists( 'p', $allowed_tags ) ) {
+			$allowed_tags['p'] = array();
+		}
+
+		return $allowed_tags;
+	}
 }

tests/test-class-activitypub-interactions.php

@@ -82,9 +82,31 @@ class Test_Activitypub_Interactions extends WP_UnitTestCase {
 
 	public function test_handle_create_rich() {
 		$comment_id = Activitypub\Collection\Interactions::add_comment( $this->create_test_rich_object() );
-		$comment   = get_comment( $comment_id, ARRAY_A );
+		$comment    = get_comment( $comment_id, ARRAY_A );
 
 		$this->assertEquals( 'Hello<br />example<p>example</p>', $comment['comment_content'] );
+
+		$commentarray = array(
+			'comment_post_ID'      => $this->post_id,
+			'comment_author'       => 'Example User',
+			'comment_author_url'   => $this->user_url,
+			'comment_content'      => 'Hello<br />example<p>example</p>',
+			'comment_type'         => 'comment',
+			'comment_author_email' => '',
+			'comment_parent'       => 0,
+			'comment_meta'         => array(
+				'source_id'  => 'https://example.com/123',
+				'source_url' => 'https://example.com/example',
+				'protocol'   => 'activitypub',
+			),
+		);
+
+		\remove_action( 'check_comment_flood', 'check_comment_flood_db', 10 );
+		$comment_id = wp_new_comment( $commentarray );
+		\add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
+		$comment = get_comment( $comment_id, ARRAY_A );
+
+		$this->assertEquals( 'Helloexampleexample', $comment['comment_content'] );
 	}
 
 	public function test_convert_object_to_comment_not_reply_rejected() {