/inc/bx/filters/formwizard/methods/blogcomment.php
PHP | 329 lines | 271 code | 28 blank | 30 comment | 31 complexity | 57877b218de721ef850ea4eb8ad82c35 MD5 | raw file
Possible License(s): GPL-2.0, BSD-3-Clause, Apache-2.0, LGPL-2.1
- <?php
- class bxfw_blogcomment {
-
- private $allowedTags = array('b','i','a','ul','li','ol','pre','blockquote','br','p');
-
- private $knownspammers = array();
-
- private $tidyOptions = array(
- "output-xhtml" => true,
- "show-body-only" => true,
-
- "clean" => true,
- "wrap" => "350",
- "indent" => true,
- "indent-spaces" => 1,
- "ascii-chars" => false,
- "wrap-attributes" => false,
- "alt-text" => "",
- "doctype" => "loose",
- "numeric-entities" => true,
- "drop-proprietary-attributes" => true
- );
- public function __construct($fw) {
- $this->parent = $fw;
- }
-
- function emailFields($emailBodyID = '') {
- // not needed anymore;
- return true;
-
- $timezone = bx_helpers_config::getTimezoneAsSeconds();
-
- $fields = $this->parent->getFields();
-
- $isok = false;
- //add some more fields and clean some others
- $fields['remote_ip'] = $_SERVER['REMOTE_ADDR'];
- $fields['name'] = strip_tags($fields['name'] );
- $fields['email'] = strip_tags($fields['email'] );
- $fields['base'] = strip_tags($fields['base'] );
- foreach($fields as $name => $value) {
- $fields[$name] = bx_helpers_string::utf2entities(str_replace("&","&",trim($value)));
- }
- /*
- FIXME: can't set cookies, due to the location redirect at the end...
- if (isset($fields['comment_remember'])) {
- $remember = array('name' => $fields['name'],'email' => $fields['email'],'base' => $fields['base'],'comment_notify' => @$fields['comment_notify'],'comment_remember' => $fields['comment_remember']);
- setcookie("blog_remember", serialize($remember), 3600*24*60,"/");
- } else if (isset($_COOKIE['blog_remember'])) {
- setcookie("blog_remember", null);
- }
- */
-
- //get TablePrefix
- $parts = bx_collections::getCollectionAndFileParts($this->parent->collUri, "output");
- $p = $parts['coll']->getFirstPluginMapByRequest("index","html");
- $p = $p['plugin'];
- $tablePrefix = $GLOBALS['POOL']->config->getTablePrefix();
-
- $blogTablePrefix = $tablePrefix.$p->getParameter($parts['coll']->uri,"tableprefix");
-
- $query = 'SELECT blogposts.post_uri, blogposts.id,
- blogposts.post_title,
- blogposts.post_uri,
- users.user_login,
- unix_timestamp(blogposts.post_date) as unixtime,
- blogposts.post_comment_mode
-
- from '.$blogTablePrefix.'blogposts as blogposts left join '.$tablePrefix.'users as users on blogposts.post_author = users.user_login
- where blogposts.id = "'.$fields['id'].'" ';
-
- $res = $GLOBALS['POOL']->db->query($query);
- $row = $res->fetchRow(MDB2_FETCHMODE_ASSOC);
-
- if(isset($fields['captcha'])) {
- if (!$this->checkCaptcha($fields['captcha'], $fields['imgid'])) {
- return false;
- }
- }
-
-
- if ($row['post_comment_mode'] == 99) {
- $row['post_comment_mode'] = $GLOBALS['POOL']->config->blogDefaultPostCommentMode;
- }
- if (!($row['post_comment_mode'] == 2 || ($row['post_comment_mode'] == 1 && (time() - 2678800) < $row['unixtime']))) {
- die("No comments allowed anymore...");
- }
-
- /* flood-protection */
- /*$query = "SELECT unix_timestamp(comment_date) FROM ".$blogTablePrefix."blogcomments WHERE comment_author_IP='".$_SERVER['REMOTE_ADDR']."' ORDER BY comment_date DESC LIMIT 1";
-
- $res = $GLOBALS['POOL']->db->query($query);
- $time_lastcomment = $res->fetchOne(0);
- if (time() - $time_lastcomment) < 60){
- die ("Flood protection! You're not allowed to post comments within that short of a timespan");
- } */
- /* end flood-protection */
-
-
- $fields['uri'] = BX_WEBROOT_W.$parts['coll']->uri.'archive/'.date('Y',$row['unixtime']).'/'.date('m',$row['unixtime']).'/'.date('d',$row['unixtime']).'/'.$row['post_uri'].'.html';
-
- $screenNode = $this->parent->confctxt->query("/bxco:wizard/bxco:screen[@emailTo]");
- $screenNode = $screenNode->item(0);
- // clean up comment
- if (class_exists('tidy')) {
- $tidy = new tidy();
- if(!$tidy) {
- throw new Exception("Something went wrong with tidy initialisation. Maybe you didn't enable ext/tidy in your PHP installation. Either install it or remove the tidy transformer from your sitemap.xml");
- }
- } else {
- $tidy = false;
- }
-
- // this preg escapes all not allowed tags...
