• Hey guys,

    I’m trying to fix a bug in the SimpleCAPTCHA plugin which will escape double and/or single quotes in a comment, but won’t sanitize the display before re-filling the comment field. Plus, when you repeatedly enter the wrong captcha, it will double- and triple- htmlencode ampersands and such.

    A comment like this:
    Lorem ipsum "Dolor Sit Amet", & consetetur

    submitted with an incorrect captcha, will end up displaying like this:
    Lorem ipsum \"Dolor Sit Amet\", & amp; consetetur

    Submit this again with a wrong captcha, and you get
    Lorem ipsum \"Dolor Sit Amet\", & amp; amp; consetetur

    *added spaces after the ampersand.

    What the plugin does if the captcha is invalid:

    – it sends the comment form fields back to the same page, via POST, escaped with htmlspecialchars()
    – it pre-fills the comment form with your old comment and escapes it again with htmlspecialchars()

    So my problem is that I’m looking for a way to re-fill the comment form without opening up a loophole.

    Question: Would it be enough to str_replace any backslashes (\) before re-filling the comment form? More specifically, I’m looking for the function that WordPress uses itself to sanitize comments before writing them into the database.

    Any ideas?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter nublooo

    (@nublooo)

    Update if anyone is interested.

    – found the filter pre_comment_content, which runs before any comment content is inserted into the db, but could not make it work with SimpleCAPTCHA. With more testing and seeing how the function returns I’m sure it’s possible but unfortunately I don’t have the time right now.

    So I came up with a hack:

    – Replaced htmlspecialchars() with esc_attr() to prevent double encoding

    – Added a simple str_replace to filter out backslashes when the form is refilled:

    $trans = array("\r" => '\r', "\n" => '\n');
    trim(strtr(str_replace('\\', '', esc_attr($_POST['comment1'])), $trans))

    This seems to work so far and will have to do until I find the time to get more into the pre_comment_content filter.

    Hope this helps if anyone is having the same issue.

    Use stripslashes, for it is rather a MySQL sanitation than an HTML encoding issue.
    https://www.php.net/manual/en/function.stripslashes.php

    ~epsi – iluni.org
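
    The round trip discussed in this thread, as an added example that is not the plugin's code or any poster's: a simplified model in plain PHP where addslashes() stands in for the slashes WordPress adds to $_POST, and the function names and sample strings are constructed for illustration. It contrasts encoding twice without unslashing against unslashing once and encoding once at output; inside WordPress the corresponding helpers are wp_unslash() and esc_textarea().

```php
<?php
// Constructed sample: the comment from the question plus a literal backslash,
// to show what a blanket removal of backslashes would lose.
$typed = 'Lorem ipsum "Dolor Sit Amet", & consetetur C:\temp';

// Assumption: models the slashing WordPress applies to $_POST on each request.
function simulate_post(string $field_value): string {
    return addslashes($field_value);
}

// Simplified model of the bug: the value is HTML-encoded before being sent
// back, encoded again when the form is pre-filled, and never unslashed.
function refill_buggy(string $posted): string {
    $sent_back = htmlspecialchars($posted, ENT_QUOTES, 'UTF-8');
    return htmlspecialchars($sent_back, ENT_QUOTES, 'UTF-8');
}

// Corrected flow: keep the raw value between steps, remove the added
// slashes exactly once, and HTML-encode exactly once at the point of output.
function refill_fixed(string $posted): string {
    $raw = stripslashes($posted);
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// The browser decodes entities once when rendering textarea content,
// so this is the text the visitor sees and would resubmit.
function shown_in_textarea(string $html): string {
    return htmlspecialchars_decode($html, ENT_QUOTES);
}

$posted = simulate_post($typed);
echo "buggy: ", shown_in_textarea(refill_buggy($posted)), "\n";
echo "fixed: ", shown_in_textarea(refill_fixed($posted)), "\n";

// A second failed captcha resubmits what was displayed; with the corrected
// flow the visible text must stay identical to what was typed.
$again = simulate_post(shown_in_textarea(refill_fixed($posted)));
var_dump(shown_in_textarea(refill_fixed($again)) === $typed);

// Markup in a comment stays inert text inside the textarea (constructed input).
echo refill_fixed(simulate_post('</textarea><b>x</b>')), "\n";
```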

  • The topic ‘Escaping comments when re-filling textarea after false captcha submit’ is closed to new replies.