mirror of
https://github.com/silverstripe/silverstripe-comments
synced 2024-10-22 11:05:49 +02:00
FIX Ensure comments are escaped in RSS feeds.
FIX Also fix up preview to only output the comment content rather than the whole template. FIX Hide preview after posting comment. API Move AllowHtml to field to prevent issues with altering Html configuration after comments have been posted. FIX If moderation is turned on for commenting, still render comments in preview mode.
This commit is contained in:
parent
f38b9daebd
commit
3a4a1dd4b4
@ -117,7 +117,13 @@ class CommentingController extends Controller {
|
|||||||
$comments = new PaginatedList($comments, $request);
|
$comments = new PaginatedList($comments, $request);
|
||||||
$comments->setPageLength(Commenting::get_config_value(null, 'comments_per_page'));
|
$comments->setPageLength(Commenting::get_config_value(null, 'comments_per_page'));
|
||||||
|
|
||||||
return new RSSFeed($comments, $link, $title, $link, 'Title', 'Comment', 'AuthorName');
|
return new RSSFeed(
|
||||||
|
$comments,
|
||||||
|
$link,
|
||||||
|
$title,
|
||||||
|
$link,
|
||||||
|
'Title', 'EscapedComment', 'AuthorName'
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -242,7 +248,9 @@ class CommentingController extends Controller {
|
|||||||
public function CommentsForm() {
|
public function CommentsForm() {
|
||||||
$usePreview = Commenting::get_config_value($this->getBaseClass(), 'use_preview');
|
$usePreview = Commenting::get_config_value($this->getBaseClass(), 'use_preview');
|
||||||
$member = Member::currentUser();
|
$member = Member::currentUser();
|
||||||
|
|
||||||
$fields = new FieldList(
|
$fields = new FieldList(
|
||||||
|
$dataFields = new CompositeField(
|
||||||
TextField::create("Name", _t('CommentInterface.YOURNAME', 'Your name'))
|
TextField::create("Name", _t('CommentInterface.YOURNAME', 'Your name'))
|
||||||
->setCustomValidationMessage(_t('CommentInterface.YOURNAME_MESSAGE_REQUIRED', 'Please enter your name'))
|
->setCustomValidationMessage(_t('CommentInterface.YOURNAME_MESSAGE_REQUIRED', 'Please enter your name'))
|
||||||
->setAttribute('data-message-required', _t('CommentInterface.YOURNAME_MESSAGE_REQUIRED', 'Please enter your name')),
|
->setAttribute('data-message-required', _t('CommentInterface.YOURNAME_MESSAGE_REQUIRED', 'Please enter your name')),
|
||||||
@ -257,8 +265,8 @@ class CommentingController extends Controller {
|
|||||||
|
|
||||||
TextareaField::create("Comment", _t('CommentingController.COMMENTS', "Comments"))
|
TextareaField::create("Comment", _t('CommentingController.COMMENTS', "Comments"))
|
||||||
->setCustomValidationMessage(_t('CommentInterface.COMMENT_MESSAGE_REQUIRED', 'Please enter your comment'))
|
->setCustomValidationMessage(_t('CommentInterface.COMMENT_MESSAGE_REQUIRED', 'Please enter your comment'))
|
||||||
->setAttribute('data-message-required', _t('CommentInterface.COMMENT_MESSAGE_REQUIRED', 'Please enter your comment')),
|
->setAttribute('data-message-required', _t('CommentInterface.COMMENT_MESSAGE_REQUIRED', 'Please enter your comment'))
|
||||||
|
),
|
||||||
HiddenField::create("ParentID"),
|
HiddenField::create("ParentID"),
|
||||||
HiddenField::create("ReturnURL"),
|
HiddenField::create("ReturnURL"),
|
||||||
HiddenField::create("BaseClass")
|
HiddenField::create("BaseClass")
|
||||||
@ -274,6 +282,7 @@ class CommentingController extends Controller {
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$dataFields->addExtraClass('data-fields');
|
||||||
|
|
||||||
// save actions
|
// save actions
|
||||||
$actions = new FieldList(
|
$actions = new FieldList(
|
||||||
@ -360,7 +369,7 @@ class CommentingController extends Controller {
|
|||||||
public function doPostComment($data, $form) {
|
public function doPostComment($data, $form) {
|
||||||
$class = (isset($data['BaseClass'])) ? $data['BaseClass'] : $this->getBaseClass();
|
$class = (isset($data['BaseClass'])) ? $data['BaseClass'] : $this->getBaseClass();
|
||||||
$usePreview = Commenting::get_config_value($class, 'use_preview');
|
$usePreview = Commenting::get_config_value($class, 'use_preview');
|
||||||
$isPreview = ($usePreview && isset($data['preview']) && $data['preview']);
|
$isPreview = ($usePreview && isset($data['IsPreview']) && $data['IsPreview']);
|
||||||
