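/**
 * Reduce user-supplied text to a small HTML tag whitelist and strip the
 * attribute forms that turn an allowed tag into script execution.
 *
 * Kept from the original: newlines become <br />, only the tags listed in
 * $allowedtags survive strip_tags(), and the result goes through cleanWords().
 *
 * Changed: the original removed a fixed list of eleven event-handler names in
 * a single pass, so any on* attribute not on the list (onerror, onload, ...)
 * survived on the permitted <img>/<a> tags, and a name that reassembles
 * itself after one removal was not caught. This version removes every
 * on*= attribute and every javascript:/vbscript: scheme (plus data: inside
 * href/src), and repeats until the text stops changing.
 *
 * NOTE(review): this is still a regex filter over raw HTML, not a parser;
 * entity-encoded schemes (e.g. &#106;avascript:) are not decoded here, so
 * output should additionally be escaped for the context where it is echoed.
 *
 * @param string $text raw text from the request
 * @return string filtered text
 */
function cleanXSS($text)
{
    $allowedtags = '<b><i><br><a><ul><li><pre><hr><blockquote><img>';
    $patterns = array(
        // any attribute whose name starts with "on", with a quoted or bare value
        '@(?<=[\s/"\'])on[a-z]+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)@i',
        // script URL schemes wherever they appear (same intent as the original)
        '@(javascript|vbscript)\s*:@i',
        // data: only where it would be dereferenced; bare "data:" in prose is left alone
        '@(?<=[\s/"\'])(href|src)\s*=\s*["\']?\s*data\s*:[^"\'\s>]*["\']?@i',
    );
    $text = str_replace("\n", "<br />", $text);
    // Drop disallowed tags first so the attribute patterns only see the whitelist.
    $text = strip_tags($text, $allowedtags);
    // Repeat until stable: removing one token can expose a new match.
    do {
        $previous = $text;
        $text = preg_replace($patterns, '', $text);
        if ($text === null) {
            // PCRE failure (e.g. backtrack limit): fall back to plain text
            // rather than returning partially filtered markup.
            $text = strip_tags($previous);
            break;
        }
    } while ($text !== $previous);
    //Clean words if asked.
    $text = cleanWords($text);
    return $text;
}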
/**
 * Render the comment section for the current article and, when the request
 * is a POST carrying a 'comment' field, store the submitted comment first.
 *
 * Reads the globals $categorySEF, $subcatSEF, $articleSEF, $_ID and
 * $commentsPage; $_ID is the article whose comments are listed. All output is
 * written directly with echo, and storage goes through the legacy mysql_*
 * extension (no prepared statements available; removed in PHP 7).
 *
 * @param string $freeze_status 'freezed' hides the submission form; the
 *        'freeze_comments' setting set to 'YES' has the same effect.
 * @return void
 */
function comment($freeze_status)
{
    echo '<h3>Comments</h3>';
    global $categorySEF, $subcatSEF, $articleSEF, $_ID, $commentsPage;
    // $commentsPage arrives with the localised "comment pages" prefix attached.
    if (isset($commentsPage)) {
        $commentsPage = str_replace(l('comment_pages'), '', $commentsPage);
    }
    if (strpos($articleSEF, l('paginator')) === 0) {
        $articleSEF = str_replace(l('paginator'), '', $articleSEF);
    }
    // After this point $commentsPage is always set and >= 1.
    if (!isset($commentsPage) || !is_numeric($commentsPage) || $commentsPage < 1) {
        $commentsPage = 1;
    }
    $comments_order = s('comments_order');
    if (isset($_POST['comment'])) {
        // --- Submission branch: validate, de-duplicate, insert, report. ---
        $comment = cleanWords(trim($_POST['text']));
        $comment = strlen($comment) > 4 ? clean(cleanXSS($comment)) : null;
        $name = trim($_POST['name']);
        $name = strlen($name) > 1 ? clean(cleanXSS($name)) : null;
        $url = trim($_POST['url']);
        $url = strlen($url) > 8 && strpos($url, '?') === false ? clean(cleanXSS($url)) : null;
        $post_article_id = is_numeric($_POST['id']) && $_POST['id'] > 0 ? $_POST['id'] : null;
        // strlen < 16 only fits dotted IPv4; an IPv6 address yields null and the
        // post is rejected by the address check below.
        $ip = strlen($_POST['ip']) < 16 ? clean(cleanXSS($_POST['ip'])) : null;
        if (_ADMIN) {
            $doublecheck = 1;
            $ident = 1;
        } else {
            // Repost guard: $ident is 0 when the same text already exists and the
            // same session/ip posted within comment_repost_timer; $doublecheck is 0
            // when the session's last post is the identical comment+article pair.
            // NOTE(review): the poster session keys are read without isset, so a
            // first post emits notices; the comparisons still work on null.
            $contentCheck = retrieve('id', 'comments', 'comment', $comment);
            $ident = !$contentCheck || time() - $_SESSION[_SITE . 'poster']['time'] > s('comment_repost_timer') || $_SESSION[_SITE . 'poster']['ip'] !== $ip ? 1 : 0;
            $doublecheck = $_SESSION[_SITE . 'poster']['article'] === "{$comment}:|:{$post_article_id}" && time() - $_SESSION[_SITE . 'poster']['time'] < s('comment_repost_timer') ? 0 : 1;
        }
        // The posted ip is a hidden form field filled from REMOTE_ADDR when the
        // form was rendered, so this (loose) comparison only ties the submission
        // to the address the form was served to.
        if ($ip == $_SERVER['REMOTE_ADDR'] && $comment && $name && $post_article_id && checkMathCaptcha() && $doublecheck == 1 && $ident == 1) {
            // Unanchored match: a scheme or "www." anywhere in the string passes.
            $url = preg_match('/((http)+(s)?:(\\/\\/)|(www\\.))([a-z0-9_\\-]+)/', $url) ? $url : '';
            $url = substr($url, 0, 3) == 'www' ? 'http://' . $url : $url;
            // Server default timezone.
            $time = date('Y-m-d H:i:s');
            unset($_SESSION[_SITE . 'poster']);
            $approved = s('approve_comments') != 'on' || _ADMIN ? 'True' : '';
            // NOTE(review): values are interpolated into the SQL string; safety
            // rests entirely on clean() escaping for MySQL, which is not visible
            // here — confirm. $post_article_id is numeric-checked above.
            $query = 'INSERT INTO ' . _PRE . 'comments' . '(articleid, name, url, comment, time, approved) VALUES' .
                "('{$post_article_id}', '{$name}', '{$url}', '{$comment}', '{$time}', '{$approved}')";
            mysql_query($query);
            $_SESSION[_SITE . 'poster']['article'] = "{$comment}:|:{$post_article_id}";
            $_SESSION[_SITE . 'poster']['time'] = time(); // this is to set session for checking multiple postings.
            $_SESSION[_SITE . 'poster']['ip'] = $ip;
            $commentStatus = s('approve_comments') == 'on' && !_ADMIN ? l('comment_sent_approve') : l('comment_sent');
            // eMAIL COMMENTS
            if (s('mail_on_comments') == 'on' && !_ADMIN) {
                if (s('approve_comments') == 'on') {
                    $status = l('approved_text');
                    $subject = l('subject_a');
                } else {
                    $status = l('not_waiting_approved');
                    $subject = l('subject_b');
                }
                $to = s('website_email');
                $send_array = array('to' => $to, 'name' => $name, 'comment' => $comment, 'ip' => $ip, 'url' => $url, 'subject' => $subject, 'status' => $status);
                send_email($send_array);
            } // End of Mail
        } else {
            // Keep the rejected input in the session so the form can be refilled.
            $commentStatus = l('comment_error');
            $commentReason = l('ce_reasons');
            $fail = true;
            $_SESSION[_SITE . 'comment']['name'] = $name;
            $_SESSION[_SITE . 'comment']['comment'] = br2nl($comment);
            $_SESSION[_SITE . 'comment']['url'] = $url;
            $_SESSION[_SITE . 'comment']['fail'] = $fail;
        }
        echo '<h2>' . $commentStatus . '</h2>';
        // $commentReason is only assigned on failure; empty() tolerates that.
        if (!empty($commentReason)) {
            echo '<p>' . $commentReason . '</p>';
        }
        // NOTE(review): $postArt ends up inside an href and a meta refresh URL;
        // cleanXSS/clean are the only filters applied — confirm clean() escapes
        // for an HTML attribute context.
        $postArt = clean(cleanXSS($_POST['article']));
        $postArtID = retrieve('category', 'articles', 'id', $post_article_id);
        if ($postArtID == 0) {
            $postCat = '';
        } else {
            $postCat = cat_rel($postArtID, 'seftitle') . '/';
        }
        // $fail is assigned only in the error branch; on success this reads an
        // undefined variable (null, so the redirect branch runs).
        if ($fail) {
            $back_link = _SITE . $postCat . $postArt;
            echo '<a href="' . $back_link . '/">' . l('back') . '</a>';
        } else {
            echo '<meta http-equiv="refresh" content="1; url=' . _SITE . $postCat . $postArt . '/">';
        }
    } else {
        // --- Display branch: paginated list of approved comments, then the form. ---
        $commentCount = s('comment_limit');
        $comment_limit = empty($commentCount) || $commentCount < 1 ? 100 : $commentCount;
        // Always true here because $commentsPage was defaulted to 1 above.
        if (isset($commentsPage)) {
            $pageNum = $commentsPage;
        }
        $offset = ($pageNum - 1) * $comment_limit;
        // NOTE(review): $_ID is concatenated into the query unescaped —
        // presumably numeric; verify where the global is set.
        $totalrows = 'SELECT count(id) AS num FROM ' . _PRE .
            'comments' . ' WHERE articleid = ' . $_ID . ' AND approved = \'True\';';
        $rowsresult = mysql_query($totalrows);
        $numrows = mysql_fetch_array($rowsresult);
        $numrows = $numrows['num'];
        /**** redundant/excessive
        /* if ($numrows == 0) { if ($freeze_status != 'freezed' && s('freeze_comments') != 'YES') { echo '<p>'.l('no_comment').'</p>'; } else { echo '<p>'.l('frozen_comments').'</p>'; } } else {
        /**** end redundant/excessive*****/
        if ($numrows > 0) {
            // $comments_order, $offset and $comment_limit come from settings /
            // arithmetic above, not from the request.
            $query = 'SELECT id,articleid,name,url,comment,time,approved FROM ' . _PRE . 'comments' . ' WHERE articleid = ' . $_ID . ' AND approved = \'True\' ORDER BY id ' . $comments_order . ' LIMIT ' . "{$offset}, {$comment_limit}";
            $result = mysql_query($query) or die(l('dberror'));
            $ordinal = 1;
            $date_format = s('date_format');
            $edit_link = ' <a href="' . _SITE . '?action=';
            while ($r = mysql_fetch_array($result)) {
                $date = date($date_format, strtotime($r['time']));
                $commentNum = $offset + $ordinal;
                // tags('comments') is a comma-separated template of which pieces
                // to print and in what order; anything unrecognised is echoed as-is.
                $tag = explode(',', tags('comments'));
                // foreach iterates a copy, so reusing $tag as the loop variable
                // works; $tag is rebuilt for every row anyway.
                foreach ($tag as $tag) {
                    switch (true) {
                        case $tag == 'date':
                            echo '<a id="' . l('comment') . $commentNum . '" name="' . l('comment') . $commentNum . '"></a>' . $date;
                            break;
                        case $tag == 'name':
                            // Stored values are echoed as-is: rendering trusts the
                            // filtering applied at insert time, so rows written by
                            // another path are not re-escaped here.
                            $name = $r['name'];
                            echo !empty($r['url']) ? '<a href="' . $r['url'] . '" title="' . $r['url'] . '" rel="nofollow"> ' . $name . '</a> ' : $name;
                            break;
                        case $tag == 'comment':
                            echo $r['comment'];
                            break;
                        case $tag == 'edit' && _ADMIN:
                            echo $edit_link . 'editcomment&commentid=' . $r['id'] . '" title="' . l('edit') . ' ' . l('comment') . '">' . l('edit') . '</a> ';
                            echo $edit_link . 'process&task=deletecomment&commentid=' . $r['id'] . '" title="' . l('delete') . ' ' . l('comment') . '" onclick="return pop()">' . l('delete') .
                                '</a>';
                            break;
                        case $tag == 'edit':
                            // Non-admins get nothing for the edit slot.
                            break;
                        default:
                            echo $tag;
                    }
                }
                $ordinal++;
            }
            $maxPage = ceil($numrows / $comment_limit);
            // Page that a newly added comment would land on; used by the form below.
            $back_to_page = ceil(($numrows + 1) / $comment_limit);
            if ($maxPage > 1) {
                paginator($pageNum, $maxPage, l('comment_pages'));
            }
        }
        if ($freeze_status != 'freezed' && s('freeze_comments') != 'YES') {
            /*added 24 jan 2009*/
            if ($numrows == 0) {
                echo '<p>' . l('no_comment') . '</p>';
            }
            // recall and set vars for reuse when botched post
            // NOTE(review): read without isset; emits a notice when no failed post is pending.
            if ($_SESSION[_SITE . 'comment']['fail'] == true) {
                $name = $_SESSION[_SITE . 'comment']['name'];
                $comment = $_SESSION[_SITE . 'comment']['comment'];
                $url = $_SESSION[_SITE . 'comment']['url'];
                unset($_SESSION[_SITE . 'comment']);
            } else {
                $url = $name = $comment = '';
            }
            // end var retrieval
            $art_value = empty($articleSEF) ? $subcatSEF : $articleSEF;
            echo '<div class="commentsbox"><h2>' . l('addcomment') . '</h2>' . "\r\n";
            echo '<p>' . l('required') . '</p>' . "\r\n";
            echo html_input('form', '', 'post', '', '', '', '', '', '', '', '', '', 'post', _SITE, '') . "\r\n";
            echo html_input('text', 'name', 'name', $name, '* ' . l('name'), 'text', '', '', '', '', '', '', '', '', '') . "\r\n";
            echo html_input('text', 'url', 'url', $url, l('url'), 'text', '', '', '', '', '', '', '', '', '') . "\r\n";
            echo html_input('textarea', 'text', 'text', $comment, '* ' . l('comment'), '', '', '', '', '', '5', '5', '', '', '') . "\r\n";
            echo mathCaptcha() . "\r\n";
            echo '<p>';
            echo html_input('hidden', 'category', 'category', $categorySEF, '', '', '', '', '', '', '', '', '', '', '') . "\r\n";
            echo html_input('hidden', 'id', 'id', $_ID, '', '', '', '', '', '', '', '', '', '', '') . "\r\n";
            echo html_input('hidden', 'article', 'article', $art_value, '', '', '', '', '', '', '', '', '', '', '') . "\r\n";
            // $back_to_page is only assigned inside the $numrows > 0 block above, so
            // with no comments yet this hidden field is rendered from an undefined variable.
            echo html_input('hidden', 'commentspage', 'commentspage', $back_to_page, '', '', '', '', '', '', '', '', '', '', '') . "\r\n";
            // Source of the 'ip' field that the submission branch compares against.
            echo html_input('hidden', 'ip', 'ip', $_SERVER['REMOTE_ADDR'], '', '', '', '', '', '', '', '', '', '', '') .
                "\r\n";
            echo html_input('hidden', 'time', 'time', time(), '', '', '', '', '', '', '', '', '', '', '');
            echo html_input('submit', 'comment', 'comment', l('submit'), '', 'button', '', '', '', '', '', '', '', '', '') . "\r\n";
            echo '</p></form></div>';
        } else {
            echo '<p>' . l('frozen_comments') . '</p>';
        }
    }
}