leetnightshade/grav-plugin-comments
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

validate ajax input

Browse source
This commit is contained in:
Thorsten Witteler 2017-10-23 13:39:49 +02:00
parent cace16f606
commit d70f109776
2 changed files with 234 additions and 109 deletions
Download patch file Download diff file Expand all files Collapse all files

184
assets/comments.js
View file

@ -1,82 +1,130 @@
$(document).ready(function () { jQuery(document).ready(function () {
var commentForm = $(document).find('.comments-form');
function PhpComment(element) { var commentSection = $(document).find('.comments').first();
this.element = element; var commentAlert = commentForm.closest('.alert');
this.init(); //var newMedia;
} //hide form, show link
commentForm.hide();
PhpComment.prototype.init = function () { $(document).find('.comment-add-new').show();
this.setupVariables(); //get template for inserting new comments
this.setupEvents(); /*
} $.ajax({
PhpComment.prototype.setupVariables = function () {
this.commentForm = this.element.find(".comments-form");
this.titleField = this.element.find("#comment_title");
this.bodyField = this.element.find("#comment_body");
}
PhpComment.prototype.setupEvents = function () {
var phpComment = this,
newMedia;
$.ajax({
url: '/media_template.php', url: '/media_template.php',
method: 'GET', method: 'GET',
dataType: 'html', dataType: 'html',
success: function (data) { success: function (data) {
newMedia = data; newMedia = data;
} }
}); });
*/
phpComment.commentForm.on("submit", function (e) { $('body').on('click', '.comment-add-new-sadf', function (e) {
e.preventDefault(); e.preventDefault();
var parentId = 0, alert('asdf');
title = phpComment.titleField.val(), $('span').stop().css('opacity', 1).text('myName = ' + e.name).fadeIn(30).fadeOut(1000);
body = phpComment.bodyField.val(); });
//show comment form above comments section (new comment thread)
if(phpComment.commentForm.parents(".comment").length > 0){ $('body').on('click', '.comment-add-new', function (e) {
parentId = phpComment.commentForm.closest(".comment").attr("data-Id"); e.preventDefault();
//commentForm.hide(1000);
//commentSection.before(commentForm);
$(this).before(commentForm);
commentForm.show('slow');
//$(this).slideUp();
});
//show comment form below selected comment (reply to existing comment)
$('body').on('click', '.comment-add-reply', function (e) {
e.preventDefault();
var media = $(this).closest('.comment');
commentForm.hide();
media.find('>.comment-body>.comment-text').after(commentForm);
commentForm.show('slow');
});
// Attach a submit handler to the form
$(commentForm).on('submit', function (event) {
event.preventDefault();
// Get some values from elements on the page:
//var term = $(this).find( "input[name='s']" ).val();
//var data = $(this).serializeArray();
var data = $(this).serialize();
console.log("Form Data (submit)", JSON.parse(JSON.stringify(data)));
//var url = $(this).attr( "action" );
var url = '/nested-comments';
var parentId = 0;
if ($(this).parents('.comment').length > 0) {
parentId = $(this).closest('.comment').attr('data-Id');
} }
// Send the data using post
$.ajax({ //var posting = $.post(url, { parentId: parentId, data: data }, null, 'json');
url: phpComment.commentForm.attr("action"), var posting = $.post(url, data + '&parentID=' + parentId, null, 'json');
method: 'POST', //$.post( "test.php", $( "#testform" ).serialize() );
dataType: 'json', // Put the results in a div
data: {title: title, body: body, parentId: parentId}, posting.done(function (response) {
