Index: modules/comment/comment.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/comment/comment.module,v
retrieving revision 1.520.2.1
diff -u -p -r1.520.2.1 comment.module
--- modules/comment/comment.module 23 Jan 2007 19:11:43 -0000 1.520.2.1
+++ modules/comment/comment.module 25 Jan 2007 08:38:01 -0000
@@ -1582,24 +1582,26 @@ function comment_form_add_preview($form,
 $output = '';
- comment_validate($edit);
- $comment = (object)_comment_form_submit($edit);
-
- // Attach the user and time information.
- if ($edit['author']) {
- $account = user_load(array('name' => $edit['author']));
- }
- elseif ($user->uid && !isset($edit['is_anonymous'])) {
- $account = $user;
- }
- if ($account) {
- $comment->uid = $account->uid;
- $comment->name = check_plain($account->name);
- }
- $comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
-
- // Preview the comment with security check.
+ // Invoke full validation for the form, to protect against cross site
+ // request forgeries (CSRF) and setting arbitrary values for fields such as
+ // the input format. Preview the comment only when form validation does not
+ // set any errors.
+ drupal_validate_form($form['form_id']['#value'], $form);
 if (!form_get_errors()) {
+ $comment = (object)_comment_form_submit($edit);
+
+ // Attach the user and time information.
+ if ($edit['author']) {
+ $account = user_load(array('name' => $edit['author']));
+ }
+ elseif ($user->uid && !isset($edit['is_anonymous'])) {
+ $account = $user;
+ }
+ if ($account) {
+ $comment->uid = $account->uid;
+ $comment->name = check_plain($account->name);
+ }
+ $comment->timestamp = $edit['timestamp'] ? $edit['timestamp'] : time();
 $output .= theme('comment_view', $comment);
 }
 $form['comment_preview'] = array(
Index: modules/node/node.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/node/node.module,v
retrieving revision 1.776
diff -u -p -r1.776 node.module
--- modules/node/node.module 14 Jan 2007 02:12:29 -0000 1.776
+++ modules/node/node.module 25 Jan 2007 08:38:03 -0000
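Review bot: In the new block inside `if (!form_get_errors())`, `$account` is never assigned before `if ($account)` when neither the `$edit['author']` branch nor the logged-in-user branch runs, so that test reads an undefined variable unless it is initialised above the hunk; add `$account = NULL;` ahead of the `if ($edit['author'])` line. Also, `user_load()` returning FALSE for an unknown author name silently falls through to an anonymous-looking preview, which is only acceptable if the validation now triggered by `drupal_validate_form()` rejects a nonexistent author — this hunk does not show that check. The preview's uid and name are now taken from a token-validated submission, which is the point of the change, but the raw `$edit['timestamp']` still overrides whatever `_comment_form_submit()` set on `$comment`, so it is worth confirming the date field is restricted to privileged users. comment_form_add_preview() starts above this hunk and continues past its last line.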
@@ -2069,6 +2069,10 @@ function node_form_add_preview($form) {
 $op = isset($form_values['op']) ? $form_values['op'] : '';
 if ($op == t('Preview')) {
+ // Invoke full validation for the form, to protect against cross site
+ // request forgeries (CSRF) and setting arbitrary values for fields such as
+ // the input format. Preview the node only when form validation does not
+ // set any errors.
 drupal_validate_form($form['form_id']['#value'], $form);
 if (!form_get_errors()) {
 // Because the node preview may display a form, we must render it