|
|
||||||
// if no class then we cannot work out what controller or model they
|
// if no class then we cannot work out what controller or model they
|
||||||
// are on so throw an error
|
// are on so throw an error
|
||||||
@ -398,23 +407,24 @@ class CommentingController extends Controller {
|
|||||||
$comment = new Comment();
|
$comment = new Comment();
|
||||||
$form->saveInto($comment);
|
$form->saveInto($comment);
|
||||||
|
|
||||||
|
$comment->AllowHtml = Commenting::get_config_value($class, 'html_allowed');
|
||||||
$comment->Moderated = ($moderated) ? false : true;
|
$comment->Moderated = ($moderated) ? false : true;
|
||||||
|
|
||||||
// Save into DB, or call pre-save hooks to give accurate preview
|
// Save into DB, or call pre-save hooks to give accurate preview
|
||||||
if($isPreview) {
|
if($isPreview) {
|
||||||
$comment->onBeforeWrite();
|
$comment->extend('onBeforeWrite', $dummy);
|
||||||
} else {
|
} else {
|
||||||
$comment->write();
|
$comment->write();
|
||||||
}
|
|
||||||
|
|
||||||
// extend hook to allow extensions. Also see onBeforePostComment
|
// extend hook to allow extensions. Also see onBeforePostComment
|
||||||
$this->extend('onAfterPostComment', $comment);
|
$this->extend('onAfterPostComment', $comment);
|
||||||
|
}
|
||||||
|
|
||||||
// clear the users comment since it passed validation
|
// clear the users comment since it passed validation
|
||||||
Cookie::set('CommentsForm_Comment', false);
|
Cookie::set('CommentsForm_Comment', false);
|
||||||
|
|
||||||
if(Director::is_ajax()) {
|
if(Director::is_ajax()) {
|
||||||
if(!$comment->Moderated) {
|
if(!$comment->Moderated && !$isPreview) {
|
||||||
return $comment->renderWith('CommentsInterface_pendingcomment');
|
return $comment->renderWith('CommentsInterface_pendingcomment');
|
||||||
} else {
|
} else {
|
||||||
return $comment->renderWith('CommentsInterface_singlecomment');
|
return $comment->renderWith('CommentsInterface_singlecomment');
|
||||||
@ -431,6 +441,7 @@ class CommentingController extends Controller {
|
|||||||
|
|
||||||
public function doPreviewComment($data, $form) {
|
public function doPreviewComment($data, $form) {
|
||||||
$data['IsPreview'] = 1;
|
$data['IsPreview'] = 1;
|
||||||
|
|
||||||
return $this->doPostComment($data, $form);
|
return $this->doPostComment($data, $form);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -9,13 +9,14 @@ class Comment extends DataObject {
|
|||||||
|
|
||||||
public static $db = array(
|
public static $db = array(
|
||||||
"Name" => "Varchar(200)",
|
"Name" => "Varchar(200)",
|
||||||
"Comment" => "Text", // can contain sanitized HTML with 'html_allowed=true' config
|
"Comment" => "Text",
|
||||||
"Email" => "Varchar(200)",
|
"Email" => "Varchar(200)",
|
||||||
"URL" => "Varchar(255)",
|
"URL" => "Varchar(255)",
|
||||||
"BaseClass" => "Varchar(200)",
|
"BaseClass" => "Varchar(200)",
|
||||||
"Moderated" => "Boolean",
|
"Moderated" => "Boolean",
|
||||||
"IsSpam" => "Boolean",
|
"IsSpam" => "Boolean",
|
||||||
"ParentID" => "Int"
|
"ParentID" => "Int",
|
||||||
|
'AllowHtml' => "Boolean"
|
||||||
);
|
);
|
||||||
|
|
||||||
public static $has_one = array(
|
public static $has_one = array(
|
||||||
@ -59,7 +60,7 @@ class Comment extends DataObject {
|
|||||||
parent::onBeforeWrite();
|
parent::onBeforeWrite();
|
||||||
|
|
||||||
// Sanitize HTML, because its expected to be passed to the template unescaped later
|
// Sanitize HTML, because its expected to be passed to the template unescaped later
|
||||||
if($this->getAllowHtml()) {
|
if($this->AllowHtml) {
|
||||||
$this->Comment = $this->purifyHtml($this->Comment);
|
$this->Comment = $this->purifyHtml($this->Comment);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -161,12 +162,42 @@ class Comment extends DataObject {
|
|||||||
*/
|
*/
|
||||||
public function getParentClassName() {
|
public function getParentClassName() {
|
||||||
$default = 'SiteTree';
|
$default = 'SiteTree';
|
||||||
|
|
||||||
if(!$this->BaseClass) {
|
if(!$this->BaseClass) {
|
||||||
return $default;
|
return $default;
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->BaseClass;
|
return $this->BaseClass;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return the content for this comment escaped depending on the Html state.
