- Backporting comment module validation fixes. Already went into DRUPAL-5.

b95f496b · Dries · 6ee8563e · b95f496b · b95f496b
Commit b95f496b authored Mar 01, 2007 by Dries
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -1589,24 +1589,26 @@ function comment_form_add_preview($form, $edit) {

  $output = '';

-  comment_validate($edit);
-  $comment = (object)_comment_form_submit($edit);
-
-  // Attach the user and time information.
-  if ($edit['author']) {
-    $account = user_load(array('name' => $edit['author']));
-  }
-  elseif ($user->uid && !isset($edit['is_anonymous'])) {
-    $account = $user;
-  }
-  if ($account) {
-    $comment->uid = $account->uid;
-    $comment->name = check_plain($account->name);
-  }
-  $comment->timestamp = !empty($edit['timestamp']) ? $edit['timestamp'] : time();
-
-  // Preview the comment with security check.
+  // Invoke full validation for the form, to protect against cross site
+  // request forgeries (CSRF) and setting arbitrary values for fields such as
+  // the input format. Preview the comment only when form validation does not
+  // set any errors.
+  drupal_validate_form($form['form_id']['#value'], $form);
  if (!form_get_errors()) {
+    $comment = (object)_comment_form_submit($edit);
+
+    // Attach the user and time information.
+    if ($edit['author']) {
+      $account = user_load(array('name' => $edit['author']));
+    }
+    elseif ($user->uid && !isset($edit['is_anonymous'])) {
+      $account = $user;
+    }
+    if ($account) {
+      $comment->uid = $account->uid;
+      $comment->name = check_plain($account->name);
+    }
+    $comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
    $output .= theme('comment_view', $comment);
  }
  $form['comment_preview'] = array(

--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -2027,6 +2027,10 @@ function node_form_add_preview($form) {

  $op = isset($form_values['op']) ? $form_values['op'] : '';
  if ($op == t('Preview')) {
+    // Invoke full validation for the form, to protect against cross site
+    // request forgeries (CSRF) and setting arbitrary values for fields such as
+    // the input format. Preview the node only when form validation does not
+    // set any errors.
    drupal_validate_form($form['form_id']['#value'], $form);
    if (!form_get_errors()) {
      // Because the node preview may display a form, we must render it