- Backporting comment module validation fixes. Already went into DRUPAL-5.

modules/comment/comment.module

@@ -1589,7 +1589,12 @@ function comment_form_add_preview($form, $edit) {
 
   $output = '';
 
-  comment_validate($edit);
+  // Invoke full validation for the form, to protect against cross site
+  // request forgeries (CSRF) and setting arbitrary values for fields such as
+  // the input format. Preview the comment only when form validation does not
+  // set any errors.
+  drupal_validate_form($form['form_id']['#value'], $form);
+  if (!form_get_errors()) {
     $comment = (object)_comment_form_submit($edit);
 
     // Attach the user and time information.
@@ -1603,10 +1608,7 @@ function comment_form_add_preview($form, $edit) {
       $comment->uid = $account->uid;
       $comment->name = check_plain($account->name);
     }
-  $comment->timestamp = !empty($edit['timestamp']) ? $edit['timestamp'] : time();
+    $comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
-
-  // Preview the comment with security check.
-  if (!form_get_errors()) {
     $output .= theme('comment_view', $comment);
   }
   $form['comment_preview'] = array(

modules/node/node.module

@@ -2027,6 +2027,10 @@ function node_form_add_preview($form) {
 
   $op = isset($form_values['op']) ? $form_values['op'] : '';
   if ($op == t('Preview')) {
+    // Invoke full validation for the form, to protect against cross site
+    // request forgeries (CSRF) and setting arbitrary values for fields such as
+    // the input format. Preview the node only when form validation does not
+    // set any errors.
     drupal_validate_form($form['form_id']['#value'], $form);
     if (!form_get_errors()) {
       // Because the node preview may display a form, we must render it