Comments: Ensure that unmoderated comments won't be search indexed.

SergeyBiryukov · SergeyBiryukov · commit a0d1d6bfd368 · 2020-06-06T09:51:22.000Z
After a comment is submitted, only allow a brief window where the comment is live on the site. Props jonkolbert, ayeshrajans, Asif2BD, peterwilsoncc, imath, audrasjb, jonoaldersonwp, whyisjake, SergeyBiryukov. Merges [47887] and [47889] to the 5.3 branch. See #49956. git-svn-id: https://develop.svn.wordpress.org/branches/5.3@47916 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-comments-post.php b/src/wp-comments-post.php
@@ -56,8 +56,8 @@
 
 $location = empty( $_POST['redirect_to'] ) ? get_comment_link( $comment ) : $_POST['redirect_to'] . '#comment-' . $comment->comment_ID;
 
-// Add specific query arguments to display the awaiting moderation message.
-if ( 'unapproved' === wp_get_comment_status( $comment ) && ! empty( $comment->comment_author_email ) ) {
+// If user didn't consent to cookies, add specific query arguments to display the awaiting moderation message.
+if ( ! $cookies_consent && 'unapproved' === wp_get_comment_status( $comment ) && ! empty( $comment->comment_author_email ) ) {
 	$location = add_query_arg(
 		array(
 			'unapproved'      => $comment->comment_ID,
diff --git a/src/wp-includes/class-walker-comment.php b/src/wp-includes/class-walker-comment.php
@@ -181,7 +181,11 @@ public function start_el( &$output, $comment, $depth = 0, $args = array(), $id =
 			return;
 		}
 
-		if ( ( 'pingback' == $comment->comment_type || 'trackback' == $comment->comment_type ) && $args['short_ping'] ) {
+		if ( 'comment' === $comment->comment_type ) {
+			add_filter( 'comment_text', array( $this, 'filter_comment_text' ), 40, 2 );
+		}
+
+		if ( ( 'pingback' === $comment->comment_type || 'trackback' === $comment->comment_type ) && $args['short_ping'] ) {
 			ob_start();
 			$this->ping( $comment, $depth, $args );
 			$output .= ob_get_clean();
@@ -194,6 +198,10 @@ public function start_el( &$output, $comment, $depth = 0, $args = array(), $id =
 			$this->comment( $comment, $depth, $args );
 			$output .= ob_get_clean();
 		}
+
+		if ( 'comment' === $comment->comment_type ) {
+			remove_filter( 'comment_text', array( $this, 'filter_comment_text' ), 40, 2 );
+		}
 	}
 
 	/**
@@ -244,6 +252,29 @@ protected function ping( $comment, $depth, $args ) {
 		<?php
 	}
 
+	/**
+	 * Filters the comment text.
+	 *
+	 * Removes links from the pending comment's text if the commenter did not consent
+	 * to the comment cookies.
+	 *
+	 * @since 5.4.2
+	 *
+	 * @param string          $comment_text Text of the current comment.
+	 * @param WP_Comment|null $comment      The comment object. Null if not found.
+	 * @return string Filtered text of the current comment.
+	 */
+	public function filter_comment_text( $comment_text, $comment ) {
+		$commenter          = wp_get_current_commenter();
+		$show_pending_links = ! empty( $commenter['comment_author'] );
+
+		if ( $comment && '0' == $comment->comment_approved && ! $show_pending_links ) {
+			$comment_text = wp_kses( $comment_text, array() );
+		}
+
+		return $comment_text;
+	}
+
 	/**
 	 * Outputs a single comment.
 	 *
@@ -264,13 +295,14 @@ protected function comment( $comment, $depth, $args ) {
 			$add_below = 'div-comment';
 		}
 
