Beanz/flatpress
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Comments' URL and email is now checked with filter_var() function. This makes the checks much more generic and, by the way, allows HTTPS URLs. (Which was reported by RT Cunnigham, see http://flatpress.org/home/comments.php?entry=entry181114-131213#comment181212-200956 - thanks!)

Browse Source 
Also: Standard theme Leggero has rel="nofollow" for comments' URLs in order to make comment spam more useless.
This commit is contained in:
azett 2019-01-05 13:03:29 +01:00
parent 9c0dea07a3
commit c4ce531850
2 changed files with 236 additions and 290 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

522
comments.php
View File

@ -1,307 +1,253 @@
<?php <?php
if (!defined('MOD_INDEX')) {
if (!defined('MOD_INDEX')) { include 'defaults.php';
include 'defaults.php'; include INCLUDES_DIR . 'includes.php';
include INCLUDES_DIR . 'includes.php';
/* backward compatibility */
/* backward compatibility */
if (!@$_GET ['entry']) {
if (!@$_GET['entry']) { @utils_redirect();
@utils_redirect(); } else {
} else { @utils_status_header(301);
@utils_status_header(301); @utils_redirect(str_replace('&amp;', '&', get_comments_link($_GET ['entry'])), true);
@utils_redirect(str_replace('&amp;','&', get_comments_link($_GET['entry'])), true);
}
} }
}
$module = comment_main($module); $module = comment_main($module);
function comment_main($module) { function comment_main($module) {
global $fpdb, $fp_params;
global $fpdb, $fp_params;
// hackish solution to get title before fullparse starts dunno, I don't like it
$q =& $fpdb->getQuery();
list($id, $entry) = @$q->peekEntry();
if (!$entry)
return $module;
if (!empty($fp_params['feed'])){
switch($fp_params['feed']) {
case 'atom':
header('Content-type: application/atom+xml');
$module = SHARED_TPLS . 'comment-atom.tpl';
break;
case 'rss2':
default:
header('Content-type: application/rss+xml');
$module = SHARED_TPLS . 'comment-rss.tpl';
}
} elseif (!in_array('commslock', $entry['categories'])) {
commentform();
}
return $module;
}
function comment_feed() {
global $fp_params;
echo "\n<link rel=\"alternate\" type=\"application/rss+xml\" title=\"Get Comments RSS 2.0 Feed\" href=\"".
theme_comments_feed_link('rss2', $fp_params['entry'])
."\" />";
echo "\n<link rel=\"alternate\" type=\"application/atom+xml\" title=\"Get Comments Atom 1.0 Feed\" href=\"".
theme_comments_feed_link('atom', $fp_params['entry'])
."\" />\n";
}
add_action('wp_head', 'comment_feed');
function comment_pagetitle($val, $sep) {
global $fpdb, $lang;
$q =& $fpdb->getQuery();
list($id, $e) = @$q->peekEntry();
if ($e)
return "{$e['subject']} : {$lang['main']['comments']} {$sep} $val ";
else return $val;
}
remove_filter('wp_title', 'index_permatitle');
add_filter('wp_title', 'comment_pagetitle', 10, 2);
function comment_validate() {
global $smarty, $lang;
$lerr =& $lang['comments']['error'];
$r = true;
/* $lang['comments']['error'] = array(
'name' => 'You must enter a name',
'email' => 'You must enter a valid email',
'www' => 'You must enter a valid URL',
'comment' => 'You must enter a comment',
);*/
// hackish solution to get title before fullparse starts dunno, I don't like it
$content= isset($_POST['content'])? trim(stripslashes($_POST['content'])) : null;
$q = & $fpdb->getQuery();
$errors = array();
list ($id, $entry) = @$q->peekEntry();
$loggedin = false; if (!$entry)
return $module;
if (user_loggedin()) {
$user = user_get(); if (!empty($fp_params ['feed'])) {
$loggedin = $arr['loggedin']=true;
$email = $user['email'];
$url = $user['www'];
$name = $user['userid'];
} else {
$name = trim(htmlspecialchars(@$_POST['name']));
$email = isset($_POST['email'])? trim(htmlspecialchars($_POST['email'])) : null;
$url = isset($_POST['url'])? trim(stripslashes(htmlspecialchars($_POST['url']))) : null;
/*
* check name
*
*/
if (!$name) {
$errors['name'] = $lerr['name'];
}
/*
* check email
*
*/
if ($email) {
$_is_valid = !(preg_match('!@.*@|\.\.|\,|\;!', $email) ||
!preg_match('!^.+\@(\[?)[a-zA-Z0-9\.\-]+\.([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$!', $email));
if (!$_is_valid) {
$errors['email'] = $lerr['email'];
}
}
/*
* check url
*
*/
if ($url) {
if (!preg_match('!^http(s)?://[\w-]+\.[\w-]+(\S+)?$!i', $url)) {
