Verbum: Fix KSES filtering for users without posting caps (#35276)

Automattic · Jan 26, 2024 · c02befb · c02befb
1 parent ccb390e
commit c02befb
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/projects/packages/jetpack-mu-wpcom/changelog/fix-kses-for-blocks b/projects/packages/jetpack-mu-wpcom/changelog/fix-kses-for-blocks
@@ -0,0 +1,4 @@
+Significance: patch
+Type: security
+
+Allow users to post HTML when blocks are enabled
diff --git a/...es/jetpack-mu-wpcom/src/features/verbum-comments/assets/class-verbum-gutenberg-editor.php b/...es/jetpack-mu-wpcom/src/features/verbum-comments/assets/class-verbum-gutenberg-editor.php
@@ -29,11 +29,23 @@ function () {
 			},
 			9999
 		);
+		add_filter( 'init', array( $this, 'remove_strict_kses_filters' ) );
 		add_filter( 'comment_text', array( $this, 'render_verbum_blocks' ) );
 		add_filter( 'pre_comment_content', array( $this, 'remove_blocks' ) );
 		add_filter( 'wp_enqueue_scripts', array( $this, 'enqueue_assets' ) );
 	}
 
+	/**
+	 * Default KSES filters on wpcom only allow HTML for admins and people who can post "posts" to the blog they're commenting on.
+	 * See: wp-includes/kses.php (this one adds the restrictions).
+	 * See: wp-content/mu-plugins/misc.php (this one removes it, but only has_cap('publish_posts')).
+	 */
+	public function remove_strict_kses_filters() {
+		// Allow HTML when blocks are enabled.
+		remove_filter( 'pre_comment_content', 'wp_filter_kses' );
+		add_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+	}
+
 	/**
 	 * Enqueue the assets for the Gutenberg editor
 	 */