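/**
 * Handles an AJAX comment submission for a K2 item.
 *
 * Reads the item id and the comment fields from the request, verifies that
 * the current user may view the (published, non-trashed) item and category,
 * validates and normalises the submitted fields, runs the configured
 * anti-spam checks (reCAPTCHA and/or Akismet) and stores the comment.
 * Each outcome is reported as a JSON-encoded JObject with a `message`
 * property (plus `refresh = 1` when the page should reload); the request is
 * ended with $mainframe->close() right after the response is written.
 *
 * Changes over the previous revision:
 *  - a failed bind() called the non-existent JObject::message() method
 *    instead of assigning the `message` property as every other error path does;
 *  - comment URLs with an https:// or ftp:// scheme were prefixed with a
 *    second "http://"; the scheme check is now anchored on any allowed scheme;
 *  - the row key and, for guests, userID are reset after bind(), so a
 *    submission can only create a new comment under the submitter's identity.
 */
function comment()
{
    $mainframe = JFactory::getApplication();
    jimport('joomla.mail.helper');
    JTable::addIncludePath(JPATH_COMPONENT_ADMINISTRATOR . DS . 'tables');
    $params = K2HelperUtilities::getParams('com_k2');
    $user = JFactory::getUser();
    $config = JFactory::getConfig();
    JLoader::register('Services_JSON', JPATH_ADMINISTRATOR . DS . 'components' . DS . 'com_k2' . DS . 'lib' . DS . 'JSON.php');
    $json = new Services_JSON();
    $response = new JObject();

    // Load the item and its category
    $item = JTable::getInstance('K2Item', 'Table');
    $item->load(JRequest::getInt('itemID'));
    $category = JTable::getInstance('K2Category', 'Table');
    $category->load($item->catid);

    // Access check: both the item and its category must be viewable by the current user
    if (K2_JVERSION != '15') {
        $viewLevels = $user->getAuthorisedViewLevels();
        if (!in_array($item->access, $viewLevels) || !in_array($category->access, $viewLevels)) {
            JError::raiseError(403, JText::_('K2_ALERTNOTAUTH'));
        }
    } else {
        // Joomla 1.5: numeric access levels compared against the user's "aid"
        $aid = $user->get('aid', 0);
        if ($item->access > $aid || $category->access > $aid) {
            JError::raiseError(403, JText::_('K2_ALERTNOTAUTH'));
        }
    }

    // Published check
    if (!$item->published || $item->trash) {
        JError::raiseError(404, JText::_('K2_ITEM_NOT_FOUND'));
    }
    if (!$category->published || $category->trash) {
        JError::raiseError(404, JText::_('K2_ITEM_NOT_FOUND'));
    }

    // Check permissions. Setting '2' = registered users who may comment in this
    // category; setting '1' = anyone. Parenthesised to make the && / || grouping explicit.
    $commentsMode = $params->get('comments');
    $canComment = ($commentsMode == '2' && $user->id > 0 && K2HelperPermissions::canAddComment($item->catid))
        || $commentsMode == '1';

    if ($canComment) {
        $row = JTable::getInstance('K2Comment', 'Table');
        if (!$row->bind(JRequest::get('post'))) {
            // JObject has no message() method; assign the property like every other error path
            $response->message = $row->getError();
            echo $json->encode($response);
            $mainframe->close();
        }

        // bind() copied every posted field into the row. Reset the fields the
        // client must not control so the request can only create a new comment:
        // the row key (otherwise store() would update an existing row) and, for
        // guests, the user id (set from the session below for logged-in users).
        $row->id = 0;
        if ($user->guest) {
            $row->userID = 0;
        }

        // All HTML is stripped from the comment body; URLs are converted to
        // links automatically at render time.
        $row->commentText = JRequest::getString('commentText', '', 'default');
        $row->commentText = strip_tags($row->commentText);

        // Clean vars
        $filter = JFilterInput::getInstance();
        $row->userName = $filter->clean($row->userName, 'username');

        // Normalise the comment URL: only http/https/ftp host-like values are
        // kept, characters outside the URL alphabet are removed and a missing
        // scheme defaults to http://. Anything else is dropped.
        if ($row->commentURL && preg_match('/^((http|https|ftp):\\/\\/)?[a-z0-9]+([\\-\\.]{1}[a-z0-9]+)*\\.[a-z]{2,6}((:[0-9]{1,5})?\\/.*)?$/i', $row->commentURL)) {
            $url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $row->commentURL);
            $url = str_replace(';//', '://', $url);
            if ($url != '') {
                $url = !strstr($url, '://') ? 'http://' . $url : $url;
                // NOTE(review): with the replacement '&$1' this call is a no-op;
                // it looks like an ampersand-escaping step whose replacement
                // string was lost — confirm the intended replacement.
                $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
                $row->commentURL = $url;
            }
        } else {
            $row->commentURL = '';
        }

        $datenow = JFactory::getDate();
        $row->commentDate = K2_JVERSION == '15' ? $datenow->toMySQL() : $datenow->toSql();

        // Logged-in users always comment under their own account details
        if (!$user->guest) {
            $row->userID = $user->id;
            $row->commentEmail = $user->email;
            $row->userName = $user->name;
        }

        $userName = trim($row->userName);
        $commentEmail = trim($row->commentEmail);
        $commentText = trim($row->commentText);
        $commentURL = trim($row->commentURL);

        // Required fields; the form's placeholder texts count as empty
        if (empty($userName) || $userName == JText::_('K2_ENTER_YOUR_NAME')
            || empty($commentText) || $commentText == JText::_('K2_ENTER_YOUR_MESSAGE_HERE')
            || empty($commentEmail) || $commentEmail == JText::_('K2_ENTER_YOUR_EMAIL_ADDRESS')) {
            $response->message = JText::_('K2_YOU_NEED_TO_FILL_IN_ALL_REQUIRED_FIELDS');
            echo $json->encode($response);
            $mainframe->close();
        }

        if (!JMailHelper::isEmailAddress($commentEmail)) {
            $response->message = JText::_('K2_INVALID_EMAIL_ADDRESS');
            echo $json->encode($response);
            $mainframe->close();
        }

        // Guests may not use the name or e-mail address of a registered user
        if ($user->guest) {
            $db = JFactory::getDBO();
            $query = "SELECT COUNT(*) FROM #__users WHERE name=" . $db->Quote($userName) . " OR email=" . $db->Quote($commentEmail);
            $db->setQuery($query);
            $result = $db->loadResult();
            if ($result > 0) {
                $response->message = JText::_('K2_THE_NAME_OR_EMAIL_ADDRESS_YOU_TYPED_IS_ALREADY_IN_USE');
                echo $json->encode($response);
                $mainframe->close();
            }
        }

        // Google reCAPTCHA (applies to guests, and to registered users when configured)
        $antispam = $params->get('antispam');
        if ($antispam == 'recaptcha' || $antispam == 'both') {
            if ($user->guest || $params->get('recaptchaForRegistered', 1)) {
                if (!function_exists('_recaptcha_qsencode')) {
                    require_once JPATH_ADMINISTRATOR . DS . 'components' . DS . 'com_k2' . DS . 'lib' . DS . 'recaptchalib.php';
                }
                $privatekey = $params->get('recaptcha_private_key');
                $recaptcha_challenge_field = isset($_POST["recaptcha_challenge_field"]) ? $_POST["recaptcha_challenge_field"] : '';
                $recaptcha_response_field = isset($_POST["recaptcha_response_field"]) ? $_POST["recaptcha_response_field"] : '';
                $resp = recaptcha_check_answer($privatekey, $_SERVER["REMOTE_ADDR"], $recaptcha_challenge_field, $recaptcha_response_field);
                if (!$resp->is_valid) {
                    $response->message = JText::_('K2_THE_WORDS_YOU_TYPED_DID_NOT_MATCH_THE_ONES_DISPLAYED_PLEASE_TRY_AGAIN');
                    echo $json->encode($response);
                    $mainframe->close();
                }
            }
        }

        // Akismet (applies to guests, and to registered users when configured)
        if ($antispam == 'akismet' || $antispam == 'both') {
            if ($user->guest || $params->get('akismetForRegistered', 1)) {
                if ($params->get('akismetApiKey')) {
                    require_once JPATH_ADMINISTRATOR . DS . 'components' . DS . 'com_k2' . DS . 'lib' . DS . 'akismet.class.php';
                    $akismetApiKey = $params->get('akismetApiKey');
                    $akismet = new Akismet(JURI::root(false), $akismetApiKey);
                    $akismet->setCommentAuthor($userName);
                    $akismet->setCommentAuthorEmail($commentEmail);
                    $akismet->setCommentAuthorURL($commentURL);
                    $akismet->setCommentContent($commentText);
                    $akismet->setPermalink(JURI::root(false) . 'index.php?option=com_k2&view=item&id=' . JRequest::getInt('itemID'));
                    try {
                        if ($akismet->isCommentSpam()) {
                            $response->message = JText::_('K2_SPAM_ATTEMPT_HAS_BEEN_DETECTED_THE_COMMENT_HAS_BEEN_REJECTED');
                            echo $json->encode($response);
                            $mainframe->close();
                        }
                    } catch (Exception $e) {
                        // Akismet errors (e.g. service unreachable) are reported to the client as-is
                        $response->message = $e->getMessage();
                        echo $json->encode($response);
                        $mainframe->close();
                    }
                }
            }
        }

        // Final URL value: NULL when empty or still the placeholder; otherwise
        // add http:// only when none of the allowed schemes is present.
        if ($commentURL == JText::_('K2_ENTER_YOUR_SITE_URL') || $commentURL == "") {
            $row->commentURL = NULL;
        } else {
            // The old check only recognised "http://", so https:// and ftp://
            // URLs were stored as "http://https://..." / "http://ftp://...".
            if (!preg_match('#^(https?|ftp)://#i', $commentURL)) {
                $row->commentURL = 'http://' . $commentURL;
            }
        }

        // Publishing state: either auto-published globally, or only for
        // users with administrative permissions.
        if ($params->get('commentsPublishing')) {
            $row->published = 1;
        } else {
            $row->published = 0;
            // Auto publish comments for users with administrative permissions
            if (K2_JVERSION != '15') {
                if ($user->authorise('core.admin')) {
                    $row->published = 1;
                }
            } else {
                // Joomla 1.5: group ids above 23 are the administrative groups
                if ($user->gid > 23) {
                    $row->published = 1;
                }
            }
        }

        if (!$row->store()) {
            $response->message = $row->getError();
            echo $json->encode($response);
            $mainframe->close();
        }

        if ($row->published) {
            $caching = K2_JVERSION == '30' ? $config->get('caching') : $config->getValue('config.caching');
            if ($caching && $user->guest) {
                // With page caching on, a guest will not see the new comment until the cache expires
                $response->message = JText::_('K2_THANK_YOU_YOUR_COMMENT_WILL_BE_PUBLISHED_SHORTLY');
                echo $json->encode($response);
            } else {
                $response->message = JText::_('K2_COMMENT_ADDED_REFRESHING_PAGE');
                $response->refresh = 1;
                echo $json->encode($response);
            }
        } else {
            $response->message = JText::_('K2_COMMENT_ADDED_AND_WAITING_FOR_APPROVAL');
            echo $json->encode($response);
        }
    }

    // Reached only when the user may not comment: the request ends with an
    // empty body. NOTE(review): consider writing a JSON message here so the
    // client can tell "not allowed" apart from a transport failure.
    $mainframe->close();
}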