allow <p> and <br /> only for Activities

This commit is contained in:
Matthias Pfefferle 2023-12-05 13:21:24 +01:00
parent cf541b41b4
commit db846729db
3 changed files with 55 additions and 35 deletions

View file

@ -39,8 +39,6 @@ class Activitypub {
\add_action( 'in_plugin_update_message-' . ACTIVITYPUB_PLUGIN_BASENAME, array( self::class, 'plugin_update_message' ) ); \add_action( 'in_plugin_update_message-' . ACTIVITYPUB_PLUGIN_BASENAME, array( self::class, 'plugin_update_message' ) );
\add_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ), 15, 2 );
// register several post_types // register several post_types
self::register_post_types(); self::register_post_types();
} }
@ -337,32 +335,6 @@ class Activitypub {
); );
} }
/**
* Adds line breaks to the list of allowed comment tags.
*
* @param array $allowed_tags Allowed HTML tags.
* @param string $context Context.
*
* @return array Filtered tag list.
*/
public static function allowed_comment_html( $allowed_tags, $context = '' ) {
if ( 'pre_comment_content' !== $context ) {
// Do nothing.
return $allowed_tags;
}
// Add `p` and `br` to the list of allowed tags.
if ( ! array_key_exists( 'br', $allowed_tags ) ) {
$allowed_tags['br'] = array();
}
if ( ! array_key_exists( 'p', $allowed_tags ) ) {
$allowed_tags['p'] = array();
}
return $allowed_tags;
}
/** /**
* Register the "Followers" Taxonomy * Register the "Followers" Taxonomy
* *

