Beanz/flatpress
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Comments' URL and email is now checked with filter_var() function. This makes the checks much more generic and, by the way, allows HTTPS URLs. (Which was reported by RT Cunnigham, see http://flatpress.org/home/comments.php?entry=entry181114-131213#comment181212-200956 - thanks!)

Browse Source 
Also: Standard theme Leggero has rel="nofollow" for comments' URLs in order to make comment spam more useless.
This commit is contained in:
azett 2019-01-05 13:03:29 +01:00
parent 9c0dea07a3
commit c4ce531850
2 changed files with 236 additions and 290 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

248
comments.php
View File

@ -1,40 +1,34 @@
<?php <?php
if (!defined('MOD_INDEX')) {
if (!defined('MOD_INDEX')) {
include 'defaults.php'; include 'defaults.php';
include INCLUDES_DIR . 'includes.php'; include INCLUDES_DIR . 'includes.php';
/* backward compatibility */ /* backward compatibility */
if (!@$_GET['entry']) { if (!@$_GET ['entry']) {
@utils_redirect(); @utils_redirect();
} else { } else {
@utils_status_header(301); @utils_status_header(301);
@utils_redirect(str_replace('&amp;','&', get_comments_link($_GET['entry'])), true); @utils_redirect(str_replace('&amp;', '&', get_comments_link($_GET ['entry'])), true);
} }
}
$module = comment_main($module);
} function comment_main($module) {
$module = comment_main($module);
function comment_main($module) {
global $fpdb, $fp_params; global $fpdb, $fp_params;
// hackish solution to get title before fullparse starts dunno, I don't like it // hackish solution to get title before fullparse starts dunno, I don't like it
$q =& $fpdb->getQuery(); $q = & $fpdb->getQuery();
list($id, $entry) = @$q->peekEntry(); list ($id, $entry) = @$q->peekEntry();
if (!$entry) if (!$entry)
return $module; return $module;
if (!empty($fp_params ['feed'])) {
if (!empty($fp_params['feed'])){ switch ($fp_params ['feed']) {
switch($fp_params['feed']) {
case 'atom': case 'atom':
header('Content-type: application/atom+xml'); header('Content-type: application/atom+xml');
@ -45,56 +39,50 @@
header('Content-type: application/rss+xml'); header('Content-type: application/rss+xml');
$module = SHARED_TPLS . 'comment-rss.tpl'; $module = SHARED_TPLS . 'comment-rss.tpl';
} }
} elseif (!in_array('commslock', $entry ['categories'])) {
} elseif (!in_array('commslock', $entry['categories'])) {
commentform(); commentform();
} }
return $module; return $module;
}
} function comment_feed() {
function comment_feed() {
global $fp_params; global $fp_params;
echo "\n<link rel=\"alternate\" type=\"application/rss+xml\" title=\"Get Comments RSS 2.0 Feed\" href=\"". echo "\n<link rel=\"alternate\" type=\"application/rss+xml\" title=\"Get Comments RSS 2.0 Feed\" href=\"" . theme_comments_feed_link('rss2', $fp_params ['entry']) . "\" />";
theme_comments_feed_link('rss2', $fp_params['entry']) echo "\n<link rel=\"alternate\" type=\"application/atom+xml\" title=\"Get Comments Atom 1.0 Feed\" href=\"" . theme_comments_feed_link('atom', $fp_params ['entry']) . "\" />\n";
."\" />"; }
echo "\n<link rel=\"alternate\" type=\"application/atom+xml\" title=\"Get Comments Atom 1.0 Feed\" href=\"". add_action('wp_head', 'comment_feed');
theme_comments_feed_link('atom', $fp_params['entry'])
."\" />\n";
}
add_action('wp_head', 'comment_feed');
function comment_pagetitle($val, $sep) { function comment_pagetitle($val, $sep) {
global $fpdb, $lang; global $fpdb, $lang;
$q =& $fpdb->getQuery(); $q = & $fpdb->getQuery();
list($id, $e) = @$q->peekEntry(); list ($id, $e) = @$q->peekEntry();
if ($e) if ($e)
return "{$e['subject']} : {$lang['main']['comments']} {$sep} $val "; return "{$e['subject']} : {$lang['main']['comments']} {$sep} $val ";
else return $val; else
} return $val;
remove_filter('wp_title', 'index_permatitle'); }
add_filter('wp_title', 'comment_pagetitle', 10, 2); remove_filter('wp_title', 'index_permatitle');
add_filter('wp_title', 'comment_pagetitle', 10, 2);
function comment_validate() {
function comment_validate() {
global $smarty, $lang; global $smarty, $lang;
$lerr =& $lang['comments']['error']; $lerr = & $lang ['comments'] ['error'];
$r = true; $r = true;