success: function (data) { alert('success');
if(!data.created){ console.log("Response Data (done)", JSON.parse(JSON.stringify(response)));
alert("Couldn't create comment"); //response = JSON.parse(response);
var message = response.status ? response.message : 'Error: ' + response.message;
commentForm.after(commentAlert);
commentAlert.empty().append(message);
if (!response.status) {
return; return;
} }
if (response.status) {
newMedia = newMedia.replace("{{id}}", data.id); var newMedia = `
newMedia = newMedia.replace("{{title}}", title); <div class='comment comment-level-{{comment.level|e}}' data-Id='{{comment.id}}' >
newMedia = newMedia.replace("{{body}}", body); <div class='comment-left'>
newMedia = newMedia.replace("{{nested}}", ''); <a href='#'>
phpComment.commentForm.before(newMedia); <img class='comment-object' src='https://www.gravatar.com/avatar/{{comment.email|trim|lower|md5}}?d=identicon' alt='user icon'>
phpComment.titleField.val(""); </a>
phpComment.bodyField.val(""); </div>
<div class='comment-body'>
<div class='comment-heading'>
<div class='comment-title'><h4>{{comment.title}}</h4></div>
<div class='comment-reply'><a class='comment-add-reply' href='#'>{{'PLUGIN_COMMENTS.ADD_REPLY'|t}}</a></div>
<div class='comment-meta'>{{'PLUGIN_COMMENTS.WRITTEN_ON'|t}} {{comment.date|e}} {{'PLUGIN_COMMENTS.BY'|t}} {{comment.author}}</div>
</div>
<div class='comment-text' >
{{comment.text}}
</div>
{{nested}}
</div>
</div>
`;
newMedia = newMedia.replace('{{comment.id}}', response.id);
newMedia = newMedia.replace('{{comment.level|e}}', response.level);
newMedia = newMedia.replace('{{comment.email|trim|lower|md5}}', response.hash);
newMedia = newMedia.replace('{{parent_id}}', response.data.parent_id);
newMedia = newMedia.replace('{{comment.title}}', response.data.title);
newMedia = newMedia.replace('{{comment.text}}', response.data.text);
newMedia = newMedia.replace('{{comment.author}}', response.data.name);
//newMedia = newMedia.replace('{{comment.date|e}}', response.data.name);
if ($( "div[data-Id='" + response.data.parent_id + "']" ).length > 0) {
$( "div[data-Id='" + response.data.parent_id + "']" ).first().after(newMedia);
} else {
$( "div.comments" ).last().prepend(newMedia);
} }
}); //phpComment.commentForm.before(newMedia);
}); //phpComment.titleField.val("");
//phpComment.bodyField.val("");
$(document).on("click", ".comment-add-new", function (e) {
e.preventDefault();
$(this).find(".comments").before(phpComment.commentForm);
});
$(document).on("click", ".comment-add-reply", function (e) {
e.preventDefault();
var media = $(this).closest(".comment");
media.find(">.comment-body>.comment-text").after(phpComment.commentForm);
});
} }
setTimeout(function () {
$.fn.phpComment = function (options) { commentForm.hide(3000);
new PhpComment(this); }, 5000);
return this; });
} posting.fail(function (status, error, title) {
alert('error');
$(".comments").phpComment(); console.log("Response Data (fail)", JSON.parse(JSON.stringify(status)));
commentForm.after(commentAlert);
commentAlert.empty().append("<p>TEST</p>");
commentAlert.append("<p>" + status + "</p>");
commentAlert.append("<p>" + error + "</p>");
commentAlert.append("<p>" + title + "</p>");
});
posting.always(function (test) {
//alert("finished, be it successful or not");
//test = JSON.parse(test);
//test = test.serialize();
//alert(test);
});
});
}); });

131
comments.php
View file

@ -73,9 +73,15 @@ class CommentsPlugin extends Plugin
