Changeset 6085

Timestamp:

08/30/2016 07:09:22 AM (7 years ago)

Author:

netweb

Message:

Moderation: Include topic and reply post content with and without HTML in moderation_keys and blacklist_keys checks.

This changeset ensures users cannot bypass the moderation word checks by wrapping parts of the word or term in HTML, e.g. bannedword could previously be bypassed using <em>banned</em>word

Fixes #2986.

Location:

trunk

Files:

• src/includes/common/functions.php (modified) (2 diffs)
• tests/phpunit/testcases/common/functions.php (modified) (2 diffs)

trunk/src/includes/common/functions.php

@@ -884 +884 @@
     $_post['content'] = $content;
 
+    // Ensure HTML tags are not being used to bypass the moderation list.
+    $_post['comment_without_html'] = wp_strip_all_tags( $content );
+
     /** Words *****************************************************************/
 
@@ -995 +998 @@
     $_post['title']   = $title;
     $_post['content'] = $content;
+
+    // Ensure HTML tags are not being used to bypass the blacklist.
+    $_post['comment_without_html'] = wp_strip_all_tags( $content );
 
     /** Words *****************************************************************/

trunk/tests/phpunit/testcases/common/functions.php

@@ -863 +863 @@
 
     /**
+     * @covers ::bbp_check_for_moderation
+     */
+    public function test_should_return_false_when_html_wrapped_content_matches_moderation_keys() {
+        $u = $this->factory->user->create();
+
+        $t = $this->factory->topic->create( array(
+            'post_author' => $u,
+            'post_title' => 'Sting',
+            'post_content' => 'Beware, there maybe bees <strong>hiber</strong><em>nating</em>.',
+        ) );
+
+        $anonymous_data = false;
+        $author_id      = bbp_get_topic_author_id( $t );
+        $title          = bbp_get_topic_title( $t );
+        $content        = bbp_get_topic_content( $t );
+
+        update_option( 'moderation_keys',"hibernating\nfoo" );
+
+        $result = bbp_check_for_moderation( $anonymous_data, $author_id, $title, $content );
+
+        $this->assertFalse( $result );
+    }
+
+    /**
      * @covers ::bbp_check_for_blacklist
      */
@@ -1041 +1065 @@
 
     /**
+     * @covers ::bbp_check_for_blacklist
+     */
+    public function test_should_return_false_when_html_wrapped_content_matches_blacklist_keys() {
+        $u = $this->factory->user->create();
+
+        $t = $this->factory->topic->create( array(
+            'post_author' => $u,
+            'post_title' => 'Sting',
+            'post_content' => 'Beware, there maybe bees <strong>hiber</strong><em>nating</em>.',
+        ) );
+
+        $anonymous_data = false;
+        $author_id      = bbp_get_topic_author_id( $t );
+        $title          = bbp_get_topic_title( $t );
+        $content        = bbp_get_topic_content( $t );
+
+        update_option( 'blacklist_keys',"hibernating\nfoo" );
+
+        $result = bbp_check_for_blacklist( $anonymous_data, $author_id, $title, $content );
+
+        $this->assertFalse( $result );
+    }
+
+    /**
      * @covers ::bbp_get_do_not_reply_address
      */