// || preg_match('!^http(s)?://localhost!', $value);
$errors['url'] = $lerr['www'];
}
}
} switch ($fp_params ['feed']) {
if (!$content) {
$errors['content'] = $lerr['comment'];
}
case 'atom':
header('Content-type: application/atom+xml');
$module = SHARED_TPLS . 'comment-atom.tpl';
break;
case 'rss2':
default:
header('Content-type: application/rss+xml');
$module = SHARED_TPLS . 'comment-rss.tpl';
}
} elseif (!in_array('commslock', $entry ['categories'])) {
commentform();
}
return $module;
}
if ($errors) { function comment_feed() {
$smarty->assign('error', $errors); global $fp_params;
return false; echo "\n<link rel=\"alternate\" type=\"application/rss+xml\" title=\"Get Comments RSS 2.0 Feed\" href=\"" . theme_comments_feed_link('rss2', $fp_params ['entry']) . "\" />";
} echo "\n<link rel=\"alternate\" type=\"application/atom+xml\" title=\"Get Comments Atom 1.0 Feed\" href=\"" . theme_comments_feed_link('atom', $fp_params ['entry']) . "\" />\n";
}
$arr['version'] = system_ver(); add_action('wp_head', 'comment_feed');
$arr['name'] = $name;
function comment_pagetitle($val, $sep) {
global $fpdb, $lang;
$q = & $fpdb->getQuery();
list ($id, $e) = @$q->peekEntry();
if ($e)
return "{$e['subject']} : {$lang['main']['comments']} {$sep} $val ";
else
return $val;
}
remove_filter('wp_title', 'index_permatitle');
add_filter('wp_title', 'comment_pagetitle', 10, 2);
if (!$loggedin) function comment_validate() {
setcookie('comment_author_' . COOKIEHASH, global $smarty, $lang;
$arr['name'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
$lerr = & $lang ['comments'] ['error'];
$r = true;
if ($email) {
($arr['email'] = $email); /*
if (!$loggedin) * $lang['comments']['error'] = array(
setcookie('comment_author_email_' . COOKIEHASH, * 'name' => 'You must enter a name',
$arr['email'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN); * 'email' => 'You must enter a valid email',
* 'www' => 'You must enter a valid URL',
} * 'comment' => 'You must enter a comment',
if ($url) { * );
($arr['url'] = ( $url )) ; */
if (!$loggedin)
setcookie('comment_author_url_' . COOKIEHASH, $content = isset($_POST ['content']) ? trim(stripslashes($_POST ['content'])) : null;
$arr['url'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
$errors = array();
} $loggedin = false;
$arr['content'] = $content;
if (user_loggedin()) {
if ($v = utils_ipget()) { $user = user_get();
$arr['ip-address'] = $v; $loggedin = $arr ['loggedin'] = true;
} $email = $user ['email'];
$url = $user ['www'];
if ($loggedin || apply_filters('comment_validate', true, $arr)) $name = $user ['userid'];
return $arr; } else {
else return false; $name = trim(htmlspecialchars(@$_POST ['name']));
$email = isset($_POST ['email']) ? trim(htmlspecialchars($_POST ['email'])) : null;
$url = isset($_POST ['url']) ? trim(stripslashes(htmlspecialchars($_POST ['url']))) : null;
/*
* check name
*
*/
if (!$name) {
$errors ['name'] = $lerr ['name'];
} }
function commentform() { /*
* check email
*
*/
global $smarty, $lang, $fpdb, $fp_params; if ($email) {
if (!filter_var($url, FILTER_VALIDATE_EMAIL)) {
$comment_formid = 'fp-comments'; $errors ['email'] = $lerr ['email'];
$smarty->assign('comment_formid', $comment_formid);
if(!empty($_POST)) {
# utils_nocache_headers();
// add http to url
if (!empty($_POST['url']) && strpos($_POST['url'], 'http://')===false)
$_POST['url'] = 'http://'.$_POST['url'];
// custom hook here!!
if($arr=comment_validate()) {
global $fp_config;
$id = comment_save($fp_params['entry'], $arr);
do_action('comment_post', $fp_params['entry'], array($id, $arr));
$q = new FPDB_Query(array('id'=>$fp_params['entry'],'fullparse'=>false), null);
list($entryid, $e) = $q->getEntry();
if ($fp_config['general']['notify'] && !user_loggedin()) {
global $post;
$comm_mail = isset($arr['email'])? "<{$arr['email']}>" : '';
$from_mail = $fp_config['general']['email'];
$post = $e; // plugin such as prettyurls might need this...
$lang = lang_load('comments');
$mail = str_replace(
array(
'%toname%',
'%fromname%',
'%frommail%',
'%entrytitle%',
'%commentlink%',
'%content%',
'%blogtitle%'
),
array(
$fp_config['general']['author'],
$arr['name'],
$comm_mail,
$e['subject'],
get_comments_link($entryid) . '#'.$id,
$arr['content'],
$fp_config['general']['title']
),
$lang['comments']['mail']