$disable_on_routes = (array) $this->config->get('plugins.comments.disable_on_routes'); $disable_on_routes = (array) $this->config->get('plugins.comments.disable_on_routes');
$enable_on_routes = (array) $this->config->get('plugins.comments.enable_on_routes'); $enable_on_routes = (array) $this->config->get('plugins.comments.enable_on_routes');
$callback = $this->config->get('plugins.comments.ajax_callback');
$path = $uri->path(); $path = $uri->path();
if ($callback === $path) {
$this->enable = true;
return;
}
if (!in_array($path, $disable_on_routes)) { if (!in_array($path, $disable_on_routes)) {
if (in_array($path, $enable_on_routes)) { if (in_array($path, $enable_on_routes)) {
$this->enable = true; $this->enable = true;
@ -163,58 +169,126 @@ class CommentsPlugin extends Plugin
*/ */
public function onPageInitialized() public function onPageInitialized()
{ {
$is_ajax = isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest';
// initialize with page settings (post-cache) // initialize with page settings (post-cache)
// if (!$this->isAdmin() && isset($this->grav['page']->header()->{'star-ratings'})) { // if (!$this->isAdmin() && isset($this->grav['page']->header()->{'star-ratings'})) {
// // if not in admin merge potential page-level configs // // if not in admin merge potential page-level configs
// $this->config->set('plugins.star-ratings', $this->mergeConfig($page)); // $this->config->set('plugins.star-ratings', $this->mergeConfig($page));
// } // }
$this->callback = 'nested-comments';
// $this->callback = $this->config->get('plugins.star-ratings.callback'); // $this->callback = $this->config->get('plugins.star-ratings.callback');
// $this->total_stars = $this->config->get('plugins.star-ratings.total_stars'); // $this->total_stars = $this->config->get('plugins.star-ratings.total_stars');
// $this->only_full_stars = $this->config->get('plugins.star-ratings.only_full_stars'); // $this->only_full_stars = $this->config->get('plugins.star-ratings.only_full_stars');
$callback = $this->config->get('plugins.comments.ajax_callback');
// Process comment if required // Process comment if required
if ($this->callback === $this->grav['uri']->path()) { if ($is_ajax || $callback === $this->grav['uri']->path()) {
// try to add the comment // try to add the comment
$result = $this->addComment(); $result = $this->addComment();
echo json_encode(['status' => $result[0], 'message' => $result[1], 'data' => ['score' => $result[2][0], 'count' => $result[2][1]]]); echo json_encode([
exit(); 'status' => $result[0],
'message' => $result[1],
'data' => $result[2],
// 'data' => [
// 'score' => $result[2][0],
// 'count' => $result[2][1]
// ]
]);
exit(); //prevents the page frontend from beeing displayed.
} }
} }
public function addComment() public function addComment()
{ {
$nonce = $this->grav['uri']->param('nonce'); if (!$_SERVER["REQUEST_METHOD"] == "POST") {
if (!Utils::verifyNonce($nonce, 'comments')) { // Not a POST request, set a 403 (forbidden) response code.
return [false, 'Invalid security nonce', [0, 0]]; http_response_code(403);
return [false, 'There was a problem with your submission, please try again.', [0, 0]];
} }
$language = $this->grav['language'];
// get and filter the data // get and filter the data
$parent_id = filter_input(INPUT_POST, 'parent_id', FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION); if (!isset($_POST['data']) || !is_array($_POST['data'])) {
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_STRING); // Set a 400 (bad request) response code and exit.
