Skip to content

Comments: Fix content stripping between < and > when used for comparison #9468

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 3 commits into from
Closed

Comments: Fix content stripping between < and > when used for comparison #9468

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
849a199
fix: escaping of < and > in admin comment list
BugReportOnWeb Aug 13, 2025
82e1d10
fix: scope encoding for users with unfiltered_html permission
BugReportOnWeb Aug 27, 2025
b946a21
Merge branch 'trunk' into fix/admin-comment-symbol-strip
BugReportOnWeb Aug 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions src/wp-includes/comment-template.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1076,6 +1076,18 @@ function comment_text( $comment_id = 0, $args = array() ) {

$comment_text = get_comment_text( $comment, $args );

if ( current_user_can( 'unfiltered_html' ) ) {
// Encode < and > in a numeric comparisons,
// to prevent them being parsed as HTML tags.
$comment_text = preg_replace_callback(
'/(<)(\s*\d+(?:\.\d+)?[^<>]*?)(>)(\s*\d+(?:\.\d+)?)/',
Copy link

@q0rban q0rban Aug 26, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this may be a bit too restrictive. For example, the following math expression would NOT get matched by this regex:

5 < x > 3

https://regexr.com/8gpd8

I suspect there are just too many possible math expressions out there to craft a proper regex to capture them. Instead, perhaps we just run esc_html() on the comment text?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the review! I agree it's hard to capture everything with just a regex. Initially, I though about escaping the characters using esc_html(), but that results in escaping any anchor tags as well:

Before After
Screenshot 2025-08-27 at 1 18 52 PM Screenshot 2025-08-27 at 1 11 50 PM

I wasn't sure if it's ideal to have these elements escaped in the comment list or not. Please let me know if I can make this change.

function ( $matches ) {
return htmlspecialchars( $matches[1] ) . $matches[2] . htmlspecialchars( $matches[3] ) . $matches[4];
},
$comment_text
);
}

/**
* Filters the text of a comment to be displayed.
*
Expand Down
Loading