_wp_unfiltered_html_comment causes warning in XHTML1.0 Strict

  • I have chosen to use XHTML1.0 Strict on my pages. The use of _xxx as a name attribute causes a warning for this DTD. If you’re a validation nazi like me, this simply won’t do. I see no reason why the beginning underlines can’t be removed. There are two references to _wp_unfiltered_html_comment in the source, for example:

    grep -rn "_wp_unfiltered" *
    wp-comments-post.php:39:		if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
    wp-includes/comment-template.php:610:		wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false);

    There may be more things like this, but I have yet to have trouble with them. I have simply removed the leading underscores and pages are validating in the green again.

    Perhaps this simple change can be committed for 2.5.2?

Viewing 11 replies - 1 through 11 (of 11 total)
  • wait, you’re allowing unfiltered comments, and you’re concerned about validation?

    bold tags won’t validate… let alone the shit people will try to put in your comments, so I wouldn’t be too anal about that.

    If I’m misunderstanding you, then how do you explain this? by default, your comments will indeed validate to xhtml 1.0 strict…. so just don’t do whatever it is you’re doing if you want to be a validation nazi.

    No idea whether this helps.

    In your comments.php in your theme folder.

    Find: <?php do_action('comment_form', $post->ID); ?>
    Replace: <p><?php do_action('comment_form', $post->ID); ?></p>

    @ivovic – that wasn’t exactly helpful. If you can’t suggest a solution then I suggest you don’t waste your breath or our time by berating someone who notices a legitimate (albeit minor) issue with the code.

    Is there an option to not allow unfiltered comments?

    @gamerz – Wrapping in a paragraph does remove the validation error which is “<input> ID "_wp_unfiltered_html_comment" uses XML ID syntax”.

    Yes, I noticed the same thing. I looked at the code and realised that this appears only for me as I’m logged in, but not for an anonymous user or a general user.

    Anyway it is really annoying to see the validation error for myself.

    Where may be found usage of “_wp_unfiltered_html_comment”:
    1. wp-includes/comment-template.php
    line #610: wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false);

    2. wp-comments-post.php
    line #39: if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {

    in general just here, but some themes as well, for example popular k2 theme:

    3. wp-content\themes\k2\comments-ajax.php
    line #78: if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {

    what I would suggest and did myself is:
    I altered function wp_comment_form_unfiltered_html_nonce() at wp-includes/comment-template.php

    commented line:

    wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false);

    and added this line below:

    echo '<input type="hidden" id="wp_unfiltered_html_comment" name="_wp_unfiltered_html_comment" value="' . wp_create_nonce( 'unfiltered-html-comment_' . $post->ID ) . '" />';

    That’s it. (correct me if I’m wrong)

    Researching it, I noticed that wp function wp_nonce_field( $action = -1, $name = "_wpnonce", $referer = true , $echo = true ) has default value "_wpnonce" that is incorrect as well (as it is used for ID value as well).

    that is at
    line #979: function wp_nonce_field( $action = -1, $name = "_wpnonce", $referer = true , $echo = true ) {

    After launching my new website, I think I get what you mean.

    There’s no real reason for it having to retain the underscore, which is the only thing breaking validation that users can’t fix themselves in their themes. Has anyone submitted this as a bug yet?

    There should probably also be an option that allows administrators to stop registered users from being able to post unfiltered HTML, which is what this tag seems to do.

    FYI, Putting a <fieldset> in your form allows you to have ‘free-roaming’ <input> tags rather than needing to wrap them all in <p> tags. Just be sure to turn the <input> tags into blocks via CSS (display: block;), otherwise they’ll be inline elements. Same for your <label> tags.

    The problem’s still there (WP 2.6.2).
    Is it “dangerous” to modify in wp-includes/comment-template.php the
    wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false);

    to

    wp_nonce_field('unfiltered-html-comment_' . $post->ID, 'wp_unfiltered_html_comment', false);
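
Added example (not part of the thread and not WordPress code): the two lines quoted from wp-includes/comment-template.php and wp-comments-post.php are the emit and verify halves of one nonce check, joined by the action string and the POST field name. The sketch below uses hypothetical `demo_*` helpers, a constructed key and a constructed post ID to show that changing only the `id` leaves the check intact, while renaming the field on the emit side alone makes the quoted `if` take its mismatch branch.

```php
<?php
// Added illustration. The demo_* helpers are hypothetical stand-ins, not WordPress functions.
const DEMO_KEY   = 'constructed-demo-key';          // constructed secret
const POST_FIELD = '_wp_unfiltered_html_comment';   // key read by wp-comments-post.php in the thread

// Stand-in for wp_create_nonce(): a keyed hash of the action string.
function demo_create_nonce(string $action): string {
    return substr(hash_hmac('sha256', $action, DEMO_KEY), 0, 10);
}

// Emit side: what a browser would send back for a hidden field with this name.
// The HTML id attribute never reaches the server, only name=value does.
function demo_submitted_form(int $post_id, string $field_name): array {
    return [$field_name => demo_create_nonce('unfiltered-html-comment_' . $post_id)];
}

// Verify side: same action string, fixed POST key. isset() and hash_equals()
// stand in for the loose != of the quoted line so a missing key is handled explicitly.
function demo_nonce_ok(array $post, int $post_id): bool {
    $expected = demo_create_nonce('unfiltered-html-comment_' . $post_id);
    return isset($post[POST_FIELD]) && hash_equals($expected, (string) $post[POST_FIELD]);
}

$post_id = 42; // constructed post ID
$cases = [
    'original field name'            => '_wp_unfiltered_html_comment',
    'id changed, name kept'          => '_wp_unfiltered_html_comment',
    'name renamed on emit side only' => 'wp_unfiltered_html_comment',
];
foreach ($cases as $label => $field_name) {
    $ok = demo_nonce_ok(demo_submitted_form($post_id, $field_name), $post_id);
    printf("%-32s %s\n", $label, $ok ? 'nonce accepted' : 'nonce rejected');
}
```

Any rename of the `name` argument therefore has to be applied to every reader of that POST key at the same time, including theme copies such as the k2 file listed earlier in the thread.
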

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    The underscore character is valid as a starting character in an XHTML id field, any version. The validator is *wrong*.

    The XHTML 1.0 spec defines the id attribute as being of type “ID” here:

    It defines the “ID” type as having to match the “Name” definition here:

    And it defines the “Name” definition here:

    And this is the rule:
    Name ::= (Letter | '_' | ':') (NameChar)*

    Note that “Name” can start with a letter, an underscore, or a colon.

    So, the validator is wrong. Complain to them.

    ID and NAME tokens must begin with a letter ([A-Za-z]) and may be followed by any number of letters, digits ([0-9]), hyphens (“-”), underscores (“_”), colons (“:”), and periods (“.”).

    Any news on this topic?
    It’s really annoying to see this warning in your 100% valid template )

    And, by the way, what is an unfiltered comment? Is it one that contains HTML tags etc.? If so, how do I disallow everything but plain text in comments? I haven’t found such an option in settings.


    Are there any plans to fix this error?

  • The topic ‘_wp_unfiltered_html_comment causes warning in XHTML1.0 Strict’ is closed to new replies.