Spam Comments with Very Long URLs

Super long URLs are a sure-fire sign the comment is spammy. This will mark comments whose author URL (the URL submitted with the comment, not URLs in the comment text) is longer than 50 characters as spam, and otherwise leave their state the way it is.

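<?php

  // $approved is the status decided so far; $commentdata holds the submitted comment fields.
  function rkv_url_spamcheck( $approved , $commentdata ) {
    // Only the author URL field is measured, not links in the comment body.
    return ( strlen( $commentdata['comment_author_url'] ) > 50 ) ? 'spam' : $approved;
  }

  // Priority 99 runs this check late; 2 is the number of arguments the callback accepts.
  add_filter( 'pre_comment_approved', 'rkv_url_spamcheck', 99, 2 );

?>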
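
A variant of the filter above that keeps stricter earlier decisions and tolerates a missing author URL. This is an added example, not the snippet author's code; the function name `example_author_url_spamcheck` and the constant are hypothetical, and outside WordPress it runs against constructed sample comments.

```php
<?php
// Added example, not the snippet author's code. The function name and the
// constant below are hypothetical; only the hook name comes from the page.
const EXAMPLE_MAX_AUTHOR_URL_LENGTH = 50; // threshold stated on the page

function example_author_url_spamcheck( $approved, $commentdata ) {
    // Keep decisions already made earlier in the chain: a WP_Error rejection,
    // 'trash' or 'spam' is passed through untouched.
    if ( is_object( $approved ) || 'trash' === $approved || 'spam' === $approved ) {
        return $approved;
    }

    // The field can be absent or non-string (e.g. comments created in code).
    $url = $commentdata['comment_author_url'] ?? '';
    if ( ! is_string( $url ) ) {
        return $approved;
    }

    // Measure the trimmed value so padding alone does not push a URL over the limit.
    return ( strlen( trim( $url ) ) > EXAMPLE_MAX_AUTHOR_URL_LENGTH ) ? 'spam' : $approved;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: register on the same hook the page uses.
    add_filter( 'pre_comment_approved', 'example_author_url_spamcheck', 99, 2 );
} else {
    // Outside WordPress: run against constructed sample comments.
    $long    = 'https://example.com/' . str_repeat( 'a', 60 );
    $samples = array(
        'short url'       => array( 1, array( 'comment_author_url' => 'https://example.com/' ) ),
        'long url'        => array( 1, array( 'comment_author_url' => $long ) ),
        'missing field'   => array( 0, array() ),
        'already trashed' => array( 'trash', array( 'comment_author_url' => $long ) ),
    );
    foreach ( $samples as $label => list( $approved, $data ) ) {
        $result = example_author_url_spamcheck( $approved, $data );
        printf( "%-16s => %s\n", $label, var_export( $result, true ) );
    }
}
```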

Comments

  1.

    The URL for this page is 74 characters long.

  2.

    Oh, only for the author URL – I see.

    I read “not just in the text” as “not only in the text”. My mistake – although I suspect other people might trip over this, too. Perhaps it would be clearer if you mentioned “author URLs” in the headline or the first sentence as well?

  3. Dave

    I’ve just found out that WordPress seems to accept a working script in a comment. This seems like a big no-no based on other things I’ve read about sanitizing user input before spitting it back out again. I’ll try it here and see if it works on your site too: alert(‘really?!?’).

    If your site is like mine, this page will now alert “really?!?” every time it is refreshed. On the other hand, if you have prevented this from happening, I’d hope to learn an effective approach to doing so on my site.

    If this little script does play here — and probably on millions of other WP sites — I’d sure love to hear your take on the safety of this.

    Thanks,

    Dave

    • Dave

      I see that your comment form has stripped out the script tags and just left the innocuous string as a part of the message. Very nice.

      I put a question about this on the WordPress.org support forum yesterday, and the response I got was “Try blocking the keywords usually used in scripts such as script, type, javascript, etc. in comment blacklist by going to your discussion settings (dashboard).” This didn’t seem particularly reassuring to me.

      Can you please give me a pointer to the best way to tighten up the comments form on my site?

      Thanks again,

      Dave