-		$commenter = wp_get_current_commenter();
+		$commenter          = wp_get_current_commenter();
+		$show_pending_links = isset( $commenter['comment_author'] ) && $commenter['comment_author'];
+
 		if ( $commenter['comment_author_email'] ) {
 			$moderation_note = __( 'Your comment is awaiting moderation.' );
 		} else {
 			$moderation_note = __( 'Your comment is awaiting moderation. This is a preview, your comment will be visible after it has been approved.' );
 		}
-
 		?>
 		<<?php echo $tag; ?> <?php comment_class( $this->has_children ? 'parent' : '', $comment ); ?> id="comment-<?php comment_ID(); ?>">
 		<?php if ( 'div' != $args['style'] ) : ?>
@@ -279,14 +311,21 @@ protected function comment( $comment, $depth, $args ) {
 		<div class="comment-author vcard">
 			<?php
 			if ( 0 != $args['avatar_size'] ) {
-				echo get_avatar( $comment, $args['avatar_size'] );}
+				echo get_avatar( $comment, $args['avatar_size'] );
+			}
 			?>
 			<?php
-				printf(
-					/* translators: %s: Comment author link. */
-					__( '%s <span class="says">says:</span>' ),
-					sprintf( '<cite class="fn">%s</cite>', get_comment_author_link( $comment ) )
-				);
+			$comment_author = get_comment_author_link( $comment );
+
+			if ( '0' == $comment->comment_approved && ! $show_pending_links ) {
+				$comment_author = get_comment_author( $comment );
+			}
+
+			printf(
+				/* translators: %s: Comment author link. */
+				__( '%s <span class="says">says:</span>' ),
+				sprintf( '<cite class="fn">%s</cite>', $comment_author )
+			);
 			?>
 		</div>
 		<?php if ( '0' == $comment->comment_approved ) : ?>
@@ -354,13 +393,14 @@ protected function comment( $comment, $depth, $args ) {
 	protected function html5_comment( $comment, $depth, $args ) {
 		$tag = ( 'div' === $args['style'] ) ? 'div' : 'li';
 
-		$commenter = wp_get_current_commenter();
+		$commenter          = wp_get_current_commenter();
+		$show_pending_links = ! empty( $commenter['comment_author'] );
+
 		if ( $commenter['comment_author_email'] ) {
 			$moderation_note = __( 'Your comment is awaiting moderation.' );
 		} else {
 			$moderation_note = __( 'Your comment is awaiting moderation. This is a preview, your comment will be visible after it has been approved.' );
 		}
-
 		?>
 		<<?php echo $tag; ?> id="comment-<?php comment_ID(); ?>" <?php comment_class( $this->has_children ? 'parent' : '', $comment ); ?>>
 			<article id="div-comment-<?php comment_ID(); ?>" class="comment-body">
@@ -372,11 +412,17 @@ protected function html5_comment( $comment, $depth, $args ) {
 						}
 						?>
 						<?php
-							printf(
-								/* translators: %s: Comment author link. */
-								__( '%s <span class="says">says:</span>' ),
-								sprintf( '<b class="fn">%s</b>', get_comment_author_link( $comment ) )
-							);
+						$comment_author = get_comment_author_link( $comment );
+
+						if ( '0' == $comment->comment_approved && ! $show_pending_links ) {
+							$comment_author = get_comment_author( $comment );
+						}
+
+						printf(
+							/* translators: %s: Comment author link. */
+							__( '%s <span class="says">says:</span>' ),
+							sprintf( '<b class="fn">%s</b>', $comment_author )
+						);
 						?>
 					</div><!-- .comment-author -->
 
@@ -402,18 +448,20 @@ protected function html5_comment( $comment, $depth, $args ) {
 				</div><!-- .comment-content -->
 
 				<?php
-				comment_reply_link(
-					array_merge(
-						$args,
-						array(
-							'add_below' => 'div-comment',
-							'depth'     => $depth,
-							'max_depth' => $args['max_depth'],
-							'before'    => '<div class="reply">',
-							'after'     => '</div>',
+				if ( '1' == $comment->comment_approved || $show_pending_links ) {
+					comment_reply_link(
+						array_merge(
+							$args,
+							array(
+								'add_below' => 'div-comment',
+								'depth'     => $depth,
+								'max_depth' => $args['max_depth'],
+								'before'    => '<div class="reply">',
+								'after'     => '</div>',
+							)
 						)
-					)
-				);
+					);
+				}
 				?>
 			</article><!-- .comment-body -->
 		<?php
diff --git a/src/wp-includes/class-wp-comment-query.php b/src/wp-includes/class-wp-comment-query.php
@@ -553,10 +553,15 @@ protected function get_comment_ids() {
 				// Numeric values are assumed to be user ids.
 				if ( is_numeric( $unapproved_identifier ) ) {
 					$approved_clauses[] = $wpdb->prepare( "( user_id = %d AND comment_approved = '0' )", $unapproved_identifier );
-
-					// Otherwise we match against email addresses.
 				} else {
-					$approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' )", $unapproved_identifier );
+					// Otherwise we match against email addresses.
+					if ( ! empty( $_GET['unapproved'] ) && ! empty( $_GET['moderation-hash'] ) ) {
+						// Only include requested comment.
+						$approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' AND comment_ID = %d )", $unapproved_identifier, (int) $_GET['unapproved'] );
+					} else {
+						// Include all of the author's unapproved comments.
+						$approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' )", $unapproved_identifier );
+					}
 				}
 			}
 		}
diff --git a/src/wp-includes/class-wp.php b/src/wp-includes/class-wp.php
@@ -403,6 +403,10 @@ public function send_headers() {
 