/* $lang['comments']['error'] = array( /*
'name' => 'You must enter a name', * $lang['comments']['error'] = array(
'email' => 'You must enter a valid email', * 'name' => 'You must enter a name',
'www' => 'You must enter a valid URL', * 'email' => 'You must enter a valid email',
'comment' => 'You must enter a comment', * 'www' => 'You must enter a valid URL',
);*/ * 'comment' => 'You must enter a comment',
* );
*/
$content = isset($_POST ['content']) ? trim(stripslashes($_POST ['content'])) : null;
$content= isset($_POST['content'])? trim(stripslashes($_POST['content'])) : null;
$errors = array(); $errors = array();
@ -102,15 +90,14 @@
if (user_loggedin()) { if (user_loggedin()) {
$user = user_get(); $user = user_get();
$loggedin = $arr['loggedin']=true; $loggedin = $arr ['loggedin'] = true;
$email = $user['email']; $email = $user ['email'];
$url = $user['www']; $url = $user ['www'];
$name = $user['userid']; $name = $user ['userid'];
} else { } else {
$name = trim(htmlspecialchars(@$_POST ['name']));
$name = trim(htmlspecialchars(@$_POST['name'])); $email = isset($_POST ['email']) ? trim(htmlspecialchars($_POST ['email'])) : null;
$email = isset($_POST['email'])? trim(htmlspecialchars($_POST['email'])) : null; $url = isset($_POST ['url']) ? trim(stripslashes(htmlspecialchars($_POST ['url']))) : null;
$url = isset($_POST['url'])? trim(stripslashes(htmlspecialchars($_POST['url']))) : null;
/* /*
* check name * check name
@ -118,23 +105,18 @@
*/ */
if (!$name) { if (!$name) {
$errors['name'] = $lerr['name']; $errors ['name'] = $lerr ['name'];
} }
/* /*
* check email * check email
* *
*/ */
if ($email) { if ($email) {
$_is_valid = !(preg_match('!@.*@|\.\.|\,|\;!', $email) || if (!filter_var($url, FILTER_VALIDATE_EMAIL)) {
!preg_match('!^.+\@(\[?)[a-zA-Z0-9\.\-]+\.([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$!', $email)); $errors ['email'] = $lerr ['email'];
if (!$_is_valid) {
$errors['email'] = $lerr['email'];
} }
} }
/* /*
@ -143,106 +125,93 @@
*/ */
if ($url) { if ($url) {
if (!preg_match('!^http(s)?://[\w-]+\.[\w-]+(\S+)?$!i', $url)) { if (!filter_var($url, FILTER_VALIDATE_URL)) {
// || preg_match('!^http(s)?://localhost!', $value); $errors ['url'] = $lerr ['www'];
$errors['url'] = $lerr['www'];
} }
} }
} }
if (!$content) { if (!$content) {
$errors['content'] = $lerr['comment']; $errors ['content'] = $lerr ['comment'];
} }
if ($errors) { if ($errors) {
$smarty->assign('error', $errors); $smarty->assign('error', $errors);
return false; return false;
} }
$arr['version'] = system_ver(); $arr ['version'] = system_ver();
$arr['name'] = $name; $arr ['name'] = $name;
if (!$loggedin) if (!$loggedin)
setcookie('comment_author_' . COOKIEHASH, setcookie('comment_author_' . COOKIEHASH, $arr ['name'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
$arr['name'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
if ($email) { if ($email) {
($arr['email'] = $email); ($arr ['email'] = $email);
if (!$loggedin) if (!$loggedin)
setcookie('comment_author_email_' . COOKIEHASH, setcookie('comment_author_email_' . COOKIEHASH, $arr ['email'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
$arr['email'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
} }
if ($url) { if ($url) {
($arr['url'] = ( $url )) ; ($arr ['url'] = ($url));
if (!$loggedin) if (!$loggedin)
setcookie('comment_author_url_' . COOKIEHASH, setcookie('comment_author_url_' . COOKIEHASH, $arr ['url'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
$arr['url'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
} }
$arr['content'] = $content; $arr ['content'] = $content;
if ($v = utils_ipget()) { if ($v = utils_ipget()) {
$arr['ip-address'] = $v; $arr ['ip-address'] = $v;
} }
if ($loggedin || apply_filters('comment_validate', true, $arr)) if ($loggedin || apply_filters('comment_validate', true, $arr))
return $arr; return $arr;
else return false; else
return false;
}
}
function commentform() {
function commentform() {
global $smarty, $lang, $fpdb, $fp_params; global $smarty, $lang, $fpdb, $fp_params;
$comment_formid = 'fp-comments'; $comment_formid = 'fp-comments';
$smarty->assign('comment_formid', $comment_formid); $smarty->assign('comment_formid', $comment_formid);
