Comments: Fix apostrophe in author name breaking comment_whitelist check

Sukhendu2002 · Sukhendu2002 · commit 5f6c43ab7a29 · 2026-04-16T12:02:14.000+05:30
diff --git a/src/wp-includes/comment.php b/src/wp-includes/comment.php
@@ -141,7 +141,6 @@ function check_comment( $author, $email, $url, $comment, $user_ip, $user_agent,
 					)
 				);
 			} else {
-				// expected_slashed ($author, $email)
 				$ok_to_comment = $wpdb->get_var(
 					$wpdb->prepare(
 						"SELECT comment_approved
@@ -150,8 +149,8 @@ function check_comment( $author, $email, $url, $comment, $user_ip, $user_agent,
 						AND comment_author_email = %s
 						AND comment_approved = '1'
 						LIMIT 1",
-						$author,
-						$email
+						wp_unslash( $author ),
+						wp_unslash( $email )
 					)
 				);
 			}
diff --git a/tests/phpunit/tests/comment/wpAllowComment.php b/tests/phpunit/tests/comment/wpAllowComment.php
@@ -52,6 +52,55 @@ public function test_allow_comment_if_comment_author_emails_differ() {
 		$this->assertSame( 1, $result );
 	}
 
+	/**
+	 * @ticket 40319
+	 * @covers ::check_comment
+	 */
+	public function test_allow_comment_if_previously_approved_author_name_and_email_contain_apostrophe() {
+		update_option( 'comment_previously_approved', 1 );
+		add_filter( 'comment_flood_filter', '__return_false' );
+
+		$now = time();
+
+		// Insert an already-approved comment with apostrophe in name and email.
+		$approved_comment_id = wp_insert_comment(
+			array(
+				'comment_post_ID'      => self::$post_id,
+				'comment_approved'     => '1',
+				'comment_author'       => "O'Brien",
+				'comment_author_email' => "o'brien@example.com",
+				'comment_author_url'   => 'http://example.com',
+				'comment_content'      => 'Test comment.',
+				'comment_parent'       => 0,
+				'comment_author_IP'    => '192.168.0.1',
+				'comment_date_gmt'     => gmdate( 'Y-m-d H:i:s', $now - 60 ),
+				'comment_agent'        => 'TestAgent/1.0',
+				'comment_type'         => '',
+			)
+		);
+
+		$new_comment = array(
+			'comment_post_ID'      => self::$post_id,
+			'comment_author'       => wp_slash( "O'Brien" ),
+			'comment_author_email' => wp_slash( "o'brien@example.com" ),
+			'comment_author_url'   => 'http://example.com',
+			'comment_content'      => 'A new comment.',
+			'comment_parent'       => 0,
+			'comment_author_IP'    => '192.168.0.1',
+			'comment_date_gmt'     => gmdate( 'Y-m-d H:i:s', $now ),
+			'comment_agent'        => 'TestAgent/1.0',
+			'comment_type'         => '',
+		);
+
+		$result = wp_allow_comment( $new_comment );
+
+		wp_delete_comment( $approved_comment_id, true );
+		update_option( 'comment_previously_approved', 0 );
+		remove_filter( 'comment_flood_filter', '__return_false' );
+
+		$this->assertSame( 1, $result, 'Comment from previously-approved author with apostrophe in name/email should be auto-approved.' );
+	}
+
 	public function test_die_as_duplicate_if_comment_author_name_and_emails_match() {
 		$this->expectException( 'WPDieException' );
 

Original file line number	Diff line number	Diff line change
`@@ -141,7 +141,6 @@ function check_comment( $author, $email, $url, $comment, $user_ip, $user_agent,`
`141`	`141`	`)`
`142`	`142`	`);`
`143`	`143`	`} else {`
`144`		`- // expected_slashed ($author, $email)`
`145`	`144`	`$ok_to_comment = $wpdb->get_var(`
`146`	`145`	`$wpdb->prepare(`
`147`	`146`	`"SELECT comment_approved`
`@@ -150,8 +149,8 @@ function check_comment( $author, $email, $url, $comment, $user_ip, $user_agent,`
`150`	`149`	`AND comment_author_email = %s`
`151`	`150`	`AND comment_approved = '1'`
`152`	`151`	`LIMIT 1",`
`153`		`- $author,`
`154`		`- $email`
	`152`	`+ wp_unslash( $author ),`
	`153`	`+ wp_unslash( $email )`
`155`	`154`	`)`
`156`	`155`	`);`
`157`	`156`	`}`