Tweaking WordPress to accept PGP-signed comments nicely
Because I’ll have forgotten by the next time I need to know, here’s what I hope is a complete list of how to tweak WordPress to store comments exactly as they are submitted, and only clean them up for display, so you can accept PGP-signed comments without mangling them:
- Install the OpenPGPComment plugin.
- If I haven’t reported the bugs and gotten them fixed yet:
  - In `signature-popup.php`, find the line left over from the original that says `add_filter('comment_text', 'popuplinks');` and delete it.
  - At the bottom, below `remove_filter('comment_text', 'wp_filter_kses');` add another `remove_filter('comment_text', 'wp_filter_kses', 8);` to get rid of the one you’re about to add.
  - In `openpgpcomment.php`, after editing the site URL (which it really ought to be getting from WP’s options), find the part where the comment text is put into a textarea so HTML doesn’t get parsed, and add a `htmlspecialchars()` around `$comment_text` so that character entity references in the original get parsed back to their original state by the textarea, not actually replaced by characters.
- Make yourself a plugin to reorder operations, taking out all the default `pre_comment_content` filters, and the `comment_save_pre` call to `balanceTags`, and adding back the useful `wp_filter_kses` and `balanceTags` as filters on `comment_text` at the time of display, rather than before saving. Pray that’s not too slow (doesn’t seem to be even a detectable difference with 50-75 comments).
- Because `confirmdeletecomment`, where you go from the comment notification email or the delete button on the “edit a comment” page, is overconfident about how safe it is to render HTML from a raw comment out of the database, add another `htmlspecialchars()` around where `$commentdata["comment_content"]` is inserted in the page (unless I’ve successfully reported that as a bug, too: that’s a lot of faith in kses’s invulnerability).
- Cross your fingers, and invite your PGP-signing commenters to do their worst with signed broken HTML and difficult to get right characters and entity references. Though possibly somewhere temporary like http://dev.philringnalda.com/wp152comm/ where comment feed subscribers don’t have to follow along.
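The effect of the `htmlspecialchars()` fix on the verification textarea, as an added example that is not code from OpenPGPComment or WordPress: a stand-alone PHP script that compares what a reader would copy out of the textarea with the stored text, before and after escaping. The helper `textarea_value_seen_by_reader()` is a hypothetical, simplified model of how a browser parses textarea content, and the sample comment is constructed.

```php
<?php
// Added example. Simplified model of browser <textarea> parsing (an assumption):
// the element ends at the first "</textarea" and character references are decoded.
function textarea_value_seen_by_reader(string $markup_inside_textarea): string
{
    $end = stripos($markup_inside_textarea, '</textarea');
    if ($end !== false) {
        // Everything after this point would be parsed by the browser as live HTML.
        $markup_inside_textarea = substr($markup_inside_textarea, 0, $end);
    }
    return html_entity_decode($markup_inside_textarea, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: the exact bytes the commenter signed and the database stored.
$stored = "-----BEGIN PGP SIGNED MESSAGE-----\n"
        . "Hash: SHA256\n\n"
        . "Write &amp; to show an ampersand; 1 < 2 &copy; </textarea><b>oops</b>\n"
        . "-----BEGIN PGP SIGNATURE-----\n"
        . "(constructed placeholder, not a real signature)\n"
        . "-----END PGP SIGNATURE-----\n";

$cases = [
    'raw'     => $stored,                                        // before the fix
    'escaped' => htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), // after the fix
];

foreach ($cases as $label => $markup) {
    $seen = textarea_value_seen_by_reader($markup);
    printf(
        "%-8s byte-identical to stored text: %-3s textarea closed early: %s\n",
        $label,
        hash_equals(hash('sha256', $stored), hash('sha256', $seen)) ? 'yes' : 'no',
        stripos($markup, '</textarea') !== false ? 'yes' : 'no'
    );
}
```

Any difference between the copied text and the stored text makes signature verification fail, and a textarea that closes early lets the rest of the raw comment render as markup on the verification page.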
For the “I know it’s not right yet” list:
- Anything outside the signature isn’t displayed in the regular stripped view, only in the verification textarea. Nice as that is for passing secret messages, when someone pastes something signed into a comment, that winds up being the only part of their comment that’s displayed.
Update: One more fix, in `openpgpcomments.php`: Add `$doing_rss` to the list of `global`s in function `openpgpcomment`, and then before the line that strips the signature and adds the verification link, add `$verify_popup = ($doing_rss) ? "" : ' onclick="window.open(this.href, \'comments\', \'width=600,height=450,scrollbars=yes,status=no\'); return false"';`, and replace the `onclick`… with `$verify_popup`, so that the validator doesn’t have to chide you about using `onclick` in your comment feeds.
[…] OpenPGPComment and Tweaking WordPress to accept PGP-signed comments nicely; […]
OpenPGPComment 1.2
Prompted by a TrackBack from Phil Ringnalda, who listed a few suggested corrections and improvements on his weblog, I have incorporated these changes and bumped my WordPress plugin OpenPGPComment to version 1.2.
…