@almirage
Last active December 21, 2015 22:59
diff -u wp-includes/comment-template.php.org wp-includes/comment-template.php
@@ -1168,6 +1168,7 @@
$replytoid = isset($_GET['replytocom']) ? (int) $_GET['replytocom'] : 0;
$result = "<input type='hidden' name='comment_post_ID' value='$id' id='comment_post_ID' />\n";
$result .= "<input type='hidden' name='comment_parent' id='comment_parent' value='$replytoid' />\n";
+ $result .= "<script type='text/javascript'>document.write('<');document.write('input type=\"hidden\" name=\"comment_token\" value=\"ok\" />');</script>\n";
return apply_filters('comment_id_fields', $result, $id, $replytoid);
}
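Review bot: The injected field on the added `$result .=` line carries the fixed value "ok", so it only shows that a client ran the script once or copied the field; it cannot tell one submission from another and gives the server nothing to verify. Consider emitting a per-form value tied to the post, for example one produced by `wp_create_nonce()`, so the receiving side has something to check. Two further points on the same line: visitors with JavaScript disabled get no `comment_token` field at all and there is no `<noscript>` message to tell them why commenting fails, and since the function already ends in `apply_filters('comment_id_fields', ...)`, the field could be appended from a plugin through that filter instead of editing a core file that an update will overwrite.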
diff -u wp-comments-post.php.org wp-comments-post.php
@@ -25,6 +25,10 @@
do_action('comment_id_not_found', $comment_post_ID);
exit;
}
+if (empty($_POST["comment_token"])) {
+ do_action('illegal post', $comment_post_ID);
+ exit;
+}
// get_post_status() will get the parent status for attachments.
$status = get_post_status($post);
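Review bot: The added `if (empty($_POST["comment_token"]))` check only tests that the field is present and non-empty, so any value passes, not just the one the form writes; compare it against the expected value (or verify a nonce if the form is changed to emit one). The hook name `'illegal post'` contains a space and does not follow the snake_case style of the neighbouring `'comment_id_not_found'`, and nothing documents it. The bare `exit;` returns an empty page to a legitimate visitor whose browser did not run the script; `wp_die()` with a short message and a 403 status would make the rejection visible and easier to spot in logs.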