Because I’ll have forgotten by the next time I need to know, here’s what I hope is a complete list of how to tweak WordPress to store comments exactly as they are submitted, and only clean them up for display, so you can accept PGP-signed comments without mangling them:
- Install the OpenPGPComment plugin.
- If I haven’t reported the bugs and gotten them fixed yet:
signature-popup.php, find the line left over from the original that says
add_filter('comment_text', 'popuplinks');and delete it
- At the bottom, below
remove_filter('comment_text', 'wp_filter_kses');add another
remove_filter('comment_text', 'wp_filter_kses', 8);to get rid of the one you’re about to add.
openpgpcomment.php, after editing the site URL (which it really ought to be getting from WP’s options), find the part where
the comment text is put into a textarea so HTML doesn’t get parsed,and add a
$comment_textso that character entity references in the original get parsed back to their original state by the textarea, not actually replaced by characters.
- Make yourself a plugin to reorder operations, taking out all the default
pre_comment_contentfilters, and the
balanceTags, and adding back the useful
balanceTagsas filters on
comment_textat the time of display, rather than before saving. Pray that’s not too slow (doesn’t seem to be even a detectable difference with 50-75 comments).
confirmdeletecomment, where you go from the comment notification email or the delete button on the “edit a comment” page, is overconfident about how safe it is to render HTML from a raw comment out of the database, add another
$commentdata["comment_content"]is inserted in the page (unless I’ve successfully reported that as a bug, too: that’s a lot of faith in kses’s invulnerability).
- Cross your fingers, and invite your PGP-signing commenters to do their worst with signed broken HTML and difficult to get right characters and entity references. Though possibly somewhere temporary like http://dev.philringnalda.com/wp152comm/ where comment feed subscribers don’t have to follow along.
For the “I know it’s not right yet” list:
- Anything outside the signature isn’t displayed in the regular stripped view, only in the verification textarea. Nice as that is for passing secret messages, when someone pastes something signed into a comment, that winds up being the only part of their comment that’s displayed.
Update: One more fix, in
$doing_rss to the list of
function openpgpcomment, and then before the line that strips the signature and adds the verification link, add
$verify_popup = ($doing_rss) ? "" : ' onclick="window.open(this.href, \'comments\', \'width=600,height=450,scrollbars=yes,status=no\'); return false"';, and replace the
$verify_popup, so that the validator doesn’t have to chide you about using
onclick in your comment feeds.