 		if ( is_user_logged_in() ) {
 			$headers = array_merge( $headers, wp_get_nocache_headers() );
+		} elseif ( ! empty( $_GET['unapproved'] ) && ! empty( $_GET['moderation-hash'] ) ) {
+			// Unmoderated comments are only visible for one minute via the moderation hash.
+			$headers['Expires']       = gmdate( 'D, d M Y H:i:s', time() + MINUTE_IN_SECONDS );
+			$headers['Cache-Control'] = 'max-age=60, must-revalidate';
 		}
 		if ( ! empty( $this->query_vars['error'] ) ) {
 			$status = (int) $this->query_vars['error'];
diff --git a/src/wp-includes/comment-template.php b/src/wp-includes/comment-template.php
@@ -997,7 +997,7 @@ function comment_text( $comment_ID = 0, $args = array() ) {
 	 * @see Walker_Comment::comment()
 	 *
 	 * @param string          $comment_text Text of the current comment.
-	 * @param WP_Comment|null $comment      The comment object.
+	 * @param WP_Comment|null $comment      The comment object. Null if not found.
 	 * @param array           $args         An array of arguments.
 	 */
 	echo apply_filters( 'comment_text', $comment_text, $comment, $args );
diff --git a/src/wp-includes/comment.php b/src/wp-includes/comment.php
@@ -1831,7 +1831,12 @@ function wp_get_unapproved_comment_author_email() {
 		$comment    = get_comment( $comment_id );
 
 		if ( $comment && hash_equals( $_GET['moderation-hash'], wp_hash( $comment->comment_date_gmt ) ) ) {
-			$commenter_email = $comment->comment_author_email;
+			// The comment will only be viewable by the comment author for 1 minute.
+			$comment_preview_expires = strtotime( $comment->comment_date_gmt . '+1 minute' );
+
+			if ( time() < $comment_preview_expires ) {
+				$commenter_email = $comment->comment_author_email;
+			}
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -553,10 +553,15 @@ protected function get_comment_ids() {`
`553`	`553`	`// Numeric values are assumed to be user ids.`
`554`	`554`	`if ( is_numeric( $unapproved_identifier ) ) {`
`555`	`555`	`$approved_clauses[] = $wpdb->prepare( "( user_id = %d AND comment_approved = '0' )", $unapproved_identifier );`
`556`		`-`
`557`		`- // Otherwise we match against email addresses.`
`558`	`556`	`} else {`
`559`		`- $approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' )", $unapproved_identifier );`
	`557`	`+ // Otherwise we match against email addresses.`
	`558`	`+ if ( ! empty( $_GET['unapproved'] ) && ! empty( $_GET['moderation-hash'] ) ) {`
	`559`	`+ // Only include requested comment.`
	`560`	`+ $approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' AND comment_ID = %d )", $unapproved_identifier, (int) $_GET['unapproved'] );`
	`561`	`+ } else {`
	`562`	`+ // Include all of the author's unapproved comments.`
	`563`	`+ $approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' )", $unapproved_identifier );`
	`564`	`+ }`
`560`	`565`	`}`
`561`	`566`	`}`
`562`	`567`	`}`
Original file line number	Diff line number	Diff line change
`@@ -997,7 +997,7 @@ function comment_text( $comment_ID = 0, $args = array() ) {`
`997`	`997`	`* @see Walker_Comment::comment()`
`998`	`998`	`*`
`999`	`999`	`* @param string $comment_text Text of the current comment.`
`1000`		`- * @param WP_Comment\|null $comment The comment object.`
	`1000`	`+ * @param WP_Comment\|null $comment The comment object. Null if not found.`
`1001`	`1001`	`* @param array $args An array of arguments.`
`1002`	`1002`	`*/`
`1003`	`1003`	`echo apply_filters( 'comment_text', $comment_text, $comment, $args );`
Original file line number	Diff line number	Diff line change
`@@ -1831,7 +1831,12 @@ function wp_get_unapproved_comment_author_email() {`
`1831`	`1831`	`$comment = get_comment( $comment_id );`
`1832`	`1832`
`1833`	`1833`	`if ( $comment && hash_equals( $_GET['moderation-hash'], wp_hash( $comment->comment_date_gmt ) ) ) {`
`1834`		`- $commenter_email = $comment->comment_author_email;`
	`1834`	`+ // The comment will only be viewable by the comment author for 1 minute.`
	`1835`	`+ $comment_preview_expires = strtotime( $comment->comment_date_gmt . '+1 minute' );`
	`1836`	`+`
	`1837`	`+ if ( time() < $comment_preview_expires ) {`
	`1838`	`+ $commenter_email = $comment->comment_author_email;`
	`1839`	`+ }`
`1835`	`1840`	`}`
`1836`	`1841`	`}`
`1837`	`1842`