コード例 #1
ファイル: CommentTest.php プロジェクト: udp12/theyworkforyou
 /**
  * Creating a comment must keep ordinary markup (links, bold, italics) and turn a stray
  * "<" into "&lt;", while <script> tags are removed; the stored body is compared against
  * exactly that expectation.
  */
 public function testHTMLCleaningAddComment()
 {
     global $THEUSER;
     $THEUSER = new THEUSER();
     $THEUSER->init(1);

     $submitted_body = "This is a test comment, including http://theyworkforyou.com <a href=\"http://theyworkforyou.com\">links</a>, <b>bold</b>, <i>italics</i>, and stray < brackets to ensure they're not stripped.\n\nIt also includes <script>alert('malicious!');</script> script tags, to ensure they are stripped correctly.\n\nIt also spans multiple lines.";
     $expected_body = "This is a test comment, including http://theyworkforyou.com <a href=\"http://theyworkforyou.com\">links</a>, <b>bold</b>, <i>italics</i>, and stray &lt; brackets to ensure they're not stripped.\n\nIt also includes alert('malicious!'); script tags, to ensure they are stripped correctly.\n\nIt also spans multiple lines.";

     $new_comment = new COMMENT();
     $comment_id = $new_comment->create(array('epobject_id' => 1, 'body' => $submitted_body, 'gid' => ''));
     // A correctly inserted comment returns an integer (the new row id)
     $this->assertInternalType('integer', $comment_id);

     // Re-read the comment from storage and check the cleaned body.
     $stored_comment = new COMMENT($comment_id);
     $this->assertEquals($expected_body, $stored_comment->body());
 }
コード例 #2
    /**
     * Emits the "(Attached to <type> <entry> [in <folder>])" detail line for a comment.
     * The folder part is only shown when {@link $show_folder} is set.
     * @param COMMENT $obj
     */
    protected function _echo_entry_info($obj)
    {
        $folder = $obj->parent_folder();
        $entry = $obj->entry();
        // Build the whole label first, then emit it in one go inside the markup below.
        $attached_to = $entry->type_info()->singular_title . ' ' . $entry->title_as_link();
        if ($this->show_folder) {
            $attached_to .= ' in ' . $folder->title_as_link();
        }
        ?>
      <div class="detail">
        (Attached to <?php echo $attached_to; ?>
)
      </div>
    <?php 
    }
コード例 #3
    /**
     * Outputs the comment as HTML: an "info-box-top" div holding the comment-type icon,
     * the creator's icon (when the creator has one), the creator link and creation time,
     * plus an "(updated by ...)" clause when the comment was modified, followed by the
     * comment description in a "text-flow" div.
     * The markup between the PHP tags is emitted verbatim, whitespace included.
     * @param COMMENT $obj
     * @access private
     */
    protected function _display_as_html($obj)
    {
        ?>
    <div class="info-box-top">
      <?php 
        // Open the comment-type icon container, then the creator's own icon container
        // when one exists; both are closed again below in reverse order.
        $props = $obj->icon_properties();
        $this->context->start_icon_container($props->icon, Fifteen_px);
        $creator = $obj->creator();
        if ($creator->icon_url) {
            $this->context->start_icon_container($creator->icon_url, Sixteen_px);
        }
        ?>
      <?php 
        echo $creator->title_as_link();
        ?>
 &ndash; <?php 
        echo $obj->time_created->format();
        // Only comments modified after creation get the "(updated by ...)" clause.
        if ($obj->modified()) {
            $modifier = $obj->modifier();
            ?>
        (updated by <?php 
            echo $modifier->title_as_link();
            ?>
 &ndash; <?php 
            echo $obj->time_modified->format();
            ?>
)
      <?php 
        }
        ?>
    </div>
    <?php 
        // Close the icon containers in the opposite order to the one they were opened in.
        if ($creator->icon_url) {
            $this->context->finish_icon_container();
        }
        $this->context->finish_icon_container();
        ?>
    <div class="text-flow">
<?php 
        // Emitted without further escaping: assumes description_as_html() returns
        // already-rendered, safe HTML — verify in COMMENT.
        echo $obj->description_as_html();
        ?>
    </div>
<?php 
    }
コード例 #4
ファイル: COMMENT.php プロジェクト: hatone/Nucleus-v3.64
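 /**
  * Prepares a comment to be saved.
  *
  * Strips tags from the author fields ('user', 'userid', 'email'), turns newlines into
  * spaces, replaces backslashes and quotes in the userid/email with '-' or ' ', trims the
  * results, prefixes a bare userid (homepage URL) with "http://" and runs the body
  * through COMMENT::prepareBody().
  *
  * @static
  * @param array $comment comment fields ('user', 'userid', 'email', 'body'); missing
  *                       fields are treated as empty strings
  * @return array the cleaned comment
  */
 function prepare($comment)
 {
     foreach (array('user', 'userid', 'email') as $field) {
         // strip_tags() on a missing field would only raise a notice and yield '',
         // so default it explicitly instead.
         $comment[$field] = isset($comment[$field]) ? strip_tags($comment[$field]) : '';
     }
     // remove newlines from user; trim whitespace from beginning and end
     $comment['user'] = trim(strtr($comment['user'], "\n", ' '));
     // remove quotes and newlines from userid and email. The array form of strtr() is used
     // on purpose: the two-string form silently ignores the extra characters of the longer
     // string, which left newlines untouched when the "to" string was shorter than "from".
     $quotes_and_newlines = array(
         "\\" => '-',
         "'" => '-',
         '"' => ' ',
         "\r" => ' ',
         "\n" => ' ',
     );
     $comment['userid'] = trim(strtr($comment['userid'], $quotes_and_newlines));
     $comment['email'] = trim(strtr($comment['email'], $quotes_and_newlines));
     // a userid without an "http://" or "https://" scheme gets "http://" prepended; the
     // scheme check is case-insensitive so "HTTP://..." is not prefixed a second time
     if ($comment['userid'] !== '' && !preg_match('#^https?://#i', $comment['userid'])) {
         $comment['userid'] = 'http://' . $comment['userid'];
     }
     $comment['body'] = COMMENT::prepareBody(isset($comment['body']) ? $comment['body'] : '');
     return $comment;
 }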
コード例 #5
ファイル: ADMIN.php プロジェクト: hatone/Nucleus-v3.64
    /**
     * Shows the "delete this comment?" confirmation page for the comment given by the
     * 'commentid' request variable. The page displays the author and a shortened,
     * tag-stripped preview of the body, and posts back to 'commentdeleteconfirm'.
     * Access is refused via disallow() when the current member may not alter the comment.
     */
    function action_commentdelete()
    {
        global $member, $manager;
        $commentid = intRequestVar('commentid');
        $member->canAlterComment($commentid) or $this->disallow();
        $comment = COMMENT::getComment($commentid);
        // Preview only: tags removed, cut to 300 chars, then HTML-escaped for output.
        $body = strip_tags($comment['body']);
        $body = htmlspecialchars(shorten($body, 300, '...'));
        // Member name when the comment was posted by a member, else the free-text user name.
        // NOTE(review): $author is echoed below without htmlspecialchars(), unlike $body — confirm
        // both sources are already safe for an HTML context.
        if ($comment['member']) {
            $author = $comment['member'];
        } else {
            $author = $comment['user'];
        }
        $this->pagehead();
        ?>

			<h2><?php 
        echo _DELETE_CONFIRM;
        ?>
</h2>

			<p><?php 
        echo _CONFIRMTXT_COMMENT;
        ?>
</p>

			<div class="note">
			<b><?php 
        echo _EDITC_WHO;
        ?>
:</b> <?php 
        echo $author;
        ?>
			<br />
			<b><?php 
        echo _EDITC_TEXT;
        ?>
:</b> <?php 
        echo $body;
        ?>
			</div>

			<form method="post" action="index.php"><div>
				<input type="hidden" name="action" value="commentdeleteconfirm" />
				<?php 
        // Presumably the anti-CSRF ticket for the confirm action — verify in MANAGER.
        $manager->addTicketHidden();
        ?>
				<input type="hidden" name="commentid" value="<?php 
        // $commentid comes from intRequestVar(), so it is expected to be an integer here.
        echo $commentid;
        ?>
" />
				<input type="submit" tabindex="10" value="<?php 
        echo _DELETE_CONFIRM_BTN;
        ?>
" />
			</div></form>
		<?php 
        $this->pagefoot();
    }
コード例 #6
ファイル: report.php プロジェクト: udp12/theyworkforyou
// where rid is a report_id and cid is a comment_id.
include_once '../../includes/easyparliament/init.php';
include_once INCLUDESPATH . 'easyparliament/commentreport.php';
$this_page = 'admin_commentreport';
$PAGE->page_start();
$PAGE->stripe_start();
$menu = $PAGE->admin_menu();
//////////////////////////////////////////////////////////////////////////////////
// Set up the variables and objects we'll need on this page.
$report_id = get_http_var('rid');
$comment_id = get_http_var('cid');
// Both IDs arrive from the request; anything non-numeric ends the page with a fatal error.
if (!(is_numeric($report_id) && is_numeric($comment_id))) {
    trigger_error("We need valid comment and report IDs.", E_USER_ERROR);
}
$COMMENT = new COMMENT($comment_id);
// Same for a numeric ID that matches no stored comment.
if (!$COMMENT->exists()) {
    trigger_error("This is an invalid comment ID", E_USER_ERROR);
}
$REPORT = new COMMENTREPORT($report_id);
$FORMURL = new URL($this_page);
//////////////////////////////////////////////////////////////////////////////////
// Check that the user is allowed to take action, and this report isn't locked.
if ($REPORT->locked() && $REPORT->lockedby() != $THEUSER->user_id()) {
    print "<p><strong>Someone else was examining this report at " . $REPORT->locked() . " so you can only look at it, not take any action. You could try again in a few minutes.</strong></p>\n";
    $COMMENT->display();
    $REPORT->display();
    $PAGE->stripe_end(array(array('type' => 'html', 'content' => $menu)));
    $PAGE->page_end();
    exit;
コード例 #7
ファイル: COMMENTS.php プロジェクト: hatone/Nucleus-v3.64
 /**
  * Adds a new comment to the database.
  *
  * Runs the blog-level checks (comments enabled, public access, protected member names,
  * required email, field lengths), fills in host/ip/member data, lets plugins do a spam
  * check, validates the comment, optionally mails the notification address, then
  * prepares the comment and inserts it unless an identical comment already exists.
  * Plugins are notified via 'PreAddComment' and 'PostAddComment'.
  *
  * @param string $timestamp
  * @param array $comment expected to carry 'user', 'userid', 'email', 'body' and
  *                       (for the spam check) 'itemid' — this method does not set 'itemid'
  * @return mixed TRUE on success, otherwise one of the _ERROR_* message constants
  */
 function addComment($timestamp, $comment)
 {
     global $CONF, $member, $manager;
     $blogid = getBlogIDFromItemID($this->itemid);
     $settings =& $manager->getBlog($blogid);
     $settings->readSettings();
     // begin if: comments disabled
     if (!$settings->commentsEnabled()) {
         return _ERROR_COMMENTS_DISABLED;
     }
     // end if
     // begin if: public cannot comment
     if (!$settings->isPublic() && !$member->isLoggedIn()) {
         return _ERROR_COMMENTS_NONPUBLIC;
     }
     // end if
     // begin if: comment uses a protected member name
     if ($CONF['ProtectMemNames'] && !$member->isLoggedIn() && MEMBER::isNameProtected($comment['user'])) {
         return _ERROR_COMMENTS_MEMBERNICK;
     }
     // end if
     // begin if: email required, but missing (doesn't apply to members)
     if ($settings->emailRequired() && strlen($comment['email']) == 0 && !$member->isLoggedIn()) {
         return _ERROR_EMAIL_REQUIRED;
     }
     // end if
     ## Note usage of mb_strlen() vs strlen() below ##
     // begin if: commenter's name is too long
     if (mb_strlen($comment['user']) > 40) {
         return _ERROR_USER_TOO_LONG;
     }
     // end if
     // begin if: commenter's email is too long
     if (mb_strlen($comment['email']) > 100) {
         return _ERROR_EMAIL_TOO_LONG;
     }
     // end if
     // begin if: commenter's url is too long
     if (mb_strlen($comment['userid']) > 100) {
         return _ERROR_URL_TOO_LONG;
     }
     // end if
     $comment['timestamp'] = $timestamp;
     // Reverse DNS lookup on every comment; this blocks until the resolver answers.
     $comment['host'] = gethostbyaddr(serverVar('REMOTE_ADDR'));
     $comment['ip'] = serverVar('REMOTE_ADDR');
     // begin if: member is logged in, use that data
     if ($member->isLoggedIn()) {
         $comment['memberid'] = $member->getID();
         $comment['user'] = '';
         $comment['userid'] = '';
         $comment['email'] = '';
     } else {
         $comment['memberid'] = 0;
     }
     // spam check
     // $continue becomes TRUE when any subscribed plugin supports 'handleSpam', in which
     // case a positive spam result does not reject the comment here (the plugin handles it).
     $continue = FALSE;
     $plugins = array();
     if (isset($manager->subscriptions['ValidateForm'])) {
         $plugins = array_merge($plugins, $manager->subscriptions['ValidateForm']);
     }
     if (isset($manager->subscriptions['PreAddComment'])) {
         $plugins = array_merge($plugins, $manager->subscriptions['PreAddComment']);
     }
     if (isset($manager->subscriptions['PostAddComment'])) {
         $plugins = array_merge($plugins, $manager->subscriptions['PostAddComment']);
     }
     $plugins = array_unique($plugins);
     // each() was removed in PHP 8; this loop needs a foreach() before running there.
     while (list(, $plugin) = each($plugins)) {
         $p = $manager->getPlugin($plugin);
         $continue = $continue || $p->supportsFeature('handleSpam');
     }
     $spamcheck = array('type' => 'comment', 'body' => $comment['body'], 'id' => $comment['itemid'], 'live' => TRUE, 'return' => $continue);
     // begin if: member logged in
     if ($member->isLoggedIn()) {
         $spamcheck['author'] = $member->displayname;
         $spamcheck['email'] = $member->email;
     } else {
         $spamcheck['author'] = $comment['user'];
         $spamcheck['email'] = $comment['email'];
         $spamcheck['url'] = $comment['userid'];
     }
     // end if
     $manager->notify('SpamCheck', array('spamcheck' => &$spamcheck));
     if (!$continue && isset($spamcheck['result']) && $spamcheck['result'] == TRUE) {
         return _ERROR_COMMENTS_SPAM;
     }
     // isValidComment returns either "1" or an error message
     $isvalid = $this->isValidComment($comment, $spamcheck);
     if ($isvalid != 1) {
         return $isvalid;
     }
     // begin if: send email to notification address
     // NOTE(review): the mail is built from the raw 'user', 'userid' and 'body' fields;
     // COMMENT::prepare() only cleans them further down, after this block.
     if ($settings->getNotifyAddress() && $settings->notifyOnComment()) {
         $mailto_msg = _NOTIFY_NC_MSG . ' ' . $this->itemid . "\n";
         //			$mailto_msg .= $CONF['IndexURL'] . 'index.php?itemid=' . $this->itemid . "\n\n";
         $temp = parse_url($CONF['Self']);
         // Absolute 'Self' URL: use the canonical item link; otherwise build one from the blog URL.
         if ($temp['scheme']) {
             $mailto_msg .= createItemLink($this->itemid) . "\n\n";
         } else {
             $tempurl = $settings->getURL();
             if (substr($tempurl, -1) == '/' || substr($tempurl, -4) == '.php') {
                 $mailto_msg .= $tempurl . '?itemid=' . $this->itemid . "\n\n";
             } else {
                 $mailto_msg .= $tempurl . '/?itemid=' . $this->itemid . "\n\n";
             }
         }
         if ($comment['memberid'] == 0) {
             $mailto_msg .= _NOTIFY_USER . ' ' . $comment['user'] . "\n";
             $mailto_msg .= _NOTIFY_USERID . ' ' . $comment['userid'] . "\n";
         } else {
             $mailto_msg .= _NOTIFY_MEMBER . ' ' . $member->getDisplayName() . ' (ID=' . $member->getID() . ")\n";
         }
         $mailto_msg .= _NOTIFY_HOST . ' ' . $comment['host'] . "\n";
         $mailto_msg .= _NOTIFY_COMMENT . "\n " . $comment['body'] . "\n";
         $mailto_msg .= getMailFooter();
         $item =& $manager->getItem($this->itemid, 0, 0);
         $mailto_title = _NOTIFY_NC_TITLE . ' ' . strip_tags($item['title']) . ' (' . $this->itemid . ')';
         $frommail = $member->getNotifyFromMailAddress($comment['email']);
         // Assigning the result of new by reference was removed in PHP 7.
         $notify =& new NOTIFICATION($settings->getNotifyAddress());
         $notify->notify($mailto_title, $mailto_msg, $frommail);
     }
     $comment = COMMENT::prepare($comment);
     $manager->notify('PreAddComment', array('comment' => &$comment, 'spamcheck' => &$spamcheck));
     // The queries below are built by string concatenation: every user-supplied value is
     // passed through sql_real_escape_string() first, memberid is cast to int. $itemid and
     // $blogid are interpolated as-is and are assumed to be integers — verify their sources.
     $name = sql_real_escape_string($comment['user']);
     $url = sql_real_escape_string($comment['userid']);
     $email = sql_real_escape_string($comment['email']);
     $body = sql_real_escape_string($comment['body']);
     $host = sql_real_escape_string($comment['host']);
     $ip = sql_real_escape_string($comment['ip']);
     $memberid = intval($comment['memberid']);
     $timestamp = date('Y-m-d H:i:s', $comment['timestamp']);
     $itemid = $this->itemid;
     // Duplicate check: same url (stored in CMAIL), member, body, item and blog.
     $qSql = 'SELECT COUNT(*) AS result ' . 'FROM ' . sql_table('comment') . ' WHERE ' . 'cmail   = "' . $url . '"' . ' AND cmember = "' . $memberid . '"' . ' AND cbody   = "' . $body . '"' . ' AND citem   = "' . $itemid . '"' . ' AND cblog   = "' . $blogid . '"';
     $result = (int) quickQuery($qSql);
     if ($result > 0) {
         return _ERROR_BADACTION;
     }
     $query = 'INSERT INTO ' . sql_table('comment') . ' (CUSER, CMAIL, CEMAIL, CMEMBER, CBODY, CITEM, CTIME, CHOST, CIP, CBLOG) ' . "VALUES ('{$name}', '{$url}', '{$email}', {$memberid}, '{$body}', {$itemid}, '{$timestamp}', '{$host}', '{$ip}', '{$blogid}')";
     sql_query($query);
     // post add comment
     $commentid = sql_insert_id();
     $manager->notify('PostAddComment', array('comment' => &$comment, 'commentid' => &$commentid, 'spamcheck' => &$spamcheck));
     // succeeded !
     return TRUE;
 }
コード例 #8
ファイル: index.php プロジェクト: palfrey/twfy
<?php

include_once '../../includes/easyparliament/init.php';
// Page identifier used by the shared page machinery.
$this_page = 'addcomment';
// For previewing and adding a comment.
// We should have post args of 'body' and 'epobject_id'.
if (get_http_var("submitcomment") != '') {
    // We're submitting a comment.
    $data = array('epobject_id' => get_http_var('epobject_id'), 'body' => get_http_var('body'));
    $COMMENT = new COMMENT();
    $success = $COMMENT->create($data);
    if ($success) {
        // $success will be the last_insert_id().
        // Redirect user to the location of their new comment.
        // 'return_page' will be something like 'debate', so we know what page
        // to return to.
        $URL = new URL(get_http_var('return_page'));
        // That c=blah we're putting on the URL does nothing on the page,
        // BUT it makes picky browsers like Opera think it's a whole new page
        // so it reloads it, rather than being clever and thinking no refresh
        // is required.
        $URL->insert(array('id' => get_http_var('gid'), 'c' => $success));
        header("Location: http://" . DOMAIN . $URL->generate('none') . "#c" . $success);
        exit;
    } else {
        // Else, $COMMENT will have printed an error message.
        $PAGE->page_end();
    }
} else {
    // We're previewing a comment.
    $PAGE->page_start();
コード例 #9
ファイル: index.php プロジェクト: leowmjw/twfy
<?php

// For when a user reports a comment.
$this_page = 'commentreport';
include_once '../../includes/easyparliament/init.php';
include_once INCLUDESPATH . 'easyparliament/commentreport.php';
// Emit the page header and open the content stripe before any form handling.
$PAGE->page_start();
$PAGE->stripe_start();
if (is_numeric(get_http_var('id'))) {
    // We have the id of a comment to report.
    $comment_id = get_http_var('id');
    $COMMENT = new COMMENT($comment_id);
    if ($COMMENT->exists() == false || !$COMMENT->visible()) {
        // This comment id didn't exist in the DB.
        trigger_error("There is no comment with an ID of '" . htmlentities($comment_id) . "'.", E_USER_NOTICE);
    }
    // OK, we've got a valid comment ID.
    if (get_http_var('submitted') == true) {
        // The form has been submitted.
        $errors = array();
        if (get_http_var('body') == '') {
            $errors['body'] = "Please enter a reason why you think this comment is not appropriate.";
        }
        if (preg_match('#http://|\\[url#', get_http_var('body'))) {
            $errors['body'] = 'Please do not give any web links in the report body.';
        }
        if (!$THEUSER->isloggedin()) {
            if (get_http_var('firstname') == '' || get_http_var('lastname') == '') {
                $errors['name'] = "Please let us know who you are!";
            }
            if (get_http_var('em') == '') {
コード例 #10
 /**
  * Hands the already-loaded entry to the comment so it does not have to look it up again.
  * Called from {@link _prepare_object()}.
  * @param COMMENT $obj
  * @param ENTRY $entry
  * @access private
  */
 protected function _attach_entry_to_object($obj, $entry)
 {
     $comment = $obj;
     $comment->set_entry($entry);
 }
コード例 #11
 /**
  * The children of a comment in the tree are its replies.
  * @return COMMENT[]
  * @param COMMENT $obj
  * @access private
  */
 protected function _obj_sub_objects($obj)
 {
     $replies = $obj->sub_comments();
     return $replies;
 }
コード例 #12
 /**
  * Shows the subscription controls for a comment: its folder, its entry, the comment
  * itself and its creator, in that order. Each control is marked as active when the
  * matching Subscribe_* kind is present in $kinds.
  * @param SUBSCRIBER $subscriber
  * @param COMMENT $obj
  * @param integer[] $kinds
  * @param OBJECT_RENDERER_OPTIONS $options
  */
 protected function _display($obj, $subscriber, $kinds, $options)
 {
     // getter on $obj (null = the comment itself), page, kind, flag, label
     $targets = array(
         array('parent_folder', 'subscribe_to_folder.php', Subscribe_folder, true, ''),
         array('entry', 'subscribe_to_entry.php', Subscribe_entry, true, ''),
         array(null, 'subscribe_to_comment.php', Subscribe_comment, false, ''),
         array('creator', 'subscribe_to_user.php', Subscribe_user, true, 'creator'),
     );
     foreach ($targets as $target) {
         list($getter, $page, $kind, $flag, $label) = $target;
         // Resolve the subscribed-to object only when its turn comes, keeping call order.
         $subject = $getter === null ? $obj : $obj->$getter();
         $this->show_subscription($subscriber, $subject, $page, in_array($kind, $kinds), $flag, $label);
     }
 }