validate ajax input

This commit is contained in:
Thorsten Witteler 2017-10-23 13:39:49 +02:00
parent cace16f606
commit d70f109776
2 changed files with 234 additions and 109 deletions

View File

@ -1,82 +1,130 @@
$(document).ready(function () {
function PhpComment(element) {
this.element = element;
this.init();
}
PhpComment.prototype.init = function () {
this.setupVariables();
this.setupEvents();
}
PhpComment.prototype.setupVariables = function () {
this.commentForm = this.element.find(".comments-form");
this.titleField = this.element.find("#comment_title");
this.bodyField = this.element.find("#comment_body");
}
PhpComment.prototype.setupEvents = function () {
var phpComment = this,
newMedia;
$.ajax({
url: '/media_template.php',
method: 'GET',
dataType: 'html',
success: function (data) {
newMedia = data;
}
});
phpComment.commentForm.on("submit", function (e) {
e.preventDefault();
var parentId = 0,
title = phpComment.titleField.val(),
body = phpComment.bodyField.val();
if(phpComment.commentForm.parents(".comment").length > 0){
parentId = phpComment.commentForm.closest(".comment").attr("data-Id");
}
$.ajax({
url: phpComment.commentForm.attr("action"),
method: 'POST',
dataType: 'json',
data: {title: title, body: body, parentId: parentId},
success: function (data) {
if(!data.created){
alert("Couldn't create comment");
return;
}
newMedia = newMedia.replace("{{id}}", data.id);
newMedia = newMedia.replace("{{title}}", title);
newMedia = newMedia.replace("{{body}}", body);
newMedia = newMedia.replace("{{nested}}", '');
phpComment.commentForm.before(newMedia);
phpComment.titleField.val("");
phpComment.bodyField.val("");
}
});
});
$(document).on("click", ".comment-add-new", function (e) {
e.preventDefault();
$(this).find(".comments").before(phpComment.commentForm);
});
$(document).on("click", ".comment-add-reply", function (e) {
e.preventDefault();
var media = $(this).closest(".comment");
media.find(">.comment-body>.comment-text").after(phpComment.commentForm);
});
}
$.fn.phpComment = function (options) {
new PhpComment(this);
return this;
}
$(".comments").phpComment();
jQuery(document).ready(function () {
var commentForm = $(document).find('.comments-form');
var commentSection = $(document).find('.comments').first();
var commentAlert = commentForm.closest('.alert');
//var newMedia;
//hide form, show link
commentForm.hide();
$(document).find('.comment-add-new').show();
//get template for inserting new comments
/*
$.ajax({
url: '/media_template.php',
method: 'GET',
dataType: 'html',
success: function (data) {
newMedia = data;
}
});
*/
$('body').on('click', '.comment-add-new-sadf', function (e) {
e.preventDefault();
alert('asdf');
$('span').stop().css('opacity', 1).text('myName = ' + e.name).fadeIn(30).fadeOut(1000);
});
//show comment form above comments section (new comment thread)
$('body').on('click', '.comment-add-new', function (e) {
e.preventDefault();
//commentForm.hide(1000);
//commentSection.before(commentForm);
$(this).before(commentForm);
commentForm.show('slow');
//$(this).slideUp();
});
//show comment form below selected comment (reply to existing comment)
$('body').on('click', '.comment-add-reply', function (e) {
e.preventDefault();
var media = $(this).closest('.comment');
commentForm.hide();
media.find('>.comment-body>.comment-text').after(commentForm);
commentForm.show('slow');
});