);
@utils_mail($from_mail, "New comment on {$fp_config['general']['title']}",
$mail);
}
// if comment is valid, this redirect will clean the postdata
$location = str_replace(
'&amp;', '&',
get_comments_link($entryid)
) . '#'.$id;
utils_redirect($location,true);
exit();
} else {
$smarty->assign('values', $_POST);
}
} }
}
/*
* check url
*
*/
if ($url) {
if (!filter_var($url, FILTER_VALIDATE_URL)) {
$errors ['url'] = $lerr ['www'];
}
}
}
if (!$content) {
$errors ['content'] = $lerr ['comment'];
}
if ($errors) {
$smarty->assign('error', $errors);
return false;
}
$arr ['version'] = system_ver();
$arr ['name'] = $name;
if (!$loggedin)
setcookie('comment_author_' . COOKIEHASH, $arr ['name'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
if ($email) {
($arr ['email'] = $email);
if (!$loggedin)
setcookie('comment_author_email_' . COOKIEHASH, $arr ['email'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
}
if ($url) {
($arr ['url'] = ($url));
if (!$loggedin)
setcookie('comment_author_url_' . COOKIEHASH, $arr ['url'], time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
}
$arr ['content'] = $content;
if ($v = utils_ipget()) {
$arr ['ip-address'] = $v;
}
if ($loggedin || apply_filters('comment_validate', true, $arr))
return $arr;
else
return false;
}
function commentform() {
// Cookies global $smarty, $lang, $fpdb, $fp_params;
$smarty->assign('cookie', array(
'name' => @$_COOKIE['comment_author_' . COOKIEHASH], $comment_formid = 'fp-comments';
'email' => @$_COOKIE['comment_author_email_' . COOKIEHASH], $smarty->assign('comment_formid', $comment_formid);
'url' => @$_COOKIE['comment_author_url_' . COOKIEHASH]
if (!empty($_POST)) {
// utils_nocache_headers();
// add http to url if not given
if (!empty($_POST ['url']) && strpos($_POST ['url'], 'http://') === false && strpos($_POST ['url'], 'https://') === false)
$_POST ['url'] = 'http://' . $_POST ['url'];
// custom hook here!!
if ($arr = comment_validate()) {
global $fp_config;
$id = comment_save($fp_params ['entry'], $arr);
do_action('comment_post', $fp_params ['entry'], array(
$id,
$arr
)); ));
$q = new FPDB_Query(array(
'id' => $fp_params ['entry'],
'fullparse' => false
), null);
list ($entryid, $e) = $q->getEntry();
if ($fp_config ['general'] ['notify'] && !user_loggedin()) {
global $post;
$comm_mail = isset($arr ['email']) ? "<{$arr['email']}>" : '';
$from_mail = $fp_config ['general'] ['email'];
$post = $e; // plugin such as prettyurls might need this...
$lang = lang_load('comments');
$mail = str_replace(array(
'%toname%',
'%fromname%',
'%frommail%',
'%entrytitle%',
'%commentlink%',
'%content%',
'%blogtitle%'
), array(
$fp_config ['general'] ['author'],
$arr ['name'],
$comm_mail,
$e ['subject'],
get_comments_link($entryid) . '#' . $id,
$arr ['content'],
$fp_config ['general'] ['title']
), $lang ['comments'] ['mail']);
@utils_mail($from_mail, "New comment on {$fp_config['general']['title']}", $mail);
}
// if comment is valid, this redirect will clean the postdata
$location = str_replace('&amp;', '&', get_comments_link($entryid)) . '#' . $id;
utils_redirect($location, true);
exit();
} else {
$smarty->assign('values', $_POST);
} }
}
// Cookies
$smarty->assign('cookie', array(
'name' => @$_COOKIE ['comment_author_' . COOKIEHASH],
'email' => @$_COOKIE ['comment_author_email_' . COOKIEHASH],
'url' => @$_COOKIE ['comment_author_url_' . COOKIEHASH]
));
}
?> ?>

4
fp-interface/themes/leggero/comments.tpl
View File

@ -19,13 +19,13 @@
else default fallback on displaying plain $name" else default fallback on displaying plain $name"
*} *}
{$url|notempty:"<a href=\"$url\" title=\"Permalink to $name's comment\">$name</a>"|default:$name} {$url|notempty:"<a href=\"$url\" rel=\"nofollow\" title=\"Visit $url\">$name</a>"|default:$name}
</strong> </strong>
{include file=shared:commentadminctrls.tpl} {* this shows edit/delete links*} {include file=shared:commentadminctrls.tpl} {* this shows edit/delete links*}
<p class="date"> <p class="date">
<a href="{$entryid|link:comments_link}#{$id}">{$date|date_format:"%A, %B %e, %Y - %H:%M:%S"}</a> <a href="{$entryid|link:comments_link}#{$id}" title="Permalink to {$name}'s comment">{$date|date_format:"%A, %B %e, %Y - %H:%M:%S"}</a>
</p> </p>
{$content|tag:comment_text} {$content|tag:comment_text}