Skip to:
Content

bbPress.org

Changeset 6085


Ignore:
Timestamp:
08/30/2016 07:09:22 AM (5 years ago)
Author:
netweb
Message:

Moderation: Include topic and reply post content with and without HTML in moderation_keys and blacklist_keys checks.

This changeset ensures users cannot bypass the moderation word checks by wrapping parts of the word or term in HTML, e.g. bannedword could previously be bypassed using <em>banned</em>word

Fixes #2986.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/includes/common/functions.php

    r6058 r6085  
    884884    $_post['content'] = $content;
    885885
     886    // Ensure HTML tags are not being used to bypass the moderation list.
     887    $_post['comment_without_html'] = wp_strip_all_tags( $content );
     888
    886889    /** Words *****************************************************************/
    887890
     
    995998    $_post['title']   = $title;
    996999    $_post['content'] = $content;
     1000
     1001    // Ensure HTML tags are not being used to bypass the blacklist.
     1002    $_post['comment_without_html'] = wp_strip_all_tags( $content );
    9971003
    9981004    /** Words *****************************************************************/
  • trunk/tests/phpunit/testcases/common/functions.php

    r6084 r6085  
    863863
    864864    /**
     865     * @covers ::bbp_check_for_moderation
     866     */
     867    public function test_should_return_false_when_html_wrapped_content_matches_moderation_keys() {
     868        $u = $this->factory->user->create();
     869
     870        $t = $this->factory->topic->create( array(
     871            'post_author' => $u,
     872            'post_title' => 'Sting',
     873            'post_content' => 'Beware, there maybe bees <strong>hiber</strong><em>nating</em>.',
     874        ) );
     875
     876        $anonymous_data = false;
     877        $author_id      = bbp_get_topic_author_id( $t );
     878        $title          = bbp_get_topic_title( $t );
     879        $content        = bbp_get_topic_content( $t );
     880
     881        update_option( 'moderation_keys',"hibernating\nfoo" );
     882
     883        $result = bbp_check_for_moderation( $anonymous_data, $author_id, $title, $content );
     884
     885        $this->assertFalse( $result );
     886    }
     887
     888    /**
    865889     * @covers ::bbp_check_for_blacklist
    866890     */
     
    10411065
    10421066    /**
     1067     * @covers ::bbp_check_for_blacklist
     1068     */
     1069    public function test_should_return_false_when_html_wrapped_content_matches_blacklist_keys() {
     1070        $u = $this->factory->user->create();
     1071
     1072        $t = $this->factory->topic->create( array(
     1073            'post_author' => $u,
     1074            'post_title' => 'Sting',
     1075            'post_content' => 'Beware, there maybe bees <strong>hiber</strong><em>nating</em>.',
     1076        ) );
     1077
     1078        $anonymous_data = false;
     1079        $author_id      = bbp_get_topic_author_id( $t );
     1080        $title          = bbp_get_topic_title( $t );
     1081        $content        = bbp_get_topic_content( $t );
     1082
     1083        update_option( 'blacklist_keys',"hibernating\nfoo" );
     1084
     1085        $result = bbp_check_for_blacklist( $anonymous_data, $author_id, $title, $content );
     1086
     1087        $this->assertFalse( $result );
     1088    }
     1089
     1090    /**
    10431091     * @covers ::bbp_get_do_not_reply_address
    10441092     */
Note: See TracChangeset for help on using the changeset viewer.