From a21e5f64edbee27a6c5c6ff613c0cc7f38a4e074 Mon Sep 17 00:00:00 2001
From: hyzen
Date: Fri, 26 Jun 2026 13:24:24 +0200
Subject: [PATCH] Update: relative post_id

---
 comments.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/comments.php b/comments.php
index f57b8c4..0a7321b 100644
--- a/comments.php
+++ b/comments.php
@@ -273,6 +273,12 @@ if ($action === 'post' || $action === 'reply') {
 if ($post_id === '') {
 json_out(['success' => false, 'message' => 'post_id is required.']);
 }
+ // post_id should always be a site-relative path like "/blog/some-post/".
+ // Reject anything else here, before it can shape outgoing notification
+ // email content or anything else downstream.
+ if (!preg_match('#^/[a-zA-Z0-9_/-]{1,200}/$#', $post_id)) {
+ json_out(['success' => false, 'message' => 'Invalid post_id.']);
+ }
 if ($text === '') {
 json_out(['success' => false, 'message' => 'Comment cannot be empty.']);
 }
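Review bot: The added preg_match anchors the end of the pattern with `$`, which in PCRE also matches immediately before a final newline, so a post_id of `"/blog/some-post/\n"` still passes a check whose stated purpose is to keep the value from shaping outgoing email content. Anchor with `\z` (or add the `D` modifier): `if (!preg_match('#^/[a-zA-Z0-9_/-]{1,200}/\z#', $post_id)) {`. The character class also admits repeated slashes such as `/blog//post/`; that may be harmless if the value is only compared against stored paths, but if it is ever used to build a URL or filename it is worth rejecting explicitly. Because preg_match returns false on an internal error, the `!` test fails closed, which is the right direction for this check. The enclosing `if ($action === 'post' || $action === 'reply')` block starts and ends outside the hunk.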