// Attach a submit handler to the form
$(commentForm).on('submit', function (event) {
event.preventDefault();
// Get some values from elements on the page:
//var term = $(this).find( "input[name='s']" ).val();
//var data = $(this).serializeArray();
var data = $(this).serialize();
console.log("Form Data (submit)", JSON.parse(JSON.stringify(data)));
//var url = $(this).attr( "action" );
var url = '/nested-comments';
var parentId = 0;
if ($(this).parents('.comment').length > 0) {
parentId = $(this).closest('.comment').attr('data-Id');
}
// Send the data using post
//var posting = $.post(url, { parentId: parentId, data: data }, null, 'json');
var posting = $.post(url, data + '&parentID=' + parentId, null, 'json');
//$.post( "test.php", $( "#testform" ).serialize() );
// Put the results in a div
posting.done(function (response) {
alert('success');
console.log("Response Data (done)", JSON.parse(JSON.stringify(response)));
//response = JSON.parse(response);
var message = response.status ? response.message : 'Error: ' + response.message;
commentForm.after(commentAlert);
commentAlert.empty().append(message);
if (!response.status) {
return;
}
if (response.status) {
var newMedia = `
<div class='comment comment-level-{{comment.level|e}}' data-Id='{{comment.id}}' >
<div class='comment-left'>
<a href='#'>
<img class='comment-object' src='https://www.gravatar.com/avatar/{{comment.email|trim|lower|md5}}?d=identicon' alt='user icon'>
</a>
</div>
<div class='comment-body'>
<div class='comment-heading'>
<div class='comment-title'><h4>{{comment.title}}</h4></div>
<div class='comment-reply'><a class='comment-add-reply' href='#'>{{'PLUGIN_COMMENTS.ADD_REPLY'|t}}</a></div>
<div class='comment-meta'>{{'PLUGIN_COMMENTS.WRITTEN_ON'|t}} {{comment.date|e}} {{'PLUGIN_COMMENTS.BY'|t}} {{comment.author}}</div>
</div>
<div class='comment-text' >
{{comment.text}}
</div>
{{nested}}
</div>
</div>
`;
newMedia = newMedia.replace('{{comment.id}}', response.id);
newMedia = newMedia.replace('{{comment.level|e}}', response.level);
newMedia = newMedia.replace('{{comment.email|trim|lower|md5}}', response.hash);
newMedia = newMedia.replace('{{parent_id}}', response.data.parent_id);
newMedia = newMedia.replace('{{comment.title}}', response.data.title);
newMedia = newMedia.replace('{{comment.text}}', response.data.text);
newMedia = newMedia.replace('{{comment.author}}', response.data.name);
//newMedia = newMedia.replace('{{comment.date|e}}', response.data.name);
if ($( "div[data-Id='" + response.data.parent_id + "']" ).length > 0) {
$( "div[data-Id='" + response.data.parent_id + "']" ).first().after(newMedia);
} else {
$( "div.comments" ).last().prepend(newMedia);
}
//phpComment.commentForm.before(newMedia);
//phpComment.titleField.val("");
//phpComment.bodyField.val("");
}
setTimeout(function () {
commentForm.hide(3000);
}, 5000);
});
posting.fail(function (status, error, title) {
alert('error');
console.log("Response Data (fail)", JSON.parse(JSON.stringify(status)));
commentForm.after(commentAlert);
commentAlert.empty().append("<p>TEST</p>");
commentAlert.append("<p>" + status + "</p>");
commentAlert.append("<p>" + error + "</p>");
commentAlert.append("<p>" + title + "</p>");
});
posting.always(function (test) {
//alert("finished, be it successful or not");
//test = JSON.parse(test);
//test = test.serialize();
//alert(test);
});
});
});

