From 9943423a1ff3897ed1b9e04d6916aedb8d430255 Mon Sep 17 00:00:00 2001
From: Faris Ansari
Date: Wed, 6 Apr 2022 16:10:14 +0530
Subject: [PATCH 1/3] fix: strip html from blog comments to prevent spam
---
 frappe/templates/includes/comments/comment.html | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/frappe/templates/includes/comments/comment.html b/frappe/templates/includes/comments/comment.html
index e0fc1c3c54..5be36d65a9 100644
--- a/frappe/templates/includes/comments/comment.html
+++ b/frappe/templates/includes/comments/comment.html
@@ -1,13 +1,17 @@
 {% from "frappe/templates/includes/avatar_macro.html" import avatar %}
-
+
- {{ avatar(user_id=(comment.comment_email or comment.sender), size='avatar-medium') }} + {{ avatar(user_id=(frappe.utils.strip_html(comment.comment_email or comment.sender)), size='avatar-medium') }}
-
- {{ comment.sender_full_name or comment.comment_by }} - {{ frappe.utils.pretty_date(comment.creation) }} +
+ + {{ frappe.utils.strip_html(comment.sender_full_name or comment.comment_by) | e }} + + + {{ frappe.utils.pretty_date(comment.creation) }} +
{{ comment.content | markdown }}
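Review bot: The avatar call on the third line of the hunk passes the stripped e-mail/sender into the macro with no `| e`, whereas the name span that follows gets both `strip_html` and `| e`; `strip_html` is a regex tag remover rather than a sanitizer, so quotes and `&` survive and safe rendering of that value rests on whatever `avatar_macro.html` does with `user_id`, which is outside this diff. Worth confirming the macro escapes before interpolating into an attribute or text node, or escaping at this call site if it does not (keeping in mind the value may also serve as a lookup key there). Stripping at render time leaves the stored Comment fields unchanged, so other consumers of `comment_email`, `comment_by` and `content` (API responses, feeds, notifications) still receive the raw markup; sanitizing in the Comment doctype's validate hook would cover them all. The element markup of these lines appears to have been lost in this rendering of the patch, so the exact structure was not checked.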
From e13c74b53ffba6be8989e2f52d1875c46c87717e Mon Sep 17 00:00:00 2001
From: Faris Ansari
Date: Wed, 6 Apr 2022 16:28:57 +0530
Subject: [PATCH 2/3] fix: strip html from comment content
---
 frappe/templates/includes/comments/comment.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/templates/includes/comments/comment.html b/frappe/templates/includes/comments/comment.html
index 5be36d65a9..4713ee498d 100644
--- a/frappe/templates/includes/comments/comment.html
+++ b/frappe/templates/includes/comments/comment.html
@@ -13,6 +13,6 @@
 {{ frappe.utils.pretty_date(comment.creation) }}
-
{{ comment.content | markdown }}
+
{{ frappe.utils.strip_html(comment.content) | markdown }}
\ No newline at end of file
From ae335f5e1c96ac8febb7a42ac6c19b6ae3393a70 Mon Sep 17 00:00:00 2001
From: Faris Ansari
Date: Wed, 6 Apr 2022 16:29:22 +0530
Subject: [PATCH 3/3] test: spam links shouldn't render on blog post
---
 .../doctype/blog_post/test_blog_post.py | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/frappe/website/doctype/blog_post/test_blog_post.py b/frappe/website/doctype/blog_post/test_blog_post.py
index d649d25f7e..575b6c0fc0 100644
--- a/frappe/website/doctype/blog_post/test_blog_post.py
+++ b/frappe/website/doctype/blog_post/test_blog_post.py
@@ -117,6 +117,34 @@ class TestBlogPost(unittest.TestCase):
 frappe.flags.force_website_cache = True
+ def test_spam_comments(self):
+ # Make a temporary Blog Post (and a Blog Category)
+ blog = make_test_blog('Test Spam Comment')
+
+ # Create a spam comment
+ frappe.get_doc(
+ doctype="Comment",
+ comment_type="Comment",
+ reference_doctype="Blog Post",
+ reference_name=blog.name,
+ comment_email="spam",
+ comment_by="spam",
+ published=1,
+ content="More spam content. spam with link.",
+ ).insert()
+
+ # Visit the blog post page
+ set_request(path=blog.route)
+ blog_page_response = get_response()
+ blog_page_html = frappe.safe_decode(blog_page_response.get_data())
+
+ self.assertNotIn('spam', blog_page_html)
+ self.assertIn("More spam content. spam with link.", blog_page_html)
+
+ # Cleanup
+ frappe.delete_doc("Blog Post", blog.name)
+ frappe.delete_doc("Blog Category", blog.blog_category)
+
 def scrub(text):
 return WebsiteGenerator.scrub(None, text)
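Review bot: `frappe.utils.strip_html(comment.content) | markdown` on the added line removes tags before Markdown runs, but Markdown syntax itself still yields links (`[text](url)`, and bare-URL autolinking if the markdown filter's extras enable it), so only HTML-tag spam is blocked here and the goal stated in the commit subject is not fully met. A whitelist sanitizer such as `frappe.utils.sanitize_html` applied to the markdown output, with `a` dropped from the allowed tags if comments should carry no links at all, is the place to enforce that reliably. `strip_html` is also a blunt regex, so a comment containing a literal `<` … `>` pair (e.g. `a < b and c > d`) silently loses text, which should be weighed against the spam benefit. The enclosing element of this line is not visible because the markup was lost in this rendering.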
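Review bot: The cleanup at the end of `test_spam_comments` runs only when both assertions pass; on a failure the `Test Spam Comment` Blog Post and its category stay in the database and can disturb later tests in `TestBlogPost`. Registering the deletions right after `make_test_blog` makes them unconditional: `self.addCleanup(frappe.delete_doc, "Blog Category", blog.blog_category)` then `self.addCleanup(frappe.delete_doc, "Blog Post", blog.name)` (addCleanup runs last-registered first, so the post is removed before the category, as in the current code). The inserted Comment is never deleted explicitly; unless `frappe.delete_doc` on the Blog Post cascades to its comments, it is leaked too. The `assertNotIn('spam', ...)` literal cannot be a bare `spam` given the `assertIn` on the next line that contains the word, so the markup of that string seems to have been lost in this rendering; the assertion should name the specific attribute that must not survive (the `href`) rather than a word also present in the allowed text. The test covers only HTML-tag input, and a Markdown-syntax link in `content` would still render through the `markdown` filter, so a second case for that input would make the test match the subject line.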