View file

@ -55,7 +55,7 @@ class Interactions {
'comment_post_ID' => $comment_post_id, 'comment_post_ID' => $comment_post_id,
'comment_author' => \esc_attr( $meta['name'] ), 'comment_author' => \esc_attr( $meta['name'] ),
'comment_author_url' => \esc_url_raw( $meta['url'] ), 'comment_author_url' => \esc_url_raw( $meta['url'] ),
'comment_content' => \addslashes( \wp_kses( $activity['object']['content'], 'pre_comment_content' ) ), 'comment_content' => \addslashes( $activity['object']['content'] ),
'comment_type' => 'comment', 'comment_type' => 'comment',
'comment_author_email' => '', 'comment_author_email' => '',
'comment_parent' => $parent_comment ? $parent_comment->comment_ID : 0, 'comment_parent' => $parent_comment ? $parent_comment->comment_ID : 0,
@ -72,7 +72,6 @@ class Interactions {
// disable flood control // disable flood control
\remove_action( 'check_comment_flood', 'check_comment_flood_db', 10 ); \remove_action( 'check_comment_flood', 'check_comment_flood_db', 10 );
// do not require email for AP entries // do not require email for AP entries
\add_filter( 'pre_option_require_name_email', '__return_false' ); \add_filter( 'pre_option_require_name_email', '__return_false' );
// No nonce possible for this submission route // No nonce possible for this submission route
@ -82,11 +81,12 @@ class Interactions {
return 'inactive'; return 'inactive';
} }
); );
\add_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ), 10, 2 );
$comment = \wp_new_comment( $commentdata, true ); $comment = \wp_new_comment( $commentdata, true );
\remove_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ), 10 );
\remove_filter( 'pre_option_require_name_email', '__return_false' ); \remove_filter( 'pre_option_require_name_email', '__return_false' );
// re-add flood control // re-add flood control
\add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 ); \add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
@ -113,14 +113,13 @@ class Interactions {
//found a local comment id //found a local comment id
$commentdata = \get_comment( $object_comment_id, ARRAY_A ); $commentdata = \get_comment( $object_comment_id, ARRAY_A );
$commentdata['comment_author'] = \esc_attr( $meta['name'] ? $meta['name'] : $meta['preferredUsername'] ); $commentdata['comment_author'] = \esc_attr( $meta['name'] ? $meta['name'] : $meta['preferredUsername'] );
$commentdata['comment_content'] = \addslashes( \wp_kses( $activity['object']['content'], 'pre_comment_content' ) ); $commentdata['comment_content'] = \addslashes( $activity['object']['content'] );
if ( isset( $meta['icon']['url'] ) ) { if ( isset( $meta['icon']['url'] ) ) {
$commentdata['comment_meta']['avatar_url'] = \esc_url_raw( $meta['icon']['url'] ); $commentdata['comment_meta']['avatar_url'] = \esc_url_raw( $meta['icon']['url'] );
} }
// disable flood control // disable flood control
\remove_action( 'check_comment_flood', 'check_comment_flood_db', 10 ); \remove_action( 'check_comment_flood', 'check_comment_flood_db', 10 );
// do not require email for AP entries // do not require email for AP entries
\add_filter( 'pre_option_require_name_email', '__return_false' ); \add_filter( 'pre_option_require_name_email', '__return_false' );
// No nonce possible for this submission route // No nonce possible for this submission route
@ -130,11 +129,12 @@ class Interactions {
return 'inactive'; return 'inactive';
} }
); );
\add_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ), 10, 2 );
$comment = \wp_update_comment( $commentdata, true ); $comment = \wp_update_comment( $commentdata, true );
\remove_filter( 'wp_kses_allowed_html', array( self::class, 'allowed_comment_html' ), 10 );
\remove_filter( 'pre_option_require_name_email', '__return_false' ); \remove_filter( 'pre_option_require_name_email', '__return_false' );
// re-add flood control // re-add flood control
\add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 ); \add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
@ -204,4 +204,30 @@ class Interactions {
$comment_query = new WP_Comment_Query( $args ); $comment_query = new WP_Comment_Query( $args );
return $comment_query->comments; return $comment_query->comments;
} }
/**
* Adds line breaks to the list of allowed comment tags.
*
* @param array $allowed_tags Allowed HTML tags.
* @param string $context Context.
*
* @return array Filtered tag list.
*/
public static function allowed_comment_html( $allowed_tags, $context = '' ) {
if ( 'pre_comment_content' !== $context ) {
// Do nothing.
return $allowed_tags;
}
// Add `p` and `br` to the list of allowed tags.
if ( ! array_key_exists( 'br', $allowed_tags ) ) {
$allowed_tags['br'] = array();
}
if ( ! array_key_exists( 'p', $allowed_tags ) ) {
$allowed_tags['p'] = array();
}
return $allowed_tags;
}
} }

View file

@ -82,9 +82,31 @@ class Test_Activitypub_Interactions extends WP_UnitTestCase {
public function test_handle_create_rich() { public function test_handle_create_rich() {
$comment_id = Activitypub\Collection\Interactions::add_comment( $this->create_test_rich_object() ); $comment_id = Activitypub\Collection\Interactions::add_comment( $this->create_test_rich_object() );
$comment = get_comment( $comment_id, ARRAY_A ); $comment = get_comment( $comment_id, ARRAY_A );
$this->assertEquals( 'Hello<br />example<p>example</p>', $comment['comment_content'] ); $this->assertEquals( 'Hello<br />example<p>example</p>', $comment['comment_content'] );
$commentarray = array(
'comment_post_ID' => $this->post_id,
'comment_author' => 'Example User',
'comment_author_url' => $this->user_url,
'comment_content' => 'Hello<br />example<p>example</p>',
'comment_type' => 'comment',
'comment_author_email' => '',
'comment_parent' => 0,
'comment_meta' => array(
'source_id' => 'https://example.com/123',
'source_url' => 'https://example.com/example',
'protocol' => 'activitypub',
),
);
\remove_action( 'check_comment_flood', 'check_comment_flood_db', 10 );
$comment_id = wp_new_comment( $commentarray );
\add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
$comment = get_comment( $comment_id, ARRAY_A );
$this->assertEquals( 'Helloexampleexample', $comment['comment_content'] );
} }
public function test_convert_object_to_comment_not_reply_rejected() { public function test_convert_object_to_comment_not_reply_rejected() {