Process emoji after sanitization

Automattic · Feb 19, 2025 · 47a6493 · 47a6493
1 parent ae8b5e6
commit 47a6493
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 21 deletions.
diff --git a/includes/collection/class-interactions.php b/includes/collection/class-interactions.php
@@ -77,8 +77,22 @@ public static function update_comment( $activity ) {
 		}
 
 		// Found a local comment id.
-		$commentdata['comment_author']  = self::replace_custom_emoji( $meta['name'] ? $meta['name'] : $meta['preferredUsername'], $meta );
-		$commentdata['comment_content'] = \addslashes( self::replace_custom_emoji( $activity['object']['content'], $activity['object'] ) );
+		$commentdata['comment_author']  = \esc_attr( $meta['name'] ? $meta['name'] : $meta['preferredUsername'] );
+		$commentdata['comment_content'] = \addslashes( $activity['object']['content'] );
+
+		add_filter(
+			'pre_comment_author_name',
+			function ( $comment_author ) use ( $meta ) {
+				return self::replace_custom_emoji( $comment_author, $meta );
+			}
+		);
+		add_filter(
+			'pre_comment_content',
+			function ( $comment_content ) use ( $activity ) {
+				return self::replace_custom_emoji( $comment_content, $activity['object'] );
+			},
+			20
+		);
 
 		return self::persist( $commentdata, self::UPDATE );
 	}
@@ -209,22 +223,14 @@ public static function allowed_comment_html( $allowed_tags, $context = '' ) {
 		}
 
 		// Add `p` and `br` to the list of allowed tags.
-		if ( ! isset( $allowed_tags['br'] ) ) {
+		if ( ! array_key_exists( 'br', $allowed_tags ) ) {
 			$allowed_tags['br'] = array();
 		}
 
-		if ( ! isset( $allowed_tags['p'] ) ) {
+		if ( ! array_key_exists( 'p', $allowed_tags ) ) {
 			$allowed_tags['p'] = array();
 		}
 
-		if ( ! isset( $allowed_tags['img'] ) ) {
-			$allowed_tags['img'] = array(
-				'src'   => array(),
-				'alt'   => array(),
-				'class' => array(),
-			);
-		}
-
 		return $allowed_tags;
 	}
 
@@ -265,9 +271,9 @@ public static function activity_to_comment( $activity ) {
 		}
 
 		$commentdata = array(
-			'comment_author'       => self::replace_custom_emoji( $comment_author, $actor ),
+			'comment_author'       => \esc_attr( $comment_author ),
 			'comment_author_url'   => \esc_url_raw( $url ),
-			'comment_content'      => self::replace_custom_emoji( $comment_content, $activity['object'] ),
+			'comment_content'      => $comment_content,
 			'comment_type'         => 'comment',
 			'comment_author_email' => '',
 			'comment_meta'         => array(
@@ -284,6 +290,20 @@ public static function activity_to_comment( $activity ) {
 			$commentdata['comment_meta']['source_url'] = \esc_url_raw( object_to_uri( $activity['object']['url'] ) );
 		}
 
+		add_filter(
+			'pre_comment_author_name',
+			function ( $comment_author ) use ( $actor ) {
+				return self::replace_custom_emoji( $comment_author, $actor );
+			}
+		);
+		add_filter(
+			'pre_comment_content',
+			function ( $comment_content ) use ( $activity ) {
+				return self::replace_custom_emoji( $comment_content, $activity['object'] );
+			},
+			20
+		);
+
 		return $commentdata;
 	}
 

diff --git a/tests/includes/collection/class-test-interactions.php b/tests/includes/collection/class-test-interactions.php
@@ -489,11 +489,12 @@ public function test_activity_to_comment_with_emoji() {
 			'id'       => 'https://example.com/activities/1',
 			'type'     => 'Note',
 			'content'  => 'Hello world :kappa: and :smile:',
-			'actor'    => $this->user_url,
+			'actor'    => self::$user_url,
 			'object'   => array(
-				'id'      => 'https://example.com/objects/1',
-				'content' => 'Hello world :kappa: and :smile:',
-				'tag'     => array(
+				'id'        => 'https://example.com/objects/1',
+				'content'   => 'Hello world :kappa: and :smile:',
+				'inReplyTo' => self::$post_permalink,
+				'tag'       => array(
 					array(
 						'type' => 'Emoji',
 						'name' => ':kappa:',
@@ -516,15 +517,16 @@ public function test_activity_to_comment_with_emoji() {
 			),
 		);
 
-		$commentdata = Interactions::activity_to_comment( $activity );
+		$comment_id = Interactions::add_comment( $activity );
+		$comment    = get_comment( $comment_id );
 
 		$this->assertStringContainsString(
 			'<img src="https://example.com/files/kappa.png" alt=":kappa:" class="emoji" />',
-			$commentdata['comment_content']
+			$comment->comment_content
 		);
 		$this->assertStringContainsString(
 			'<img src="https://example.com/files/smile.png" alt=":smile:" class="emoji" />',
-			$commentdata['comment_content']
+			$comment->comment_content
 		);
 	}
 }