isn't quite ashamed enough to present

jr conlin's ink stained banana

2007-12-04

::Wordpress' Auto Spammer

Ok, this is stupid.

Buried deep in v. 2.3.1's comment handler code (comment.php) is the following:

    // Look for numeric character references (&#NN;) anywhere in the
    // comment body, author name or URL.
    if ( preg_match_all('/&#(\d+);/', $comment . $author . $url, $chars) ) {
        foreach ( (array) $chars[1] as $char ) {
            // If it's an encoded char in the normal ASCII set, reject
            if ( 38 == $char )
                continue; // Unless it's &
            if ( $char < 128 )
                return true; // true here means "treat as spam"
        }
    }

Ok, you see that right there? That's stupid. What that does is look for numeric character references like &#34; (anything below 128, with &#38; as the one exception), and when it finds one it marks the comment as insta-spam. Do not pass go, do not collect $200.

Once again, the comment doesn't go to moderation, it's marked as spam.

This, of course, is designed to catch folks who, i dunno, spell out Viagra in long form (e.g. &#86;&#105;&#97;&#103;&#114;&#97;). i'm not sure why they feel compelled to do that rather than check the string after running it through html_entity_decode(). More importantly, if you have something that properly converts double-quotes to &#34; (because that's far safer than processing raw " characters in forms), you're not even given the option of seeing what that comment was. It's off to the spam list for you, bucko.

You CAN fix this horrid little mistake of code by adding the following to an enabled custom plugin:

// Runs on the 'pre_comment_content' hook, i.e. before wp_blacklist_check()
// sees the comment body.
function isb_comment_content($content)
{
    // i have to do this because wp_blacklist_check automatically bitbuckets anything with &#xx;
    return html_entity_decode($content, ENT_QUOTES);
}
add_filter('pre_comment_content', 'isb_comment_content');

This will allow for normal, controlled blacklist and graylist checking, as well as Akismet or any other normal, rational, configurable check systems you may have in place.
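To make the false positive concrete, here is an added example (mine, not WordPress code) that reproduces the 2.3.1 entity check as a stand-alone function and puts it beside the decode-then-match approach described above. The word list, the two sample comments and the function names are constructed for the example.

```php
<?php
// Mirrors the comment.php logic quoted above: any numeric entity below
// 128 other than &#38; (ampersand) means "spam".
function rejects_encoded_ascii($comment, $author, $url)
{
    if (preg_match_all('/&#(\d+);/', $comment . $author . $url, $chars)) {
        foreach ((array) $chars[1] as $char) {
            if (38 == $char) {
                continue;
            }
            if ($char < 128) {
                return true;
            }
        }
    }
    return false;
}

// Alternative: decode entities first, then match the plain text against a
// word list. $blacklist is a constructed sample, not WordPress's own list.
function matches_blacklist_after_decode($text, array $blacklist)
{
    $decoded = html_entity_decode($text, ENT_QUOTES);
    foreach ($blacklist as $word) {
        if (stripos($decoded, $word) !== false) {
            return true;
        }
    }
    return false;
}

$blacklist = array('viagra');
// Constructed samples: escaped quotes in a normal comment, and an
// entity-obfuscated spam word.
$quoted  = 'He said &#34;hello&#34; and left.';
$encoded = 'Buy &#86;&#105;&#97;&#103;&#114;&#97; now';

foreach (array('quoted' => $quoted, 'encoded' => $encoded) as $label => $text) {
    printf("%-8s entity check: %s  decode+blacklist: %s\n",
        $label,
        rejects_encoded_ascii($text, '', '') ? 'spam' : 'ok',
        matches_blacklist_after_decode($text, $blacklist) ? 'spam' : 'ok');
}
```

The quoted comment is flagged by the entity check but passes the decoded word-list check, while the obfuscated one is caught by both; the decode step loses nothing the blacklist needs.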

Guess i'll be going through my comments database looking for anyone that inadvertently got marked as spam and i never got the chance to say they weren't!

Yeah, helps if i check my spelling AFTER i modify a filter file too, don't it?
Hetta
2007-12-06 - 02:49:40

You might wish to change that add_fliter() to add_filter() up there …

Done.
(Hey Kids! Guess why my blog wasn't working yesterday?)
