

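--- a/textpattern/publish/comment.php
+++ b/textpattern/publish/comment.php
@@ -4,10 +4,10 @@
         This is Textpattern
         Copyright 2005 by Dean Allen - all rights reserved.
 
-        Use of this software denotes acceptance of the Textpattern license agreement 
+        Use of this software denotes acceptance of the Textpattern license agreement
 
 $HeadURL: http://svn.textpattern.com/development/4.0/textpattern/publish/comment.php $
-$LastChangedRevision: 2513 $
+$LastChangedRevision: 2769 $
 
 */
 
@@ -15,7 +15,7 @@
         function fetchComments($id)
         {
                 $rs = safe_rows(
-                        "*, unix_timestamp(posted) as time", 
+                        "*, unix_timestamp(posted) as time",
                         "txp_discuss", 'parentid='.intval($id).' and visible='.VISIBLE.' order by posted asc'
                 );
 
@@ -52,7 +52,7 @@
                 return $secret;
         }
 
-        function commentForm($id, $atts=NULL) 
+        function commentForm($id, $atts=NULL)
         {
                 global $prefs;
                 extract($prefs);
@@ -151,7 +151,7 @@
 
                 $textarea = '<textarea id="message" name="'.$n_message.'"'.$msgcols.$msgrows.$msgstyle.
                         ' class="txpCommentInputMessage'.(($commentwarn) ? ' comments_error"' : '"').
-                        '>'.htmlspecialchars($message).'</textarea>';
+                        '>'.htmlspecialchars(substr(trim($message), 0, 65535)).'</textarea>';
 
                 // by default, the submit button is visible but disabled
                 $comment_submit_button = fInput('submit', 'submit', gTxt('submit'), 'button disabled', '', '', '', '', 'txpCommentSubmit', true);
@@ -230,7 +230,7 @@
                 ob_start('parse');
                 $out = fetch_form('popup_comments');
                 $out = str_replace("<txp:popup_comments />",$discuss,$out);
-                
+
                 return $out;
 
         }
@@ -248,7 +248,7 @@
         }
 
 // -------------------------------------------------------------
-        function destroyCookies() 
+        function destroyCookies()
         {
                 $cookietime = time()-3600;
                 ob_start();
@@ -263,7 +263,7 @@
         function getComment()
         {
                 // comment spam filter plugins: call this function to fetch comment contents
-                
+
                 $c = psa( array(
                         'parentid',
                         'name',
@@ -312,7 +312,7 @@
 
                 $ip = serverset('REMOTE_ADDR');
 
-                if (!checkBan($ip)) 
+                if (!checkBan($ip))
                         txp_die(gTxt('you_have_been_banned'), '403');
 
                 $blacklisted = is_blacklisted($ip);
@@ -330,20 +330,20 @@
                 $web = doSlash(strip_tags(deEntBrackets($web)));
                 $email = doSlash(strip_tags(deEntBrackets($email)));
 
-                $message = trim($message);
+                $message = substr(trim($message), 0, 65535);
                 $message2db = doSlash(markup_comment($message));
 
-                $isdup = safe_row("message,name", "txp_discuss", 
+                $isdup = safe_row("message,name", "txp_discuss",
                         "name='$name' and message='$message2db' and ip='".doSlash($ip)."'");
 
                 if (   ($prefs['comments_require_name'] && !trim($name))
                         || ($prefs['comments_require_email'] && !trim($email))
                         || (!trim($message)))
-                { 
+                {
                         $evaluator -> add_estimate(RELOAD,1); // The error-messages are added in the preview-code
                 }
 
-                if ($isdup) 
+                if ($isdup)
                         $evaluator -> add_estimate(RELOAD,1); // FIXME? Tell the user about dupe?
 
                 if ( ($evaluator->get_result() != RELOAD) && checkNonce($nonce) ) {
@@ -414,9 +414,9 @@
                                                                    VISIBLE  => array(),
                                                                    RELOAD  => array()
                                                                 );
-                        $this->status_text = array(     SPAM => gTxt('spam'), 
-                                                                        MODERATE => gTxt('unmoderated'), 
-                                                                        VISIBLE  => gTxt('visible'), 
+                        $this->status_text = array(     SPAM => gTxt('spam'),
+                                                                        MODERATE => gTxt('unmoderated'),
+                                                                        VISIBLE  => gTxt('visible'),
                                                                         RELOAD  => gTxt('reload')
                                                                 );
                         $this->message = $this->status;
@@ -456,7 +456,7 @@
                         $file = $prefs['tempdir'].DS.'evaluator_trace.php';
                         if (!file_exists($file)) {
                                 $fp = fopen($file,'wb');
-                                if ($fp) 
+                                if ($fp)
                                         fwrite($fp,"<?php return; ?>\n".
                                         "This trace-file tracks saved comments. (created ".safe_strftime($prefs['archive_dateformat'],time()).")\n".
                                         "Format is: Type; Probability; Message (Type can be -1 => spam, 0 => moderate, 1 => visible)\n\n");
@@ -472,19 +472,19 @@
         }
 
         function &get_comment_evaluator() {
-            static $instance; 
-         
+            static $instance;
+
             // If the instance is not there, create one
-            if(!isset($instance)) { 
-                $instance = new comment_evaluation(); 
-            } 
-            return $instance; 
+            if(!isset($instance)) {
+                $instance = new comment_evaluation();
+            }
+            return $instance;
         }
 
 // -------------------------------------------------------------
         function checkNonce($nonce)
         {
-                if (!$nonce && !preg_match('#^[a-zA-Z0-9]*$#',$nonce)) 
+                if (!$nonce && !preg_match('#^[a-zA-Z0-9]*$#',$nonce))
                         return false;
                         // delete expired nonces
                 safe_delete("txp_discuss_nonce", "issue_time < date_sub(now(),interval 10 minute)");
@@ -512,10 +512,10 @@
                 {
                         $Annotate = $thisarticle['annotate'];
                         $uPosted  = $thisarticle['posted'];
-                } 
+                }
                 else
                 {
-                        extract(        
+                        extract(
                                 safe_row(
                                         "Annotate,unix_timestamp(Posted) as uPosted",
                                                 "textpattern", "ID = $id"
@@ -526,7 +526,7 @@
                 if ($Annotate != 1)
                         return false;
 
-                if($comments_disabled_after) {          
+                if($comments_disabled_after) {
                         $lifespan = ( $comments_disabled_after * 86400 );
                         $timesince = ( time() - $uPosted );
                         return ( $lifespan > $timesince );
@@ -542,7 +542,7 @@
         }
 
 // -------------------------------------------------------------
-        function mail_comment($message, $cname, $cemail, $cweb, $parentid, $discussid) 
+        function mail_comment($message, $cname, $cemail, $cweb, $parentid, $discussid)
         {
                 global $sitename;
                 $parentid = assert_int($parentid);
@@ -552,7 +552,7 @@
                 extract(safe_row("RealName, email", "txp_users", "name = '".doSlash($AuthorID)."'"));
 
                 $evaluator =& get_comment_evaluator();
-        
+
                 $out = gTxt('greeting')." $RealName,".n.n;
                 $out .= str_replace('{title}',$Title,gTxt('comment_recorded')).n;
                 $out .= permlinkurl_id($parentid).n;
@@ -571,7 +571,7 @@
         }
 // -------------------------------------------------------------
         # deprecated, use fInput instead
-        function input($type,$name,$val,$size='',$class='',$tab='',$chkd='') 
+        function input($type,$name,$val,$size='',$class='',$tab='',$chkd='')
         {
                 $o = array(
                         '<input type="'.$type.'" name="'.$name.'" id="'.$name.'" value="'.$val.'"',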
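Review bot: The nonce format guard in checkNonce (new line 487, which this commit only re-whitespaced) can never reject anything: with `&&` the regex is consulted only when `$nonce` is empty, and an empty string matches `^[a-zA-Z0-9]*$`, so neither operand ever makes the condition true and any nonce value, including one with quotes or other unexpected characters, continues into the code that follows. It should read `if (!$nonce || !preg_match('#^[a-zA-Z0-9]+$#', $nonce))`, which rejects both a missing nonce and one outside the expected alphabet. How `$nonce` is used after the expiry sweep on line 490 is outside this hunk, so whether an unfiltered value currently reaches a query there cannot be confirmed from this view. Separately, the 65535-byte cap added at line 333 of getComment is applied before `markup_comment` expands the text, so `$message2db` on the next line is not itself bounded; if the intent is to fit the storage column, the length check belongs on the marked-up string, and a byte-wise `substr` on UTF-8 input can also cut a multibyte sequence in half.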