/**
 * Tests adding a new comment, testing HTML cleaning.
 *
 * Pins the HTML allowlist applied when a comment is created: anchors, <b> and
 * <i> elements and a stray '<' survive, while the <script> element itself is
 * removed and only its text content remains in the stored body.
 */
public function testHTMLCleaningAddComment()
{
    global $THEUSER;
    $THEUSER = new THEUSER();
    $THEUSER->init(1);

    $submitted_body = "This is a test comment, including http://theyworkforyou.com <a href=\"http://theyworkforyou.com\">links</a>, <b>bold</b>, <i>italics</i>, and stray < brackets to ensure they're not stripped.\n\nIt also includes <script>alert('malicious!');</script> script tags, to ensure they are stripped correctly.\n\nIt also spans multiple lines.";
    $expected_body = "This is a test comment, including http://theyworkforyou.com <a href=\"http://theyworkforyou.com\">links</a>, <b>bold</b>, <i>italics</i>, and stray < brackets to ensure they're not stripped.\n\nIt also includes alert('malicious!'); script tags, to ensure they are stripped correctly.\n\nIt also spans multiple lines.";

    $new_comment = new COMMENT();
    $comment_id = $new_comment->create(array(
        'epobject_id' => 1,
        'body' => $submitted_body,
        'gid' => '',
    ));

    // A correctly inserted comment returns an integer
    $this->assertInternalType('integer', $comment_id);

    // Re-read the comment from storage so the assertion covers what was actually saved.
    $stored_comment = new COMMENT($comment_id);
    $this->assertEquals($expected_body, $stored_comment->body());
}
/**
 * Echoes the "(Attached to ...)" line naming the entry a comment belongs to,
 * and, when {@link $show_folder} is set, the folder of that entry.
 *
 * Escaping of the entry and folder names is delegated to their title_as_link()
 * helpers; $type_info->singular_title is echoed as-is (presumably a fixed type
 * label rather than user text — confirm in type_info()).
 * @param COMMENT $obj
 */
protected function _echo_entry_info($obj)
{
    $folder = $obj->parent_folder();
    $entry = $obj->entry();
    $type_info = $entry->type_info();
    ?> <div class="detail"> (Attached to <?php
    echo $type_info->singular_title . ' ';
    echo $entry->title_as_link();
    // The folder link is optional; the renderer's show_folder flag controls it.
    if ($this->show_folder) {
        echo ' in ' . $folder->title_as_link();
    }
    ?> ) </div> <?php
}
/**
 * Outputs the comment as HTML.
 *
 * Renders an info box (icon, creator link, creation time and, if the comment was
 * modified, the modifier and modification time) followed by the comment text.
 * The creator/modifier links and the description are emitted by their own
 * *_as_link() / description_as_html() helpers, which are assumed to return
 * already-escaped HTML — nothing is escaped here.
 * @param COMMENT $obj
 * @access private
 */
protected function _display_as_html($obj)
{
    ?> <div class="info-box-top"> <?php
    $props = $obj->icon_properties();
    // Icon containers nest: the comment icon is opened first, then (optionally) the creator's.
    $this->context->start_icon_container($props->icon, Fifteen_px);
    $creator = $obj->creator();
    if ($creator->icon_url) {
        $this->context->start_icon_container($creator->icon_url, Sixteen_px);
    }
    ?> <?php echo $creator->title_as_link(); ?> – <?php
    echo $obj->time_created->format();
    if ($obj->modified()) {
        $modifier = $obj->modifier();
        ?> (updated by <?php echo $modifier->title_as_link(); ?> – <?php echo $obj->time_modified->format(); ?> ) <?php
    }
    ?> </div> <?php
    // Close the containers in reverse order of opening.
    if ($creator->icon_url) {
        $this->context->finish_icon_container();
    }
    $this->context->finish_icon_container();
    ?> <div class="text-flow"> <?php echo $obj->description_as_html(); ?> </div> <?php
}
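/**
 * Prepares a comment to be saved
 *
 * Strips tags from the commenter's name, URL ('userid') and email, flattens
 * newlines (and, for userid/email, quotes and backslashes), trims whitespace,
 * gives the URL an http:// scheme when it has none, and finally runs the body
 * through {@link COMMENT::prepareBody()}.
 *
 * @static
 * @param array $comment array with keys 'user', 'userid', 'email' and 'body'
 * @return array the same array with those four fields cleaned
 */
function prepare($comment)
{
    $comment['user'] = strip_tags($comment['user']);
    $comment['userid'] = strip_tags($comment['userid']);
    $comment['email'] = strip_tags($comment['email']);

    // remove newlines from user; remove quotes and newlines from userid and email; trim whitespace from beginning and end
    $comment['user'] = trim(strtr($comment['user'], "\n", ' '));
    // strtr() ignores characters beyond the length of the shorter of its two lists, so
    // the replacement list must be as long as the search list: backslash, single and
    // double quote become '-', the newline becomes a space. With the previous
    // three-character replacement the newline was silently ignored, so line breaks
    // survived inside userid and email — relevant because the email address is later
    // handed to the notification mail code.
    $comment['userid'] = trim(strtr($comment['userid'], "\\'\"\n", '--- '));
    $comment['email'] = trim(strtr($comment['email'], "\\'\"\n", '--- '));

    // begin if: a comment userid is supplied, but does not have an "http://" or "https://" at the beginning - prepend an "http://"
    // (the check is case-sensitive: an upper-case scheme also gets "http://" prepended)
    if (!empty($comment['userid']) && strpos($comment['userid'], 'http://') !== 0 && strpos($comment['userid'], 'https://') !== 0) {
        $comment['userid'] = 'http://' . $comment['userid'];
    } // end if

    $comment['body'] = COMMENT::prepareBody($comment['body']);

    return $comment;
}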
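/**
 * Shows the "delete this comment?" confirmation page for the comment named by
 * the 'commentid' request variable.
 *
 * The member must be allowed to alter the comment ($member->canAlterComment()),
 * otherwise disallow() ends the request. The form posts 'commentdeleteconfirm'
 * together with the hidden ticket added by $manager->addTicketHidden().
 * Both the preview of the body and the author name are HTML-escaped before
 * being echoed.
 */
function action_commentdelete()
{
    global $member, $manager;

    $commentid = intRequestVar('commentid');
    $member->canAlterComment($commentid) or $this->disallow();

    $comment = COMMENT::getComment($commentid);

    // Preview only: drop tags, shorten, then escape for the HTML context.
    $body = strip_tags($comment['body']);
    $body = htmlspecialchars(shorten($body, 300, '...'));

    // 'member' is set when a member posted the comment, otherwise the typed-in name is shown
    // (what exactly getComment() returns in 'member' is not visible here — presumably the member name).
    if ($comment['member']) {
        $author = $comment['member'];
    } else {
        $author = $comment['user'];
    }
    // Both values originate from user input; escape them like the body rather than echoing raw.
    $author = htmlspecialchars($author);

    $this->pagehead();
    ?> <h2><?php echo _DELETE_CONFIRM; ?> </h2> <p><?php echo _CONFIRMTXT_COMMENT; ?> </p> <div class="note"> <b><?php echo _EDITC_WHO; ?> :</b> <?php echo $author; ?> <br /> <b><?php echo _EDITC_TEXT; ?> :</b> <?php echo $body; ?> </div> <form method="post" action="index.php"><div> <input type="hidden" name="action" value="commentdeleteconfirm" /> <?php $manager->addTicketHidden(); ?> <input type="hidden" name="commentid" value="<?php echo $commentid; ?> " /> <input type="submit" tabindex="10" value="<?php echo _DELETE_CONFIRM_BTN; ?> " /> </div></form> <?php
    $this->pagefoot();
}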
// where rid is a report_id and cid is a comment_id. include_once '../../includes/easyparliament/init.php'; include_once INCLUDESPATH . "easyparliament/commentreport.php"; $this_page = "admin_commentreport"; $PAGE->page_start(); $PAGE->stripe_start(); $menu = $PAGE->admin_menu(); ////////////////////////////////////////////////////////////////////////////////// // Set up the variables and objects we'll need on this page. $report_id = get_http_var('rid'); $comment_id = get_http_var('cid'); if (!is_numeric($report_id) || !is_numeric($comment_id)) { // Exit. trigger_error("We need valid comment and report IDs.", E_USER_ERROR); } $COMMENT = new COMMENT($comment_id); if ($COMMENT->exists() == false) { // Exit. trigger_error("This is an invalid comment ID", E_USER_ERROR); } $REPORT = new COMMENTREPORT($report_id); $FORMURL = new URL($this_page); ////////////////////////////////////////////////////////////////////////////////// // Check that the user is allowed to take action, and this report isn't locked. if ($REPORT->locked() && $REPORT->lockedby() != $THEUSER->user_id()) { print "<p><strong>Someone else was examining this report at " . $REPORT->locked() . " so you can only look at it, not take any action. You could try again in a few minutes.</strong></p>\n"; $COMMENT->display(); $REPORT->display(); $PAGE->stripe_end(array(array('type' => 'html', 'content' => $menu))); $PAGE->page_end(); exit;
/**
 * Adds a new comment to the database
 *
 * Applies the blog's comment policy (comments enabled, public or logged in,
 * protected member names, required email, length limits), runs the plugin
 * spam check and isValidComment(), optionally sends a notification mail, and
 * inserts the row unless an identical comment already exists for this item.
 *
 * @param string $timestamp comment time; formatted with date() before insertion
 * @param array $comment keys read here: 'user', 'userid' (the commenter's URL),
 *                       'email', 'body', 'itemid'
 * @return mixed TRUE on success, otherwise an _ERROR_* message constant or the
 *               message returned by isValidComment()
 */
function addComment($timestamp, $comment)
{
    global $CONF, $member, $manager;

    $blogid = getBlogIDFromItemID($this->itemid);
    $settings =& $manager->getBlog($blogid);
    $settings->readSettings();

    // begin if: comments disabled
    if (!$settings->commentsEnabled()) {
        return _ERROR_COMMENTS_DISABLED;
    } // end if

    // begin if: public cannot comment
    if (!$settings->isPublic() && !$member->isLoggedIn()) {
        return _ERROR_COMMENTS_NONPUBLIC;
    } // end if

    // begin if: comment uses a protected member name
    if ($CONF['ProtectMemNames'] && !$member->isLoggedIn() && MEMBER::isNameProtected($comment['user'])) {
        return _ERROR_COMMENTS_MEMBERNICK;
    } // end if

    // begin if: email required, but missing (doesn't apply to members)
    if ($settings->emailRequired() && strlen($comment['email']) == 0 && !$member->isLoggedIn()) {
        return _ERROR_EMAIL_REQUIRED;
    } // end if

    ## Note usage of mb_strlen() vs strlen() below ##

    // begin if: commenter's name is too long
    if (mb_strlen($comment['user']) > 40) {
        return _ERROR_USER_TOO_LONG;
    } // end if

    // begin if: commenter's email is too long
    if (mb_strlen($comment['email']) > 100) {
        return _ERROR_EMAIL_TOO_LONG;
    } // end if

    // begin if: commenter's url is too long
    if (mb_strlen($comment['userid']) > 100) {
        return _ERROR_URL_TOO_LONG;
    } // end if

    $comment['timestamp'] = $timestamp;
    // Reverse DNS lookup per comment: blocks on the resolver, and the returned name is
    // remote-controlled text (it is SQL-escaped below, but not otherwise validated).
    $comment['host'] = gethostbyaddr(serverVar('REMOTE_ADDR'));
    $comment['ip'] = serverVar('REMOTE_ADDR');

    // begin if: member is logged in, use that data
    if ($member->isLoggedIn()) {
        $comment['memberid'] = $member->getID();
        $comment['user'] = '';
        $comment['userid'] = '';
        $comment['email'] = '';
    } else {
        $comment['memberid'] = 0;
    }

    // spam check
    // $continue becomes TRUE when any plugin subscribed to the form/comment events
    // supports 'handleSpam'; a positive spam result is then left to those plugins
    // instead of being rejected here.
    $continue = FALSE;
    $plugins = array();
    if (isset($manager->subscriptions['ValidateForm'])) {
        $plugins = array_merge($plugins, $manager->subscriptions['ValidateForm']);
    }
    if (isset($manager->subscriptions['PreAddComment'])) {
        $plugins = array_merge($plugins, $manager->subscriptions['PreAddComment']);
    }
    if (isset($manager->subscriptions['PostAddComment'])) {
        $plugins = array_merge($plugins, $manager->subscriptions['PostAddComment']);
    }
    $plugins = array_unique($plugins);
    while (list(, $plugin) = each($plugins)) {
        $p = $manager->getPlugin($plugin);
        $continue = $continue || $p->supportsFeature('handleSpam');
    }

    $spamcheck = array('type' => 'comment', 'body' => $comment['body'], 'id' => $comment['itemid'], 'live' => TRUE, 'return' => $continue);

    // begin if: member logged in
    if ($member->isLoggedIn()) {
        $spamcheck['author'] = $member->displayname;
        $spamcheck['email'] = $member->email;
    } else {
        $spamcheck['author'] = $comment['user'];
        $spamcheck['email'] = $comment['email'];
        $spamcheck['url'] = $comment['userid'];
    } // end if

    $manager->notify('SpamCheck', array('spamcheck' => &$spamcheck));

    // Loose comparison: any truthy 'result' set by a plugin counts as spam.
    if (!$continue && isset($spamcheck['result']) && $spamcheck['result'] == TRUE) {
        return _ERROR_COMMENTS_SPAM;
    }

    // isValidComment returns either "1" or an error message
    $isvalid = $this->isValidComment($comment, $spamcheck);
    if ($isvalid != 1) {
        return $isvalid;
    }

    // begin if: send email to notification address
    // NOTE(review): the mail is assembled from $comment before COMMENT::prepare() runs
    // further down, so user, userid and body go out as submitted (tags and line breaks intact).
    if ($settings->getNotifyAddress() && $settings->notifyOnComment()) {
        $mailto_msg = _NOTIFY_NC_MSG . ' ' . $this->itemid . "\n";
        // $mailto_msg .= $CONF['IndexURL'] . 'index.php?itemid=' . $this->itemid . "\n\n";
        // With an absolute $CONF['Self'] the canonical item link is used; otherwise one is
        // built from the blog URL, appending '?itemid=' directly after a '/' or '.php'.
        $temp = parse_url($CONF['Self']);
        if ($temp['scheme']) {
            $mailto_msg .= createItemLink($this->itemid) . "\n\n";
        } else {
            $tempurl = $settings->getURL();
            if (substr($tempurl, -1) == '/' || substr($tempurl, -4) == '.php') {
                $mailto_msg .= $tempurl . '?itemid=' . $this->itemid . "\n\n";
            } else {
                $mailto_msg .= $tempurl . '/?itemid=' . $this->itemid . "\n\n";
            }
        }
        if ($comment['memberid'] == 0) {
            $mailto_msg .= _NOTIFY_USER . ' ' . $comment['user'] . "\n";
            $mailto_msg .= _NOTIFY_USERID . ' ' . $comment['userid'] . "\n";
        } else {
            $mailto_msg .= _NOTIFY_MEMBER . ' ' . $member->getDisplayName() . ' (ID=' . $member->getID() . ")\n";
        }
        $mailto_msg .= _NOTIFY_HOST . ' ' . $comment['host'] . "\n";
        $mailto_msg .= _NOTIFY_COMMENT . "\n " . $comment['body'] . "\n";
        $mailto_msg .= getMailFooter();

        $item =& $manager->getItem($this->itemid, 0, 0);
        $mailto_title = _NOTIFY_NC_TITLE . ' ' . strip_tags($item['title']) . ' (' . $this->itemid . ')';

        // The commenter-supplied address is offered as the From address; what
        // getNotifyFromMailAddress() does to validate it is not visible here.
        $frommail = $member->getNotifyFromMailAddress($comment['email']);

        $notify =& new NOTIFICATION($settings->getNotifyAddress());
        $notify->notify($mailto_title, $mailto_msg, $frommail);
    }

    $comment = COMMENT::prepare($comment);

    $manager->notify('PreAddComment', array('comment' => &$comment, 'spamcheck' => &$spamcheck));

    // String values are escaped for the SQL string context; memberid is cast to int.
    // $itemid and $blogid are interpolated as-is (they come from $this and the DB, not the request).
    $name = sql_real_escape_string($comment['user']);
    $url = sql_real_escape_string($comment['userid']);
    $email = sql_real_escape_string($comment['email']);
    $body = sql_real_escape_string($comment['body']);
    $host = sql_real_escape_string($comment['host']);
    $ip = sql_real_escape_string($comment['ip']);
    $memberid = intval($comment['memberid']);
    $timestamp = date('Y-m-d H:i:s', $comment['timestamp']);
    $itemid = $this->itemid;

    // Duplicate check on URL, member, body, item and blog.
    // Column naming: cmail holds the commenter's URL, cemail the email address (see the INSERT below).
    $qSql = 'SELECT COUNT(*) AS result ' . 'FROM ' . sql_table('comment') . ' WHERE ' . 'cmail = "' . $url . '"' . ' AND cmember = "' . $memberid . '"' . ' AND cbody = "' . $body . '"' . ' AND citem = "' . $itemid . '"' . ' AND cblog = "' . $blogid . '"';
    $result = (int) quickQuery($qSql);
    if ($result > 0) {
        return _ERROR_BADACTION;
    }

    $query = 'INSERT INTO ' . sql_table('comment') . ' (CUSER, CMAIL, CEMAIL, CMEMBER, CBODY, CITEM, CTIME, CHOST, CIP, CBLOG) ' . "VALUES ('{$name}', '{$url}', '{$email}', {$memberid}, '{$body}', {$itemid}, '{$timestamp}', '{$host}', '{$ip}', '{$blogid}')";
    sql_query($query);

    // post add comment
    $commentid = sql_insert_id();
    $manager->notify('PostAddComment', array('comment' => &$comment, 'commentid' => &$commentid, 'spamcheck' => &$spamcheck));

    // succeeded !
    return TRUE;
}
<?php include_once "../../includes/easyparliament/init.php"; $this_page = "addcomment"; // For previewing and adding a comment. // We should have post args of 'body' and 'epobject_id'. if (get_http_var("submitcomment") != '') { // We're submitting a comment. $data = array('epobject_id' => get_http_var('epobject_id'), 'body' => get_http_var('body')); $COMMENT = new COMMENT(); $success = $COMMENT->create($data); if ($success) { // $success will be the last_insert_id(). // Redirect user to the location of their new comment. // 'return_page' will be something like 'debate', so we know what page // to return to. $URL = new URL(get_http_var('return_page')); // That c=blah we're putting on the URL does nothing on the page, // BUT it makes picky browsers like Opera think it's a whole new page // so it reloads it, rather than being clever and thinking no refresh // is required. $URL->insert(array('id' => get_http_var('gid'), 'c' => $success)); header("Location: http://" . DOMAIN . $URL->generate('none') . "#c" . $success); exit; } else { // Else, $COMMENT will have printed an error message. $PAGE->page_end(); } } else { // We're previewing a comment. $PAGE->page_start();
<?php // For when a user reports a comment. $this_page = "commentreport"; include_once "../../includes/easyparliament/init.php"; include_once INCLUDESPATH . "easyparliament/commentreport.php"; $PAGE->page_start(); $PAGE->stripe_start(); if (is_numeric(get_http_var('id'))) { // We have the id of a comment to report. $comment_id = get_http_var('id'); $COMMENT = new COMMENT($comment_id); if ($COMMENT->exists() == false || !$COMMENT->visible()) { // This comment id didn't exist in the DB. trigger_error("There is no comment with an ID of '" . htmlentities($comment_id) . "'.", E_USER_NOTICE); } // OK, we've got a valid comment ID. if (get_http_var('submitted') == true) { // The form has been submitted. $errors = array(); if (get_http_var('body') == '') { $errors['body'] = "Please enter a reason why you think this comment is not appropriate."; } if (preg_match('#http://|\\[url#', get_http_var('body'))) { $errors['body'] = 'Please do not give any web links in the report body.'; } if (!$THEUSER->isloggedin()) { if (get_http_var('firstname') == '' || get_http_var('lastname') == '') { $errors['name'] = "Please let us know who you are!"; } if (get_http_var('em') == '') {
/**
 * Called from {@link _prepare_object()}.
 *
 * Stores the given entry on the comment through set_entry().
 * @param COMMENT $obj
 * @param ENTRY $entry
 * @access private
 */
protected function _attach_entry_to_object($obj, $entry)
{
    $comment = $obj;
    $comment->set_entry($entry);
}
/**
 * Returns the replies nested under a comment, as reported by sub_comments().
 * @return COMMENT[]
 * @param COMMENT $obj
 * @access private
 */
protected function _obj_sub_objects($obj)
{
    $replies = $obj->sub_comments();
    return $replies;
}
/**
 * Renders the subscription controls that apply to a comment.
 *
 * Order is significant: the parent folder, the entry, the comment itself and
 * finally the comment's creator.
 * @param COMMENT $obj
 * @param SUBSCRIBER $subscriber
 * @param integer[] $kinds subscription kinds already held; tested with in_array()
 * @param OBJECT_RENDERER_OPTIONS $options not used by this renderer
 */
protected function _display($obj, $subscriber, $kinds, $options)
{
    // accessor on $obj ('' means the comment itself), page, kind constant,
    // fifth show_subscription() argument (meaning not visible here), label
    $subscription_targets = array(
        array('parent_folder', 'subscribe_to_folder.php', Subscribe_folder, true, ''),
        array('entry', 'subscribe_to_entry.php', Subscribe_entry, true, ''),
        array('', 'subscribe_to_comment.php', Subscribe_comment, false, ''),
        array('creator', 'subscribe_to_user.php', Subscribe_user, true, 'creator'),
    );

    foreach ($subscription_targets as $spec) {
        list($accessor, $page, $kind, $flag, $label) = $spec;
        // Resolve the target lazily so accessor calls keep their original order relative to output.
        $target = ($accessor === '') ? $obj : $obj->$accessor();
        $this->show_subscription($subscriber, $target, $page, in_array($kind, $kinds), $flag, $label);
    }
}