Fixing comment_class / body_class output that exposes registered usernames


If the `<li>` elements of your comment list carry the output of `comment_class()`, you can use the method below to fix a security issue: those classes expose the usernames (the `user_nicename`) of administrators and other registered users, which invites unnecessary trouble.

The exposed and the fixed output look like this (screenshots):


Add the following code to your theme's functions.php:

```php
function acgcss_change_comment_or_body_classes( $classes, $css_class = '', $comment_id = null ) {
	global $wp_query;

	// 'comment_class' passes ( $classes, $css_class, $comment_id, $comment, $post );
	// 'body_class' passes only ( $classes, $css_class ), so $comment_id is null on the body tag.
	$comment_author = null;
	$comment        = $comment_id ? get_comment( $comment_id ) : null;
	$user           = ( $comment && $comment->user_id ) ? get_userdata( $comment->user_id ) : false;
	if ( $user ) {
		// This is exactly the class WordPress builds for a registered commenter.
		$comment_author = 'comment-author-' . sanitize_html_class( $user->user_nicename, $comment->user_id );
	}

	// Only an author archive queries a WP_User; elsewhere there is no author-{nicename} class to rewrite.
	$archive_author = null;
	$author         = $wp_query->get_queried_object();
	if ( $author instanceof WP_User ) {
		$archive_author = 'author-' . sanitize_html_class( $author->user_nicename, $author->ID );
	}

	foreach ( $classes as $key => $class ) {
		if ( $class === $comment_author ) {
			// Nickname variant: $classes[ $key ] = 'comment-author-' . sanitize_html_class( $comment->comment_author, $comment->user_id );
			$classes[ $key ] = 'comment-author-' . sanitize_html_class( (string) $comment->user_id );
		} elseif ( $class === $archive_author ) {
			// Nickname variant: $classes[ $key ] = 'author-' . sanitize_html_class( get_the_author_meta( 'display_name' ), $author->ID );
			$classes[ $key ] = 'author-' . sanitize_html_class( (string) $author->ID );
		}
	}

	return $classes;
}
// Accepted-argument counts match what each filter actually passes.
add_filter( 'comment_class', 'acgcss_change_comment_or_body_classes', 10, 3 );
add_filter( 'body_class', 'acgcss_change_comment_or_body_classes', 10, 2 );
```

Note: the two commented-out lines are the nickname (display name) variant of the replacement; if you do not need them, you can ignore them.
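To verify the fix on a rendered page, the following added check (not part of the original post) scans captured HTML for `comment-author-*` and `author-*` class tokens whose suffix is not a numeric user ID; the HTML sample inside it is constructed, and the `ignore` set is a hypothetical allowlist for the theme's own classes.

```python
"""Check rendered WordPress HTML for class tokens that still carry a user_nicename.

WordPress emits `comment-author-{nicename}` on each comment <li> and
`author-{nicename}` on <body> for author archives.  After the filter from the
post is installed, only the numeric `comment-author-{ID}` / `author-{ID}` forms
should remain.  Theme classes such as `author-bio` are listed too, so treat the
result as a review list, not a verdict.
"""
import re
from html.parser import HTMLParser

# Longer prefix first so 'comment-author-x' is not mis-classified as 'author-x'.
PREFIXES = ("comment-author-", "author-")
NUMERIC = re.compile(r"^\d+$")

# Constructed sample: <body> of an author archive plus one leaking and one fixed comment.
SAMPLE_HTML = """
<body class="archive author author-admin author-1 logged-in">
<ol class="comment-list">
  <li class="comment byuser comment-author-admin bypostauthor even depth-1" id="comment-12">leak</li>
  <li class="comment byuser comment-author-1 bypostauthor odd depth-1" id="comment-13">fixed</li>
</ol></body>
"""


class _ClassCollector(HTMLParser):
    """Collect (tag, token) for every class token of every element."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "class" and value:
                self.tokens.extend((tag, token) for token in value.split())


def find_leaking_classes(html, ignore=()):
    """Return (tag, token) pairs whose suffix after a known prefix is not a numeric ID."""
    parser = _ClassCollector()
    parser.feed(html)
    leaks = []
    for tag, token in parser.tokens:
        for prefix in PREFIXES:
            if token.startswith(prefix):
                suffix = token[len(prefix):]
                if suffix and not NUMERIC.match(suffix) and token not in ignore:
                    leaks.append((tag, token))
                break
    return leaks
```

The numeric ID that replaces the nicename is still public, which is why a digit-only suffix counts as expected output here.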
