/** * Add a form to create new comments * * @param FrontendTemplate|object $objTemplate * @param \stdClass $objConfig * @param string $strSource * @param integer $intParent * @param mixed $varNotifies */ protected function renderCommentForm(FrontendTemplate $objTemplate, \stdClass $objConfig, $strSource, $intParent, $varNotifies) { $this->import('FrontendUser', 'User'); // Access control if ($objConfig->requireLogin && !FE_USER_LOGGED_IN) { $objTemplate->requireLogin = true; $objTemplate->login = $GLOBALS['TL_LANG']['MSC']['com_login']; return; } // Confirm or remove a subscription if (\Input::get('token')) { static::changeSubscriptionStatus($objTemplate); return; } // Form fields $arrFields = array('name' => array('name' => 'name', 'label' => $GLOBALS['TL_LANG']['MSC']['com_name'], 'value' => trim($this->User->firstname . ' ' . $this->User->lastname), 'inputType' => 'text', 'eval' => array('mandatory' => true, 'maxlength' => 64)), 'email' => array('name' => 'email', 'label' => $GLOBALS['TL_LANG']['MSC']['com_email'], 'value' => $this->User->email, 'inputType' => 'text', 'eval' => array('rgxp' => 'email', 'mandatory' => true, 'maxlength' => 128, 'decodeEntities' => true)), 'website' => array('name' => 'website', 'label' => $GLOBALS['TL_LANG']['MSC']['com_website'], 'inputType' => 'text', 'eval' => array('rgxp' => 'url', 'maxlength' => 128, 'decodeEntities' => true))); // Captcha if (!$objConfig->disableCaptcha) { $arrFields['captcha'] = array('name' => 'captcha', 'label' => $GLOBALS['TL_LANG']['MSC']['securityQuestion'], 'inputType' => 'captcha', 'eval' => array('mandatory' => true)); } // Comment field $arrFields['comment'] = array('name' => 'comment', 'label' => $GLOBALS['TL_LANG']['MSC']['com_comment'], 'inputType' => 'textarea', 'eval' => array('mandatory' => true, 'rows' => 4, 'cols' => 40, 'preserveTags' => true)); // Notify me of new comments $arrFields['notify'] = array('name' => 'notify', 'label' => '', 'inputType' => 'checkbox', 'options' => array(1 => $GLOBALS['TL_LANG']['MSC']['com_notify'])); $doNotSubmit = false; $arrWidgets = array(); $strFormId = 'com_' . $strSource . '_' . $intParent; // Initialize the widgets foreach ($arrFields as $arrField) { /** @var Widget $strClass */ $strClass = $GLOBALS['TL_FFL'][$arrField['inputType']]; // Continue if the class is not defined if (!class_exists($strClass)) { continue; } $arrField['eval']['required'] = $arrField['eval']['mandatory']; /** @var Widget $objWidget */ $objWidget = new $strClass($strClass::getAttributesFromDca($arrField, $arrField['name'], $arrField['value'])); // Validate the widget if (\Input::post('FORM_SUBMIT') == $strFormId) { $objWidget->validate(); if ($objWidget->hasErrors()) { $doNotSubmit = true; } } $arrWidgets[$arrField['name']] = $objWidget; } $objTemplate->fields = $arrWidgets; $objTemplate->submit = $GLOBALS['TL_LANG']['MSC']['com_submit']; $objTemplate->action = ampersand(\Environment::get('request')); $objTemplate->messages = ''; // Deprecated since Contao 4.0, to be removed in Contao 5.0 $objTemplate->formId = $strFormId; $objTemplate->hasError = $doNotSubmit; // Do not index or cache the page with the confirmation message if ($_SESSION['TL_COMMENT_ADDED']) { /** @var PageModel $objPage */ global $objPage; $objPage->noSearch = 1; $objPage->cache = 0; $objTemplate->confirm = $GLOBALS['TL_LANG']['MSC']['com_confirm']; $_SESSION['TL_COMMENT_ADDED'] = false; } // Store the comment if (!$doNotSubmit && \Input::post('FORM_SUBMIT') == $strFormId) { $strWebsite = $arrWidgets['website']->value; // Add http:// to the website if ($strWebsite != '' && !preg_match('@^(https?://|ftp://|mailto:|#)@i', $strWebsite)) { $strWebsite = 'http://' . $strWebsite; } // Do not parse any tags in the comment $strComment = \StringUtil::specialchars(trim($arrWidgets['comment']->value)); $strComment = str_replace(array('&', '<', '>'), array('[&]', '[lt]', '[gt]'), $strComment); // Remove multiple line feeds $strComment = preg_replace('@\\n\\n+@', "\n\n", $strComment); // Parse BBCode if ($objConfig->bbcode) { $strComment = $this->parseBbCode($strComment); } // Prevent cross-site request forgeries $strComment = preg_replace('/(href|src|on[a-z]+)="[^"]*(contao\\/main\\.php|typolight\\/main\\.php|javascript|vbscri?pt|script|alert|document|cookie|window)[^"]*"+/i', '$1="#"', $strComment); $time = time(); // Prepare the record $arrSet = array('tstamp' => $time, 'source' => $strSource, 'parent' => $intParent, 'name' => $arrWidgets['name']->value, 'email' => $arrWidgets['email']->value, 'website' => $strWebsite, 'comment' => $this->convertLineFeeds($strComment), 'ip' => $this->anonymizeIp(\Environment::get('ip')), 'date' => $time, 'published' => $objConfig->moderate ? '' : 1); // Store the comment $objComment = new \CommentsModel(); $objComment->setRow($arrSet)->save(); // Store the subscription if ($arrWidgets['notify']->value) { static::addCommentsSubscription($objComment); } // HOOK: add custom logic if (isset($GLOBALS['TL_HOOKS']['addComment']) && is_array($GLOBALS['TL_HOOKS']['addComment'])) { foreach ($GLOBALS['TL_HOOKS']['addComment'] as $callback) { $this->import($callback[0]); $this->{$callback[0]}->{$callback[1]}($objComment->id, $arrSet, $this); } } // Prepare the notification mail $objEmail = new \Email(); $objEmail->from = $GLOBALS['TL_ADMIN_EMAIL']; $objEmail->fromName = $GLOBALS['TL_ADMIN_NAME']; $objEmail->subject = sprintf($GLOBALS['TL_LANG']['MSC']['com_subject'], \Idna::decode(\Environment::get('host'))); // Convert the comment to plain text $strComment = strip_tags($strComment); $strComment = \StringUtil::decodeEntities($strComment); $strComment = str_replace(array('[&]', '[lt]', '[gt]'), array('&', '<', '>'), $strComment); // Add the comment details $objEmail->text = sprintf($GLOBALS['TL_LANG']['MSC']['com_message'], $arrSet['name'] . ' (' . $arrSet['email'] . ')', $strComment, \Idna::decode(\Environment::get('base')) . \Environment::get('request'), \Idna::decode(\Environment::get('base')) . 'contao?do=comments&act=edit&id=' . $objComment->id); // Add a moderation hint to the e-mail (see #7478) if ($objConfig->moderate) { $objEmail->text .= "\n" . $GLOBALS['TL_LANG']['MSC']['com_moderated'] . "\n"; } // Do not send notifications twice if (is_array($varNotifies)) { $objEmail->sendTo(array_unique($varNotifies)); } elseif ($varNotifies != '') { $objEmail->sendTo($varNotifies); // see #5443 } // Pending for approval if ($objConfig->moderate) { $_SESSION['TL_COMMENT_ADDED'] = true; } else { static::notifyCommentsSubscribers($objComment); } $this->reload(); } }