authorDries Buytaert <dries@buytaert.net>2007-03-01 19:53:04 +0000
committerDries Buytaert <dries@buytaert.net>2007-03-01 19:53:04 +0000
commitb95f496bbcac6a063cfb8f455ebb9301f056ff3f (patch)
tree07c324a729d5fa2eadcfccafa71633523f512344 /modules/comment/comment.module
parent6ee8563edbd2ef7002ccc8cc1527e0abc9be27b6 (diff)
- Backporting comment module validation fixes. Already went into DRUPAL-5.
Diffstat (limited to 'modules/comment/comment.module')
-rw-r--r--modules/comment/comment.module36
1 files changed, 19 insertions, 17 deletions
diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index 91b7601fc..d80d0a2e0 100644
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -1589,24 +1589,26 @@ function comment_form_add_preview($form, $edit) {
$output = '';
- comment_validate($edit);
- $comment = (object)_comment_form_submit($edit);
-
- // Attach the user and time information.
- if ($edit['author']) {
- $account = user_load(array('name' => $edit['author']));
- }
- elseif ($user->uid && !isset($edit['is_anonymous'])) {
- $account = $user;
- }
- if ($account) {
- $comment->uid = $account->uid;
- $comment->name = check_plain($account->name);
- }
- $comment->timestamp = !empty($edit['timestamp']) ? $edit['timestamp'] : time();
-
- // Preview the comment with security check.
+ // Invoke full validation for the form, to protect against cross site
+ // request forgeries (CSRF) and setting arbitrary values for fields such as
+ // the input format. Preview the comment only when form validation does not
+ // set any errors.
+ drupal_validate_form($form['form_id']['#value'], $form);
if (!form_get_errors()) {
+ $comment = (object)_comment_form_submit($edit);
+
+ // Attach the user and time information.
+ if ($edit['author']) {
+ $account = user_load(array('name' => $edit['author']));
+ }
+ elseif ($user->uid && !isset($edit['is_anonymous'])) {
+ $account = $user;
+ }
+ if ($account) {
+ $comment->uid = $account->uid;
+ $comment->name = check_plain($account->name);
+ }
+ $comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
$output .= theme('comment_view', $comment);
}
$form['comment_preview'] = array(