WordPressEnable color comments but do not causeXSSTips for vulnerabilities

A while ago I shared some tips for fixing XSS vulnerabilities, and mentioned that to enable coloured comments in WordPress you insert the following code into functions.php, which disables WordPress's automatic HTML tag filtering mechanism:

remove_action('init', 'kses_init');
remove_action('set_current_user', 'kses_init');

However, disabling HTML tag filtering opens an XSS hole. For example, if someone inserts malicious JS redirect code into a comment, loading that page sends every visitor to whatever website the commenter chose!

So how can we have both: coloured comments, but without the XSS hole?

The earlier article "XSS Vulnerability Repair Ideas (2)" already shared a code-escaping approach, but since I cannot enumerate every XSS pattern, that method is not strict and is not recommended.

Here is how to get both:

Analysis first: font colour comes from the font tag, e.g. <font color="red">red</font>. By default, when a user submits a comment containing HTML tags, WordPress passes it through an HTML filter before storing it in the database, so the comment that is loaded later is colourless.

Since the HTML filter cannot be disabled, we work on submission and loading instead: no <font> tag is submitted at all, and the tag is only produced when the comment is loaded.

The implementation is very simple:

①. Handling before submission

Submit coloured comments with a shortcode instead of a tag, e.g. [color=red]Red comment[/color];

Now that coloured comments themselves are handled, you probably also want a quick colour-picker integrated into the comment box, like this:

(screenshot: comment box with colour buttons)

Originally, clicking a colour automatically inserts the <font color="red"> tag, so we first need to modify the JS: find where that tag is inserted, change the angle brackets to square brackets and drop the double quotes, i.e. change it to the shortcode [color=colour][/color], as shown here:

(screenshot: the modified JS)

Once that is saved, the pre-submission handling is done; next comes the replacement at load time.

②. Replace on load

A. Edit functions.php and add the following function before the closing ?> at the end of the file:

/**
 * WordPress comment colour shortcode replacement function
 * Modified from the WordPress comment_text function by Zhang Ge's Blog
 * Article address:
 **/
function comment_text_diy( $comment_ID = 0, $args = array() ) {
	$comment      = get_comment( $comment_ID );
	$comment_text = get_comment_text( $comment_ID, $args );
	// Apply the normal comment_text filters, then turn [color=x]...[/color] into a font tag
	echo preg_replace(
		'/\[color=(.*?)\](.*?)\[\/color\]/i',
		'<font color="$1">$2</font>',
		apply_filters( 'comment_text', $comment_text, $comment, $args )
	);
}

B. Edit the theme's comments.php, search for wp_list_comments and note the name of the theme's comment callback function, e.g.:

<?php wp_list_comments('type=comment&callback=mytheme_comment&end-callback=mytheme_end_comment'); ?>

The callback function in the code above is mytheme_comment, i.e. the value of callback.

Then edit functions.php, search for mytheme_comment, find that function and replace <?php comment_text() ?> with <?php comment_text_diy() ?>. That is all: the theme now calls our custom comment output function, which converts the colour shortcode into the corresponding HTML when the comment is loaded, giving coloured comments.

③. Dealing with the aftermath

Different themes may need different follow-up work. Take the Robin theme I currently use as an example: a recent-comments module may sit in the home page sidebar, and once the colour shortcode from this article is in use, previously coloured comments show raw shortcodes such as [color=red] in that module. That is not very pretty, so this data needs filtering.

Edit the target file (includes/widget/r_comments.php under the theme directory) and find:


Change it to:


Save it; the shortcode is now filtered out when the comments are output.

This is just one case. If other places need filtering, the principle is the same: add a regex that blanks out the shortcode, and handle the rest yourself!
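A hardened version of the load-time replacement from step ②, together with the shortcode stripping that step ③ needs, added here as an example (not code from Zhang Ge's blog or from WordPress). The page's regex captures anything up to the closing bracket as $1 and places it straight into the color attribute, so the value should be restricted to a colour name or hex triplet and attribute-escaped before output. The function names and the sample comments are my own; the script uses no WordPress functions and runs stand-alone with the php CLI.

```php
<?php
// Added example, not code from Zhang Ge's blog or from WordPress. Hardened
// shortcode replacement: the value is limited to a colour name or hex
// triplet and attribute-escaped before it goes into color="...". Runs
// stand-alone with the php CLI; no WordPress functions are used.

// Accepted colour values. Anything else (quotes, spaces, parentheses, ...)
// is not converted, so the shortcode stays visible as plain text.
const COLOR_VALUE = '(?:[a-z]{1,20}|#[0-9a-f]{3}|#[0-9a-f]{6})';

function color_shortcode_to_font(string $comment_text): string {
    $pattern = '/\[color=(' . COLOR_VALUE . ')\](.*?)\[\/color\]/is';
    return preg_replace_callback($pattern, function (array $m): string {
        // Escape the validated value for use inside a double-quoted attribute.
        // The inner text $m[2] is left as-is, exactly as the page's function
        // does: it already went through the kses filter when it was saved.
        $color = htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8');
        return '<font color="' . $color . '">' . $m[2] . '</font>';
    }, $comment_text);
}

// For step ③: remove well-formed shortcode markers from comment excerpts
// (e.g. a sidebar "recent comments" widget) so only the plain text shows.
function strip_color_shortcode(string $comment_text): string {
    return preg_replace('/\[(?:color=' . COLOR_VALUE . '|\/color)\]/i', '', $comment_text);
}

// Constructed sample comments for the demo.
$samples = [
    '[color=red]Red comment[/color] and plain text',
    '[color=#0a0]hex colour[/color]',
    '[color=rgb(0,0,0)]left untouched[/color]',
];
foreach ($samples as $s) {
    echo "as displayed : ", color_shortcode_to_font($s), "\n";
    echo "in excerpt   : ", strip_color_shortcode($s), "\n\n";
}
```

To use it in a theme, the body of color_shortcode_to_font would replace the preg_replace call inside comment_text_diy, and strip_color_shortcode would be applied in the recent-comments widget.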