View File

@ -73,9 +73,15 @@ class CommentsPlugin extends Plugin
$disable_on_routes = (array) $this->config->get('plugins.comments.disable_on_routes');
$enable_on_routes = (array) $this->config->get('plugins.comments.enable_on_routes');
$callback = $this->config->get('plugins.comments.ajax_callback');
$path = $uri->path();
if ($callback === $path) {
$this->enable = true;
return;
}
if (!in_array($path, $disable_on_routes)) {
if (in_array($path, $enable_on_routes)) {
$this->enable = true;
@ -163,58 +169,126 @@ class CommentsPlugin extends Plugin
*/
public function onPageInitialized()
{
$is_ajax = isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest';
// initialize with page settings (post-cache)
// if (!$this->isAdmin() && isset($this->grav['page']->header()->{'star-ratings'})) {
// // if not in admin merge potential page-level configs
// $this->config->set('plugins.star-ratings', $this->mergeConfig($page));
// }
$this->callback = 'nested-comments';
// $this->callback = $this->config->get('plugins.star-ratings.callback');
// $this->total_stars = $this->config->get('plugins.star-ratings.total_stars');
// $this->only_full_stars = $this->config->get('plugins.star-ratings.only_full_stars');
$callback = $this->config->get('plugins.comments.ajax_callback');
// Process comment if required
if ($this->callback === $this->grav['uri']->path()) {
if ($is_ajax || $callback === $this->grav['uri']->path()) {
// try to add the comment
$result = $this->addComment();
echo json_encode(['status' => $result[0], 'message' => $result[1], 'data' => ['score' => $result[2][0], 'count' => $result[2][1]]]);
exit();
echo json_encode([
'status' => $result[0],
'message' => $result[1],
'data' => $result[2],
// 'data' => [
// 'score' => $result[2][0],
// 'count' => $result[2][1]
// ]
]);
exit(); //prevents the page frontend from beeing displayed.
}
}
public function addComment()
{
$nonce = $this->grav['uri']->param('nonce');
if (!Utils::verifyNonce($nonce, 'comments')) {
return [false, 'Invalid security nonce', [0, 0]];
}
$language = $this->grav['language'];
if (!$_SERVER["REQUEST_METHOD"] == "POST") {
// Not a POST request, set a 403 (forbidden) response code.
http_response_code(403);
return [false, 'There was a problem with your submission, please try again.', [0, 0]];
}
// get and filter the data
$parent_id = filter_input(INPUT_POST, 'parent_id', FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_STRING);
$text = filter_input(INPUT_POST, 'text', FILTER_SANITIZE_STRING);
$title = filter_input(INPUT_POST, 'title', FILTER_SANITIZE_STRING);
$name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING);
//$data = $this->getStars($id);
$data = array(
['parent_id'] => $parent_id,
['email'] => $email,
['text'] => $text,
['title'] => $title,
['name'] => $name,
);
if (!isset($_POST['data']) || !is_array($_POST['data'])) {
// Set a 400 (bad request) response code and exit.
http_response_code(400);
return [false, 'missing data', [0, 0]];
}
$input = array();
$input['parent_id'] = filter_input(INPUT_POST, 'parentID', FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
$input['name'] = isset($_POST['data']['name']) ? filter_var($_POST['data']['name'], FILTER_SANITIZE_STRING) : null;
$input['email'] = isset($_POST['data']['email']) ? filter_var($_POST['data']['email'], FILTER_SANITIZE_EMAIL) : null;
$input['text'] = isset($_POST['data']['text']) ? filter_var($_POST['data']['text'], FILTER_SANITIZE_STRING) : null;
$input['date'] = isset($_POST['data']['date']) ? filter_var($_POST['data']['date'], FILTER_SANITIZE_STRING) : null;
$input['title'] = isset($_POST['data']['title']) ? filter_var($_POST['data']['title'], FILTER_SANITIZE_STRING) : null;
$input['lang'] = isset($_POST['data']['lang']) ? filter_var($_POST['data']['lang'], FILTER_SANITIZE_STRING) : null;
$input['path'] = isset($_POST['data']['path']) ? filter_var($_POST['data']['path'], FILTER_SANITIZE_STRING) : null;
$input['form-name'] = filter_input(INPUT_POST, 'form-name', FILTER_SANITIZE_STRING);
$input['form-nonce'] = filter_input(INPUT_POST, 'form-nonce', FILTER_SANITIZE_STRING);
/*
foreach ($_POST['data'] as $field) {
if (isset($field['name']) && isset($field['value'])) {
switch ($field['name']) {
case 'data[name]':
$input['name'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case 'data[email]':
$input['email'] = filter_var($field['value'], FILTER_SANITIZE_EMAIL);
break;
case 'data[text]':
$input['text'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case 'data[date]':
$input['date'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case 'data[title]':
$input['title'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case 'data[lang]':
$input['lang'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case 'data[path]':
$input['path'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case '__form-name__':
$input['form-name'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case 'form-nonce':
$input['form-nonce'] = filter_var($field['value'], FILTER_SANITIZE_STRING); //$this->grav['uri']->param('nonce');
break;
default:
//ignore unexpected fields.
}
}
}
*/
if (!Utils::verifyNonce($input['form-nonce'], 'comments')) {
http_response_code(403);
return [false, 'Invalid security nonce', [$_POST, $input['form-nonce']]];
}
// ensure both values are sent
if (is_null($title) || is_null($text)) {
if (is_null($input['title']) || is_null($input['text'])) {
// Set a 400 (bad request) response code and exit.
http_response_code(400);
return [false, 'missing either text or title', [0, 0]];
//return [false, $language->translate('PLUGIN_COMMENTS.FAIL'), $data];
}
$language = $this->grav['language'];
//$data = $this->getStars($id);
$data = array(
'parent_id' => $input['parent_id'],
'email' => $input['email'],
'text' => $input['text'],
'title' => $input['title'],
'name' => $input['name'],
'id' => 99,
'level' => 0,
'hash' => md5(strtolower(trim($input['email']))),
);
// sanity checks for parents
if ($parent_id < 0) {
$parent_id = 0;
} elseif ($parent_id > 999 ) { //TODO: Change to 'exists in list of comment ids
$parent_id = 0;
if ($data['parent_id'] < 0) {
$data['parent_id'] = 0;
} elseif ($data['parent_id'] > 999 ) { //TODO: Change to 'exists in list of comment ids
$data['parent_id'] = 0;
}
//$this->saveVoteData($id, $rating);
// Set a 500 (internal server error) response code.
// http_response_code(500);
//$data = $this->getStars($id);
return [true, $language->translate('PLUGIN_COMMENTS.SUCCESS'), $data];
}
@ -485,6 +559,9 @@ class CommentsPlugin extends Plugin
* Return the latest commented pages
*/
private function setCommentLevels($comments) {
if(!is_array($comments)) {
return $comments;
}
$levelsflat = array();
foreach($comments as $key => $comment) {
$levelsflat[$comment['id']]['parent'] = $comment['parent'];