Comments' URL and email are now checked with the filter_var() function. This makes the checks much more generic and, by the way, allows HTTPS URLs. (Which was reported by RT Cunnigham, see http://flatpress.org/home/comments.php?entry=entry181114-131213#comment181212-200956 - thanks!)

Also: Standard theme Leggero has rel="nofollow" for comments' URLs in order to make comment spam more useless.
This commit is contained in:
azett 2019-01-05 13:03:29 +01:00
parent 9c0dea07a3
commit c4ce531850
2 changed files with 236 additions and 290 deletions


@ -1,5 +1,4 @@
<?php <?php
if (!defined('MOD_INDEX')) { if (!defined('MOD_INDEX')) {
include 'defaults.php'; include 'defaults.php';
include INCLUDES_DIR . 'includes.php'; include INCLUDES_DIR . 'includes.php';
@ -12,17 +11,13 @@
@utils_status_header(301); @utils_status_header(301);
@utils_redirect(str_replace('&amp;', '&', get_comments_link($_GET ['entry'])), true); @utils_redirect(str_replace('&amp;', '&', get_comments_link($_GET ['entry'])), true);
} }
} }
$module = comment_main($module); $module = comment_main($module);
function comment_main($module) { function comment_main($module) {
global $fpdb, $fp_params; global $fpdb, $fp_params;
// hackish solution to get title before fullparse starts dunno, I don't like it // hackish solution to get title before fullparse starts dunno, I don't like it
$q = & $fpdb->getQuery(); $q = & $fpdb->getQuery();
@ -31,7 +26,6 @@
if (!$entry) if (!$entry)
return $module; return $module;
if (!empty($fp_params ['feed'])) { if (!empty($fp_params ['feed'])) {
switch ($fp_params ['feed']) { switch ($fp_params ['feed']) {
@ -45,25 +39,18 @@
header('Content-type: application/rss+xml'); header('Content-type: application/rss+xml');
$module = SHARED_TPLS . 'comment-rss.tpl'; $module = SHARED_TPLS . 'comment-rss.tpl';
} }
} elseif (!in_array('commslock', $entry ['categories'])) { } elseif (!in_array('commslock', $entry ['categories'])) {
commentform(); commentform();
} }
return $module; return $module;
} }
function comment_feed() { function comment_feed() {
global $fp_params; global $fp_params;
echo "\n<link rel=\"alternate\" type=\"application/rss+xml\" title=\"Get Comments RSS 2.0 Feed\" href=\"". echo "\n<link rel=\"alternate\" type=\"application/rss+xml\" title=\"Get Comments RSS 2.0 Feed\" href=\"" . theme_comments_feed_link('rss2', $fp_params ['entry']) . "\" />";
theme_comments_feed_link('rss2', $fp_params['entry']) echo "\n<link rel=\"alternate\" type=\"application/atom+xml\" title=\"Get Comments Atom 1.0 Feed\" href=\"" . theme_comments_feed_link('atom', $fp_params ['entry']) . "\" />\n";
."\" />";
echo "\n<link rel=\"alternate\" type=\"application/atom+xml\" title=\"Get Comments Atom 1.0 Feed\" href=\"".
theme_comments_feed_link('atom', $fp_params['entry'])
."\" />\n";
} }
add_action('wp_head', 'comment_feed'); add_action('wp_head', 'comment_feed');
@ -73,26 +60,27 @@
list ($id, $e) = @$q->peekEntry(); list ($id, $e) = @$q->peekEntry();
if ($e) if ($e)
return "{$e['subject']} : {$lang['main']['comments']} {$sep} $val "; return "{$e['subject']} : {$lang['main']['comments']} {$sep} $val ";
else return $val; else
return $val;
} }
remove_filter('wp_title', 'index_permatitle'); remove_filter('wp_title', 'index_permatitle');
add_filter('wp_title', 'comment_pagetitle', 10, 2); add_filter('wp_title', 'comment_pagetitle', 10, 2);
function comment_validate() { function comment_validate() {
global $smarty, $lang; global $smarty, $lang;
$lerr = & $lang ['comments'] ['error']; $lerr = & $lang ['comments'] ['error'];
$r = true; $r = true;
/* $lang['comments']['error'] = array( /*
'name' => 'You must enter a name', * $lang['comments']['error'] = array(
'email' => 'You must enter a valid email', * 'name' => 'You must enter a name',
'www' => 'You must enter a valid URL', * 'email' => 'You must enter a valid email',
'comment' => 'You must enter a comment', * 'www' => 'You must enter a valid URL',
);*/ * 'comment' => 'You must enter a comment',
* );
*/
$content = isset($_POST ['content']) ? trim(stripslashes($_POST ['content'])) : null; $content = isset($_POST ['content']) ? trim(stripslashes($_POST ['content'])) : null;
@ -107,7 +95,6 @@
$url = $user ['www']; $url = $user ['www'];
$name = $user ['userid']; $name = $user ['userid'];
} else { } else {
$name = trim(htmlspecialchars(@$_POST ['name'])); $name = trim(htmlspecialchars(@$_POST ['name']));
$email = isset($_POST ['email']) ? trim(htmlspecialchars($_POST ['email'])) : null; $email = isset($_POST ['email']) ? trim(htmlspecialchars($_POST ['email'])) : null;
$url = isset($_POST ['url']) ? trim(stripslashes(htmlspecialchars($_POST ['url']))) : null; $url = isset($_POST ['url']) ? trim(stripslashes(htmlspecialchars($_POST ['url']))) : null;
@ -121,20 +108,15 @@
$errors ['name'] = $lerr ['name']; $errors ['name'] = $lerr ['name'];
} }
/* /*
* check email * check email
* *
*/ */
if ($email) { if ($email) {
$_is_valid = !(preg_match('!@.*@|\.\.|\,|\;!', $email) || if (!filter_var($url, FILTER_VALIDATE_EMAIL)) {
!preg_match('!^.+\@(\[?)[a-zA-Z0-9\.\-]+\.([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$!', $email));
if (!$_is_valid) {
$errors ['email'] = $lerr ['email']; $errors ['email'] = $lerr ['email'];
} }
} }
/* /*
@ -143,20 +125,16 @@
*/ */
if ($url) { if ($url) {
if (!preg_match('!^http(s)?://[\w-]+\.[\w-]+(\S+)?$!i', $url)) { if (!filter_var($url, FILTER_VALIDATE_URL)) {
// || preg_match('!^http(s)?://localhost!', $value);
$errors ['url'] = $lerr ['www']; $errors ['url'] = $lerr ['www'];
} }
} }
} }
if (!$content) { if (!$content) {
$errors ['content'] = $lerr ['comment']; $errors ['content'] = $lerr ['comment'];
} }
if ($errors) { if ($errors) {
$smarty->assign('error', $errors); $smarty->assign('error', $errors);
return false; return false;
@ -165,27 +143,18 @@
$arr ['version'] = system_ver(); $arr ['version'] = system_ver();
$arr ['name'] = $name; $arr ['name'] = $name;
if (!$loggedin) if (!$loggedin)
setcookie('comment_author_' . COOKIEHASH, setcookie('comment_author_' . COOKIEHASH, $arr ['name'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
$arr['name'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
if ($email) { if ($email) {
($arr ['email'] = $email); ($arr ['email'] = $email);
if (!$loggedin) if (!$loggedin)
setcookie('comment_author_email_' . COOKIEHASH, setcookie('comment_author_email_' . COOKIEHASH, $arr ['email'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
$arr['email'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
} }
if ($url) { if ($url) {
($arr ['url'] = ($url)); ($arr ['url'] = ($url));
if (!$loggedin) if (!$loggedin)
setcookie('comment_author_url_' . COOKIEHASH, setcookie('comment_author_url_' . COOKIEHASH, $arr ['url'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
$arr['url'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
} }
$arr ['content'] = $content; $arr ['content'] = $content;
@ -195,28 +164,24 @@
if ($loggedin || apply_filters('comment_validate', true, $arr)) if ($loggedin || apply_filters('comment_validate', true, $arr))
return $arr; return $arr;
else return false; else
return false;
} }
function commentform() { function commentform() {
global $smarty, $lang, $fpdb, $fp_params; global $smarty, $lang, $fpdb, $fp_params;
$comment_formid = 'fp-comments'; $comment_formid = 'fp-comments';
$smarty->assign('comment_formid', $comment_formid); $smarty->assign('comment_formid', $comment_formid);
if (!empty($_POST)) { if (!empty($_POST)) {
# utils_nocache_headers(); // utils_nocache_headers();
// add http to url // add http to url if not given
if (!empty($_POST['url']) && strpos($_POST['url'], 'http://')===false) if (!empty($_POST ['url']) && strpos($_POST ['url'], 'http://') === false && strpos($_POST ['url'], 'https://') === false)
$_POST ['url'] = 'http://' . $_POST ['url']; $_POST ['url'] = 'http://' . $_POST ['url'];
// custom hook here!! // custom hook here!!
if ($arr = comment_validate()) { if ($arr = comment_validate()) {
@ -224,12 +189,17 @@
$id = comment_save($fp_params ['entry'], $arr); $id = comment_save($fp_params ['entry'], $arr);
do_action('comment_post', $fp_params['entry'], array($id, $arr)); do_action('comment_post', $fp_params ['entry'], array(
$id,
$arr
));
$q = new FPDB_Query(array('id'=>$fp_params['entry'],'fullparse'=>false), null); $q = new FPDB_Query(array(
'id' => $fp_params ['entry'],
'fullparse' => false
), null);
list ($entryid, $e) = $q->getEntry(); list ($entryid, $e) = $q->getEntry();
if ($fp_config ['general'] ['notify'] && !user_loggedin()) { if ($fp_config ['general'] ['notify'] && !user_loggedin()) {
global $post; global $post;
@ -241,8 +211,7 @@
$lang = lang_load('comments'); $lang = lang_load('comments');
$mail = str_replace( $mail = str_replace(array(
array(
'%toname%', '%toname%',
'%fromname%', '%fromname%',
'%frommail%', '%frommail%',
@ -250,9 +219,7 @@
'%commentlink%', '%commentlink%',
'%content%', '%content%',
'%blogtitle%' '%blogtitle%'
), ), array(
array(
$fp_config ['general'] ['author'], $fp_config ['general'] ['author'],
$arr ['name'], $arr ['name'],
$comm_mail, $comm_mail,
@ -260,48 +227,27 @@
get_comments_link($entryid) . '#' . $id, get_comments_link($entryid) . '#' . $id,
$arr ['content'], $arr ['content'],
$fp_config ['general'] ['title'] $fp_config ['general'] ['title']
), ), $lang ['comments'] ['mail']);
$lang['comments']['mail']
);
@utils_mail($from_mail, "New comment on {$fp_config['general']['title']}",
$mail);
@utils_mail($from_mail, "New comment on {$fp_config['general']['title']}", $mail);
} }
// if comment is valid, this redirect will clean the postdata // if comment is valid, this redirect will clean the postdata
$location = str_replace( $location = str_replace('&amp;', '&', get_comments_link($entryid)) . '#' . $id;
'&amp;', '&',
get_comments_link($entryid)
) . '#'.$id;
utils_redirect($location, true); utils_redirect($location, true);
exit(); exit();
} else { } else {
$smarty->assign('values', $_POST); $smarty->assign('values', $_POST);
} }
} }
// Cookies // Cookies
$smarty->assign('cookie', array( $smarty->assign('cookie', array(
'name' => @$_COOKIE ['comment_author_' . COOKIEHASH], 'name' => @$_COOKIE ['comment_author_' . COOKIEHASH],
'email' => @$_COOKIE ['comment_author_email_' . COOKIEHASH], 'email' => @$_COOKIE ['comment_author_email_' . COOKIEHASH],
'url' => @$_COOKIE ['comment_author_url_' . COOKIEHASH] 'url' => @$_COOKIE ['comment_author_url_' . COOKIEHASH]
)); ));
} }
?> ?>
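Review bot: The new email check on the `if (!filter_var($url, FILTER_VALIDATE_EMAIL))` line validates `$url` instead of `$email`, so a malformed address is accepted whenever the URL field holds a valid URL and a correct address is rejected whenever the URL field is empty; it should read `if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {`. The URL check below it accepts every scheme that FILTER_VALIDATE_URL accepts, whereas the regex it replaces only allowed http(s), and the theme writes the stored value straight into an href attribute, so the scheme should still be restricted, e.g. `if (!filter_var($url, FILTER_VALIDATE_URL) || !in_array(strtolower((string) parse_url($url, PHP_URL_SCHEME)), array('http', 'https'), true)) {`. The http:// prefixing in commentform() tests for the substring anywhere in the value (`strpos(...) === false`) rather than at its start, so a value that merely contains `http://` later on is left unprefixed; a prefix test such as `!preg_match('!^https?://!i', $_POST['url'])` expresses the intent. comment_validate() starts and ends outside this hunk.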


@ -19,13 +19,13 @@
else default fallback on displaying plain $name" else default fallback on displaying plain $name"
*} *}
{$url|notempty:"<a href=\"$url\" title=\"Permalink to $name's comment\">$name</a>"|default:$name} {$url|notempty:"<a href=\"$url\" rel=\"nofollow\" title=\"Visit $url\">$name</a>"|default:$name}
</strong> </strong>
{include file=shared:commentadminctrls.tpl} {* this shows edit/delete links*} {include file=shared:commentadminctrls.tpl} {* this shows edit/delete links*}
<p class="date"> <p class="date">
<a href="{$entryid|link:comments_link}#{$id}">{$date|date_format:"%A, %B %e, %Y - %H:%M:%S"}</a> <a href="{$entryid|link:comments_link}#{$id}" title="Permalink to {$name}'s comment">{$date|date_format:"%A, %B %e, %Y - %H:%M:%S"}</a>
</p> </p>
{$content|tag:comment_text} {$content|tag:comment_text}