$text = filter_input(INPUT_POST, 'text', FILTER_SANITIZE_STRING); http_response_code(400);
$title = filter_input(INPUT_POST, 'title', FILTER_SANITIZE_STRING); return [false, 'missing data', [0, 0]];
$name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING); }
//$data = $this->getStars($id); $input = array();
$data = array( $input['parent_id'] = filter_input(INPUT_POST, 'parentID', FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
['parent_id'] => $parent_id, $input['name'] = isset($_POST['data']['name']) ? filter_var($_POST['data']['name'], FILTER_SANITIZE_STRING) : null;
['email'] => $email, $input['email'] = isset($_POST['data']['email']) ? filter_var($_POST['data']['email'], FILTER_SANITIZE_EMAIL) : null;
['text'] => $text, $input['text'] = isset($_POST['data']['text']) ? filter_var($_POST['data']['text'], FILTER_SANITIZE_STRING) : null;
['title'] => $title, $input['date'] = isset($_POST['data']['date']) ? filter_var($_POST['data']['date'], FILTER_SANITIZE_STRING) : null;
['name'] => $name, $input['title'] = isset($_POST['data']['title']) ? filter_var($_POST['data']['title'], FILTER_SANITIZE_STRING) : null;
); $input['lang'] = isset($_POST['data']['lang']) ? filter_var($_POST['data']['lang'], FILTER_SANITIZE_STRING) : null;
$input['path'] = isset($_POST['data']['path']) ? filter_var($_POST['data']['path'], FILTER_SANITIZE_STRING) : null;
$input['form-name'] = filter_input(INPUT_POST, 'form-name', FILTER_SANITIZE_STRING);
$input['form-nonce'] = filter_input(INPUT_POST, 'form-nonce', FILTER_SANITIZE_STRING);
/*
foreach ($_POST['data'] as $field) {
if (isset($field['name']) && isset($field['value'])) {
switch ($field['name']) {
case 'data[name]':
$input['name'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case 'data[email]':
$input['email'] = filter_var($field['value'], FILTER_SANITIZE_EMAIL);
break;
case 'data[text]':
$input['text'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case 'data[date]':
$input['date'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case 'data[title]':
$input['title'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case 'data[lang]':
$input['lang'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case 'data[path]':
$input['path'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case '__form-name__':
$input['form-name'] = filter_var($field['value'], FILTER_SANITIZE_STRING);
break;
case 'form-nonce':
$input['form-nonce'] = filter_var($field['value'], FILTER_SANITIZE_STRING); //$this->grav['uri']->param('nonce');
break;
default:
//ignore unexpected fields.
}
}
}
*/
if (!Utils::verifyNonce($input['form-nonce'], 'comments')) {
http_response_code(403);
return [false, 'Invalid security nonce', [$_POST, $input['form-nonce']]];
}
// ensure both values are sent // ensure both values are sent
if (is_null($title) || is_null($text)) { if (is_null($input['title']) || is_null($input['text'])) {
// Set a 400 (bad request) response code and exit.
http_response_code(400);
return [false, 'missing either text or title', [0, 0]]; return [false, 'missing either text or title', [0, 0]];
//return [false, $language->translate('PLUGIN_COMMENTS.FAIL'), $data]; //return [false, $language->translate('PLUGIN_COMMENTS.FAIL'), $data];
} }
$language = $this->grav['language'];
//$data = $this->getStars($id);
$data = array(
'parent_id' => $input['parent_id'],
'email' => $input['email'],
'text' => $input['text'],
'title' => $input['title'],
'name' => $input['name'],
'id' => 99,
'level' => 0,
'hash' => md5(strtolower(trim($input['email']))),
);
// sanity checks for parents // sanity checks for parents
if ($parent_id < 0) { if ($data['parent_id'] < 0) {
$parent_id = 0; $data['parent_id'] = 0;
} elseif ($parent_id > 999 ) { //TODO: Change to 'exists in list of comment ids } elseif ($data['parent_id'] > 999 ) { //TODO: Change to 'exists in list of comment ids
$parent_id = 0; $data['parent_id'] = 0;
} }
//$this->saveVoteData($id, $rating); //$this->saveVoteData($id, $rating);
// Set a 500 (internal server error) response code.
// http_response_code(500);
//$data = $this->getStars($id); //$data = $this->getStars($id);
return [true, $language->translate('PLUGIN_COMMENTS.SUCCESS'), $data]; return [true, $language->translate('PLUGIN_COMMENTS.SUCCESS'), $data];
} }
@ -485,6 +559,9 @@ class CommentsPlugin extends Plugin
* Return the latest commented pages * Return the latest commented pages
*/ */
private function setCommentLevels($comments) { private function setCommentLevels($comments) {
if(!is_array($comments)) {
return $comments;
}
$levelsflat = array(); $levelsflat = array();
foreach($comments as $key => $comment) { foreach($comments as $key => $comment) {
$levelsflat[$comment['id']]['parent'] = $comment['parent']; $levelsflat[$comment['id']]['parent'] = $comment['parent'];