if (!empty($_POST)) {
if(!empty($_POST)) { // utils_nocache_headers();
# utils_nocache_headers();
// add http to url
if (!empty($_POST['url']) && strpos($_POST['url'], 'http://')===false)
$_POST['url'] = 'http://'.$_POST['url'];
// add http to url if not given
if (!empty($_POST ['url']) && strpos($_POST ['url'], 'http://') === false && strpos($_POST ['url'], 'https://') === false)
$_POST ['url'] = 'http://' . $_POST ['url'];
// custom hook here!! // custom hook here!!
if($arr=comment_validate()) { if ($arr = comment_validate()) {
global $fp_config; global $fp_config;
$id = comment_save($fp_params['entry'], $arr); $id = comment_save($fp_params ['entry'], $arr);
do_action('comment_post', $fp_params['entry'], array($id, $arr)); do_action('comment_post', $fp_params ['entry'], array(
$id,
$arr
));
$q = new FPDB_Query(array('id'=>$fp_params['entry'],'fullparse'=>false), null); $q = new FPDB_Query(array(
list($entryid, $e) = $q->getEntry(); 'id' => $fp_params ['entry'],
'fullparse' => false
), null);
list ($entryid, $e) = $q->getEntry();
if ($fp_config ['general'] ['notify'] && !user_loggedin()) {
if ($fp_config['general']['notify'] && !user_loggedin()) {
global $post; global $post;
$comm_mail = isset($arr['email'])? "<{$arr['email']}>" : ''; $comm_mail = isset($arr ['email']) ? "<{$arr['email']}>" : '';
$from_mail = $fp_config['general']['email']; $from_mail = $fp_config ['general'] ['email'];
$post = $e; // plugin such as prettyurls might need this... $post = $e; // plugin such as prettyurls might need this...
$lang = lang_load('comments'); $lang = lang_load('comments');
$mail = str_replace( $mail = str_replace(array(
array(
'%toname%', '%toname%',
'%fromname%', '%fromname%',
'%frommail%', '%frommail%',
@ -250,58 +219,35 @@
'%commentlink%', '%commentlink%',
'%content%', '%content%',
'%blogtitle%' '%blogtitle%'
), ), array(
$fp_config ['general'] ['author'],
array( $arr ['name'],
$fp_config['general']['author'],
$arr['name'],
$comm_mail, $comm_mail,
$e['subject'], $e ['subject'],
get_comments_link($entryid) . '#'.$id, get_comments_link($entryid) . '#' . $id,
$arr['content'], $arr ['content'],
$fp_config['general']['title'] $fp_config ['general'] ['title']
), ), $lang ['comments'] ['mail']);
$lang['comments']['mail']
);
@utils_mail($from_mail, "New comment on {$fp_config['general']['title']}",
$mail);
@utils_mail($from_mail, "New comment on {$fp_config['general']['title']}", $mail);
} }
// if comment is valid, this redirect will clean the postdata // if comment is valid, this redirect will clean the postdata
$location = str_replace( $location = str_replace('&amp;', '&', get_comments_link($entryid)) . '#' . $id;
'&amp;', '&',
get_comments_link($entryid)
) . '#'.$id;
utils_redirect($location,true); utils_redirect($location, true);
exit(); exit();
} else { } else {
$smarty->assign('values', $_POST); $smarty->assign('values', $_POST);
} }
} }
// Cookies // Cookies
$smarty->assign('cookie', array( $smarty->assign('cookie', array(
'name' => @$_COOKIE['comment_author_' . COOKIEHASH], 'name' => @$_COOKIE ['comment_author_' . COOKIEHASH],
'email' => @$_COOKIE['comment_author_email_' . COOKIEHASH], 'email' => @$_COOKIE ['comment_author_email_' . COOKIEHASH],
'url' => @$_COOKIE['comment_author_url_' . COOKIEHASH] 'url' => @$_COOKIE ['comment_author_url_' . COOKIEHASH]
)); ));
}
}
?> ?>

4
fp-interface/themes/leggero/comments.tpl
View File

@ -19,13 +19,13 @@
else default fallback on displaying plain $name" else default fallback on displaying plain $name"
*} *}
{$url|notempty:"<a href=\"$url\" title=\"Permalink to $name's comment\">$name</a>"|default:$name} {$url|notempty:"<a href=\"$url\" rel=\"nofollow\" title=\"Visit $url\">$name</a>"|default:$name}
</strong> </strong>
{include file=shared:commentadminctrls.tpl} {* this shows edit/delete links*} {include file=shared:commentadminctrls.tpl} {* this shows edit/delete links*}
<p class="date"> <p class="date">
<a href="{$entryid|link:comments_link}#{$id}">{$date|date_format:"%A, %B %e, %Y - %H:%M:%S"}</a> <a href="{$entryid|link:comments_link}#{$id}" title="Permalink to {$name}'s comment">{$date|date_format:"%A, %B %e, %Y - %H:%M:%S"}</a>
</p> </p>
{$content|tag:comment_text} {$content|tag:comment_text}