• Resolved teresax

    (@teresax)


    Can you remove the filter wp_kses?

    //Line 293 class.WpdiscuzCore.php
    $comment_content = wp_kses(trim($wc_comment), $this->helper->wc_allowed_tags);
    
    //Line 421 class.WpdiscuzCore.php
    'comment_content' => apply_filters('pre_comment_content', $commentContent),

    …Or add new hooks or filters for developers

    Thanks a lot!
    Best plugin ever!

    https://www.ads-software.com/plugins/wpdiscuz/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author gVectors Team

    (@gvectors-team)

    Thank you teresax,
    wp_kses() is the main content protection for website owners. It filters all unnecessary HTML codes. I’m sorry, but we can’t remove it; it’ll bring lots of security issues. A new filter hook can’t avoid wp_kses(), because the final comment content should always be filtered by wp_kses().

    Thread Starter teresax

    (@teresax)

    Thanks for the reply

    The main problem is that if I write: \\
    I get \
    It’s not normal, don’t you think?

    This is what the code says:

    wp_new_comment

    Filters new comment to ensure that the fields are sanitized and valid before inserting comment into database. Calls ‘comment_post’ action with comment ID and whether comment is approved by WordPress. Also has ‘preprocess_comment’ filter for processing the comment data before the function handles it.

    wp_update_comment

    Filters the comment and makes sure certain fields are valid before updating.

    Plugin Author gVectors Team

    (@gvectors-team)

    Ok, thank you teresax,
    we’ll check this. If I get some news, I’ll update this topic.

    Hi guys. This is not to be underestimated considering the importance of the writing…

    WP uses PDO; there is no need to escape data if you use prepared statements (wp_new_comment, wp_update_comment…). Moreover, WordPress automatically adds slashes to all POST data…

    Maybe you could try a similar thing to check if that really is the problem?

    // Variant 1: parse the serialized form field as posted, with no unslashing.
    $wpdz = isset($_POST['wpdiscuzAjaxData']) ? $_POST['wpdiscuzAjaxData'] : '';
    parse_str($wpdz, $wpdz_out);
    $comment_content = isset($wpdz_out['wc_comment']) ? $wpdz_out['wc_comment'] : '';

    OR

    // Variant 2: unslash only the parsed comment text.
    $wpdz = isset($_POST['wpdiscuzAjaxData']) ? $_POST['wpdiscuzAjaxData'] : '';
    parse_str($wpdz, $wpdz_out);
    $comment_content = isset($wpdz_out['wc_comment']) ? wp_unslash($wpdz_out['wc_comment']) : '';

    OR

    // Variant 3: unslash the whole serialized field before parsing it.
    $wpdz = isset($_POST['wpdiscuzAjaxData']) ? wp_unslash($_POST['wpdiscuzAjaxData']) : '';
    parse_str($wpdz, $wpdz_out);
    $comment_content = isset($wpdz_out['wc_comment']) ? $wpdz_out['wc_comment'] : '';

    Frankie.
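The slash layers this thread is about, traced through a small PHP script; this is an added example, not wpDiscuz or WordPress code. The `*_stub` functions are assumed stand-ins for `wp_slash()`, `wp_unslash()` and the storage step, and the script assumes that `wp_new_comment()` expects slashed data because `wp_insert_comment()` unslashes it once, and that WordPress runs `addslashes()` over every `$_POST` value on load.

```php
<?php
// Added example, not code from wpDiscuz or WordPress. It reproduces the "\\ becomes \"
// report above with minimal stand-ins for the WordPress functions involved.
// Assumptions: wp_unslash() behaves like stripslashes(), wp_slash() like addslashes(),
// wp_magic_quotes() applies addslashes() to every $_POST value, and wp_new_comment()
// expects slashed data because wp_insert_comment() unslashes it once before storing.

function wp_slash_stub(string $v): string   { return addslashes($v); }
function wp_unslash_stub(string $v): string { return stripslashes($v); }

// Stand-in for the storage step: whatever reaches it is unslashed exactly once.
function insert_comment_stub(string $slashedContent): string {
    return wp_unslash_stub($slashedContent);
}

// Runs one request through three handler variants and returns what each would store.
// $typed is the text the commenter entered in the form.
function simulate(string $typed): array {
    // The browser serializes the whole comment form into a single POST field, so the
    // backslashes travel URL-encoded (%5C) and addslashes() never touches them.
    $post = ['wpdiscuzAjaxData' => 'wc_comment=' . rawurlencode($typed)];
    $post = array_map('addslashes', $post);           // what wp_magic_quotes() does

    parse_str($post['wpdiscuzAjaxData'], $fields);
    $content = $fields['wc_comment'];                 // equals $typed: no slashes were added

    return [
        // Handing the unslashed value straight to wp_new_comment(): one layer too few.
        'as_parsed'     => insert_comment_stub($content),
        // Unslashing again before wp_new_comment(): two layers too few.
        'unslashed'     => insert_comment_stub(wp_unslash_stub($content)),
        // Adding the slashes WordPress expects (wp_slash()) before wp_new_comment().
        'slashed_first' => insert_comment_stub(wp_slash_stub($content)),
    ];
}

// Constructed inputs: the two-backslash case from the report, plus a quote and \n.
foreach (['\\\\', "O'Reilly \\n"] as $typed) {
    echo "typed: $typed\n";
    foreach (simulate($typed) as $variant => $stored) {
        echo "  $variant: $stored\n";
    }
}
```

For the typed `\\`, the three variants store `\`, an empty string, and `\\` respectively; only the last one round-trips the commenter's text unchanged.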

    Plugin Author gVectors Team

    (@gvectors-team)

    Ok, thank you frankiet, we’ll check and fix this issue.

    Thread Starter teresax

    (@teresax)

    Is there any news?

    Plugin Author gVectors Team

    (@gvectors-team)

    This problem is fixed, please wait for the next version, it’ll be released very soon.

  • The topic ‘Why escape HTML before escaping SQL?’ is closed to new replies.