- $_tags = implode("|",$this->allowedTags).")])#i";
- $fields['comments'] = preg_replace("#\<(/[^(".$_tags,"<$1", $fields['comments']);
- $fields['comments'] = preg_replace("#\<([^(/|".$_tags,"<$1", $fields['comments']);
-
- $allowedTagsString = "<".implode("><",$this->allowedTags).">";
- if ($tidy) {
- $tidy->parseString(strip_tags(nl2br($fields['comments']),$allowedTagsString ),$this->tidyOptions,"utf8");
- $tidy->cleanRepair();
- $fields['comments'] = popoon_classes_externalinput::basicClean((string) $tidy);
- // and tidy it again
- $tidy->parseString($fields['comments']);
- $tidy->cleanRepair();
- $fields['comments'] = (string) $tidy;
- } else {
- $fields['comments'] = popoon_classes_externalinput::basicClean(strip_tags(nl2br($fields['comments']),$allowedTagsString));
- }
- $commentRejected = "";
-
- /* known spammer user */
- $simplecache = popoon_helpers_simplecache::getInstance();
- $simplecache->cacheDir = BX_TEMP_DIR;
- $deleteIt = false;
-
- //check for pineapleproxy
- if (isset($_SERVER['HTTP_VIA']) && stripos($_SERVER['HTTP_VIA'],'pinappleproxy') !== false) {
- $commentRejected .= "* Uses known spammer proxy: ". $_SERVER['HTTP_VIA'] . "\n";
- }
-
- //get latest spammer name list every 6 hours
- /*
- $this->knownspammers = $simplecache->simpleCacheRemoteArrayRead("http://www.bitflux.org/download/antispam/knownspammer.dat",21600);
-
- if (in_array(strtolower(preg_replace("#[^a-z]#i","",$fields['name'])),$this->knownspammers)) {
- $commentRejected .= "* Known spammer name: " . $fields['name'] ."\n";
- $deleteIt = true;
- }*/
-
-
- /* If url field is filled in, it was a bot ...*/
- if (isset($fields['url']) && $fields['url'] != "") {
- $commentRejected .= "* URL field was not empty, assuming bot: " . $fields['url']."\n";
- $deleteIt = true;
- }
- /* Max 5 links per post and SURBL check */
- if (preg_match_all("#http://[\/\w\.\-]+#",$fields['comments'], $matches) || $fields['base'] != '') {
- if ($fields['base'] != '') {
- $matches[0][] = $fields['base'] ;
- }
- if (isset($matches[0])) {
- $urls = array_unique($matches[0]);
- if ( count($urls) > 5) {
- $commentRejected .= "* More than 5 unique links in comment (".count($urls) .")\n";
- if (count($urls) > 10) {
- $deleteIt = true;
- }
- }
-
- $commentRejected .= bx_plugins_blog_spam::checkRBLs($urls);
- }
- }
-
- //check sender IP against xbl.spamhaus.org
- $xblcheck = bx_plugins_blog_spam::checkSenderIPBLs($_SERVER['REMOTE_ADDR']);
-
- if (!$commentRejected) {
- // insert comment
- $comment_status = 1;
- } else if ($deleteIt) {
- $comment_status = 3;
- } else {
- $comment_status = 2;
- }
- //delete all rejected comments older than 3 days...
