dokufreaks/plugin-blogtng

Comment preview allows anonymous users/bots to easily render syntax

Opened this issue · 0 comments

The comment preview AJAX request allows anonymous users to render arbitrary syntax (plugins could be disabled, though) regardless of ACLs or whether comments are used at all. No security token is needed.

This could be used for DoS attacks by letting the wiki render large amounts of text, as well as, for example, for automatically constructing hash values for external redirects (see also FS#2648) or for caching external images when $conf['fetchsize'] is non-zero. Of course this is also possible in an open wiki, but as blogtng is primarily used in closed wikis with trusted editors, I think this is a security issue.

I suggest:
a) add a security token to the AJAX request (and check it)
b) add the page id and check whether the current user has at least read permission and whether comment posting is actually enabled
c) if a captcha is used for normal comment posting, check it during preview, too
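A sketch of what the three suggested checks look like in a DokuWiki AJAX handler, as an added example (this is not blogtng's own code). It uses DokuWiki core functions that exist in inc/ (checkSecurityToken(), auth_quickaclcheck(), cleanID(), page_exists(), http_status(), p_get_instructions(), p_render(), the AUTH_READ constant and the $INPUT request wrapper); the captcha call assumes the DokuWiki captcha plugin's helper with its check($msg) method; the plugin name "example", the AJAX call name "example_comment_preview", the commentsEnabledFor() helper and the 16 KiB preview cap are assumptions for illustration. The size cap goes one step beyond the three points in the issue and is there to blunt the "render large amounts of text" DoS vector.

```php
<?php
// Added example of a hardened comment-preview AJAX handler for DokuWiki.
// Not blogtng's code; plugin name, call name, commentsEnabledFor() and the
// size cap are illustrative assumptions. Requires the DokuWiki runtime.

class action_plugin_example_preview extends DokuWiki_Action_Plugin
{
    // Upper bound on the text a single preview may render (assumed value).
    const MAX_PREVIEW_BYTES = 16384;

    public function register(Doku_Event_Handler $controller)
    {
        // DokuWiki dispatches unknown ?call=... AJAX requests through this event.
        $controller->register_hook('AJAX_CALL_UNKNOWN', 'BEFORE', $this, 'handleAjax');
    }

    public function handleAjax(Doku_Event $event, $param)
    {
        if ($event->data !== 'example_comment_preview') return;
        $event->preventDefault();
        $event->stopPropagation();

        global $INPUT;

        // a) Require the session's security token (sent as 'sectok').
        //    A bot that never loaded the comment form does not have one,
        //    and a cross-site page cannot read it.
        if (!checkSecurityToken()) {
            http_status(403, 'invalid security token');
            return;
        }

        // b) The request must name the page the comment belongs to. The caller
        //    needs at least read access to that page, and comments must be
        //    enabled there; otherwise the preview is a free rendering oracle
        //    that ignores the ACLs.
        $id = cleanID($INPUT->str('id'));
        if ($id === '' || auth_quickaclcheck($id) < AUTH_READ) {
            http_status(403, 'no read permission');
            return;
        }
        if (!$this->commentsEnabledFor($id)) {
            http_status(403, 'comments disabled');
            return;
        }

        // c) If posting a comment is captcha-protected, the preview must be
        //    too, or the preview becomes the captcha-free way to render.
        //    check(false) validates the submitted captcha without msg() output
        //    (captcha plugin helper API, assumed).
        $captcha = plugin_load('helper', 'captcha');
        if ($captcha && !$captcha->check(false)) {
            http_status(403, 'captcha failed');
            return;
        }

        // Only render after every check passed, and never more than the cap.
        $text = $INPUT->str('text');
        if (strlen($text) > self::MAX_PREVIEW_BYTES) {
            http_status(413, 'preview too large');
            return;
        }
        $info = array();
        header('Content-Type: text/html; charset=utf-8');
        echo p_render('xhtml', p_get_instructions($text), $info);
    }

    // Hypothetical helper: comments are open on $id only if the plugin's
    // 'comments' setting is on and the page actually exists.
    private function commentsEnabledFor($id)
    {
        return (bool) $this->getConf('comments') && page_exists($id);
    }
}
```

The order matters: the token check comes first because it is the cheapest and rejects the bulk of automated requests, the ACL and comment-enabled checks bind the preview to a concrete page the caller may read, and rendering is the last thing that happens, so no CPU is spent on a request that would be refused anyway. The client side has to send sectok (available via getSecurityToken() when the form is rendered), the page id and the captcha fields along with the text.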