Commit b95f496b authored by Dries's avatar Dries

- Backporting comment module validation fixes. Already went into DRUPAL-5.

parent 6ee8563e
......@@ -1589,24 +1589,26 @@ function comment_form_add_preview($form, $edit) {
$output = '';
comment_validate($edit);
$comment = (object)_comment_form_submit($edit);
// Attach the user and time information.
if ($edit['author']) {
$account = user_load(array('name' => $edit['author']));
}
elseif ($user->uid && !isset($edit['is_anonymous'])) {
$account = $user;
}
if ($account) {
$comment->uid = $account->uid;
$comment->name = check_plain($account->name);
}
$comment->timestamp = !empty($edit['timestamp']) ? $edit['timestamp'] : time();
// Preview the comment with security check.
// Invoke full validation for the form, to protect against cross site
// request forgeries (CSRF) and setting arbitrary values for fields such as
// the input format. Preview the comment only when form validation does not
// set any errors.
drupal_validate_form($form['form_id']['#value'], $form);
if (!form_get_errors()) {
$comment = (object)_comment_form_submit($edit);
// Attach the user and time information.
if ($edit['author']) {
$account = user_load(array('name' => $edit['author']));
}
elseif ($user->uid && !isset($edit['is_anonymous'])) {
$account = $user;
}
if ($account) {
$comment->uid = $account->uid;
$comment->name = check_plain($account->name);
}
$comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
$output .= theme('comment_view', $comment);
}
$form['comment_preview'] = array(
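Review bot: The timestamp line inside the `if (!form_get_errors())` guard reads `$edit['timestamp']` directly, while the other copy of this block printed above it uses `!empty($edit['timestamp'])`. The page has lost its +/- markers, but if the guarded copy is the new side, the commit drops that check and a preview submitted without a timestamp reads an unset key; keeping `$comment->timestamp = !empty($edit['timestamp']) ? $edit['timestamp'] : time();` avoids that. `$account` is also tested by `if ($account)` without having been set when neither branch above it runs, so `$account = NULL;` before the `if ($edit['author'])` chain would make the intent explicit. The body of comment_form_add_preview starts before and continues after this hunk.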
......
......@@ -2027,6 +2027,10 @@ function node_form_add_preview($form) {
$op = isset($form_values['op']) ? $form_values['op'] : '';
if ($op == t('Preview')) {
// Invoke full validation for the form, to protect against cross site
// request forgeries (CSRF) and setting arbitrary values for fields such as
// the input format. Preview the node only when form validation does not
// set any errors.
drupal_validate_form($form['form_id']['#value'], $form);
if (!form_get_errors()) {
// Because the node preview may display a form, we must render it
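Review bot: The guard on `form_get_errors()` is called with no arguments, so presumably any error recorded earlier in the request, not only one from this form, also suppresses the node preview. That fails closed, which is the safe direction, but it deserves a one-line comment such as `// form_get_errors() is not limited to this form; any recorded error blocks the preview.` The same applies to the guard in comment_form_add_preview. The body of node_form_add_preview starts before and continues after this hunk, so whether anything is rendered outside the guard cannot be checked from here.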
......