- $query = 'delete from '.$blogTablePrefix.'blogcomments where comment_status = 3 and now() - comment_date > 3600 * 24 * 3';
- $res = $GLOBALS['POOL']->dbwrite->query($query);
- //delete all moderated comments older than 14 days...
- $query = 'delete from '.$blogTablePrefix.'blogcomments where comment_status = 2 and now() - comment_date > 3600 * 24 * 14';
- $res = $GLOBALS['POOL']->dbwrite->query($query);
-
- $emailFrom = str_replace(":"," ",html_entity_decode($fields['name'],ENT_QUOTES,'ISO-8859-1'));
-
- if ($fields['email']) {
- $emailFrom .= ' <'.html_entity_decode($fields['email'],ENT_QUOTES,'ISO-8859-1').'>';
- } else {
- $emailFrom .= ' <unknown@example.org>';
- }
- // check if emailFrom is a valid input. if not -> reject!!!
- if(strpos($emailFrom, "\n") !== FALSE or strpos($emailFrom, "\r") !== FALSE) {
- print ("Comment rejected. Looks like you're trying to spam the world....");
- die();
- }
- $comment_notification_hash = bx_helpers_int::getRandomHex(var_export($fields,true));
- $db = $GLOBALS['POOL']->dbwrite;
- if (!isset($fields['comment_notification'])) {
- $fields['comment_notification'] = 0;
- }
- $query = 'insert into '.$blogTablePrefix.'blogcomments (comment_posts_id, comment_author, comment_author_email, comment_author_ip,
- comment_date, comment_content,comment_status, comment_notification, comment_notification_hash,
- comment_author_url
- ) VALUES ("'.$row['id'].'",'.$db->quote($fields['name'])
- .','.$db->quote($fields['email'],'text').','.$db->quote($fields['remote_ip']).',"'.gmdate('c').'",'.$db->quote(bx_helpers_string::utf2entities($fields['comments'])).','.$comment_status.','.$db->quote($fields['comment_notification']).',"'.$comment_notification_hash.'",'.$db->quote($fields['base'],'text').')';
- $res = $GLOBALS['POOL']->dbwrite->query($query);
-
- $GLOBALS['POOL']->dbwrite->loadModule('Extended');
- $lastID = $GLOBALS['POOL']->dbwrite->getAfterID(null,$blogTablePrefix.'blogcomments');
- $fields['edituri'] = BX_WEBROOT.'admin/?edit=/forms/blogcomments/?id='.$lastID;
- $fields['uri'] .= '#comment'.$lastID;
- //get email et al
- $emailTo = $row['user_login'];
- //if ($row['user_email'] && !$deleteIt) {
- $emailSubject = '['.bx_helpers_config::getBlogName().'] ' ;
- if ($commentRejected) {
- $hashPrefix = "a";
- if ($deleteIt) {
- $emailSubject .= "(Rej) ";
- } else {
- $emailSubject .= "(Mod) ";
- }
- $fields['accepturi'] = "(Click the link to accept this comment [1]):\n";
- } else {
- $hashPrefix = "r";
- $fields['accepturi'] = "(Click the link to reject this comment [1]) :\n";
- }
- // insert hash
- if ($GLOBALS['POOL']->config->lastdbversion >= 5266) {
- $hash = bx_helpers_int::getRandomHex(var_export($fields,true));
- $query = 'update '.$blogTablePrefix.'blogcomments set comment_hash = ' . $GLOBALS['POOL']->db->quote($hashPrefix . $hash) . ' where id = ' . $lastID;
- $GLOBALS['POOL']->dbwrite->query($query);
- $fields['accepturi'] .= " ".BX_WEBROOT.'admin/webinc/approval/?hash='.$hashPrefix.$hash;
- } else {
- $fields['accepturi'] .= " Please update your Flux CMS DB to use that feature.";
- }
- $fields['edituri'] = BX_WEBROOT.'admin/edit/blog/sub/comments/?id='.$lastID;
- $emailSubject .= "New comment on '" . html_entity_decode($row['post_title'],ENT_QUOTES,'ISO-8859-1') . "'";
-
- $bodyID = $screenNode->getAttribute('emailBodyID');
-
- if(!empty($bodyID)) {
- $emailBodyID = $bodyID;
- }
-
- $emailBody = "";
- if ($commentRejected) {
- $emailBody .= "Comment rejected, due to:\n";
- $emailBody .= $commentRejected ."\n";
- }
- if ($xblcheck) {
- $emailBody .= $xblcheck ."\n";
- }
- if(!empty($emailBodyID)) {
- $emailBody .= utf8_decode($this->parent->lookup($emailBodyID));
- $this->parent->_replaceTextFields($emailBody, $fields);
- $emailBody = html_entity_decode($emailBody,ENT_QUOTES,'UTF-8');
- } else {
- foreach ($fields as $key => $value) {
- $emailBody .= html_entity_decode("$key: $value",ENT_QUOTES,'UTF-8')."\n";
- }
- }
-
- $headers = '';
-
- if(!empty($emailFrom)) {
- $headers .= "From: $emailFrom\r\n";
- }
- //utf 8 encoded...
- //FIXME: do the same for subjects with quoted printable
- $headers .= "Content-Type: text/plain; charset=UTF-8\r\nContent-Transfer-Encoding: 8bit\r\n";
- $emailBody = str_replace('<br />','',$emailBody);
- //don't send mails on rejects for the time beeing
- if ($GLOBALS['POOL']->config->blogSendRejectedCommentNotification == "true" || !$deleteIt) {
- bx_notificationmanager::sendToDefault($emailTo,$emailSubject, $emailBody,$emailFrom);
- }
- $_SESSION["bx_wizard"] = array();
-
- if(!$commentRejected) {
- bx_plugins_blog_commentsnotification::sendNotificationMails($lastID,$row['id'],$parts['coll']->uri);
-
- header ('Location: '. bx_helpers_uri::getLocationUri($row["post_uri"]) . '.html?sent='.time().'#comment'.$lastID);
- } else {
- //put it in the db;
- $query = 'update '.$blogTablePrefix.'blogcomments set comment_rejectreason = ' . $GLOBALS['POOL']->db->quote(htmlspecialchars($commentRejected)) . ' where id = ' . $lastID;
- $res = $GLOBALS['POOL']->dbwrite->query($query);
- if ($deleteIt) {
- print ("Comment rejected. Looks like blogspam.");
- } else {
- print ("<h1>Possible blogspam</h1>Your comment is considered as possible blogspam and therefore moderated. <br/> If it's legitimate, the author will make it available later.<br/> Your message is not lost ;) <br/>Thanks for your understanding.<p/>");
- print ("The reasons are: <br/>");
- print nl2br(htmlspecialchars($commentRejected));
- }
- }
- exit();
- return TRUE;
- }
-
- protected function checkCaptcha($captcha, $imgid) {
- $days = $GLOBALS['POOL']->config->blogCaptchaAfterDays;
- $ok = false;
- $magickey = $GLOBALS['POOL']->config->magicKey;
- preg_match("#.*.html#", $_SERVER['REQUEST_URI'], $matches);
-
- if($imgid == md5($captcha.floor(time()/(60*15)).$magickey.$_SERVER['REMOTE_ADDR'].$matches['0']) or $imgid == md5($captcha.floor(time()/(60*15-1)).$magickey.$_SERVER['REMOTE_ADDR'].$matches['0'])) {
- unlink(BX_PROJECT_DIR.'dynimages/'.$imgid . '.png');
- return true;
- } else {
- unlink(BX_PROJECT_DIR.'dynimages/'.$imgid . '.png');
- echo '<script type="text/javascript">alert("False captcha code!!! Please enter the right one from image")</script>';
- return false;
- }
- }
- }
- ?>