|
||||||
|
*
|
||||||
|
* @return HTMLText
|
||||||
|
*/
|
||||||
|
public function getEscapedComment() {
|
||||||
|
$comment = $this->dbObject('Comment');
|
||||||
|
|
||||||
|
if ($comment->exists()) {
|
||||||
|
if ($this->AllowHtml) {
|
||||||
|
return DBField::create_field('HTMLText', nl2br($comment->RAW()));
|
||||||
|
} else {
|
||||||
|
return DBField::create_field('HTMLText', sprintf("<p>%s</p>", nl2br($comment->XML())));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return $comment;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return whether this comment is a preview (has not been written to the db)
|
||||||
|
*
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function isPreview() {
|
||||||
|
return ($this->ID < 1);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @todo needs to compare to the new {@link Commenting} configuration API
|
* @todo needs to compare to the new {@link Commenting} configuration API
|
||||||
*
|
*
|
||||||
@ -331,20 +362,14 @@ class Comment extends DataObject {
|
|||||||
public function getCMSFields() {
|
public function getCMSFields() {
|
||||||
$fields = parent::getCMSFields();
|
$fields = parent::getCMSFields();
|
||||||
$parent = $this->getParent()->ID;
|
$parent = $this->getParent()->ID;
|
||||||
$parentIDField = new HiddenField('ParentID', 'Parent', $parent);
|
|
||||||
$authorIDField = new HiddenField('AuthorID');
|
$hidden = array('ParentID', 'AuthorID', 'BaseClass', 'AllowHtml');
|
||||||
$baseClassField = new HiddenField('BaseClass');
|
|
||||||
$fields->replaceField('ParentID', $parentIDField);
|
foreach($hidden as $private) {
|
||||||
$fields->replaceField('AuthorID', $authorIDField);
|
$fields->removeByName($private);
|
||||||
$fields->replaceField('BaseClass', $baseClassField);
|
|
||||||
return $fields;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getAllowHtml() {
|
return $fields;
|
||||||
return (
|
|
||||||
Commenting::has_commenting($this->BaseClass)
|
|
||||||
&& Commenting::get_config_value($this->BaseClass, 'html_allowed')
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -27,7 +27,6 @@
|
|||||||
scrollTop: $(validator.errorList[0].element).offset().top - 30
|
scrollTop: $(validator.errorList[0].element).offset().top - 30
|
||||||
}, 200);
|
}, 200);
|
||||||
},
|
},
|
||||||
|
|
||||||
showErrors: function(errorMap, errorList) {
|
showErrors: function(errorMap, errorList) {
|
||||||
this.defaultShowErrors();
|
this.defaultShowErrors();
|
||||||
// hack to add the extra classes we need to the validation message elements
|
// hack to add the extra classes we need to the validation message elements
|
||||||
@ -37,7 +36,6 @@
|
|||||||
errorElement: "span",
|
errorElement: "span",
|
||||||
errorClass: "error",
|
errorClass: "error",
|
||||||
ignore: '.hidden',
|
ignore: '.hidden',
|
||||||
|
|
||||||
rules: {
|
rules: {
|
||||||
Name : {
|
Name : {
|
||||||
required : true
|
required : true
|
||||||
@ -81,6 +79,8 @@
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
previewEl.removeClass('loading').hide();
|
||||||
|
|
||||||
// submit the form
|
// submit the form
|
||||||
$(this).ajaxSubmit(function(response) {
|
$(this).ajaxSubmit(function(response) {
|
||||||
noCommentsYet.hide();
|
noCommentsYet.hide();
|
||||||
@ -114,15 +114,18 @@
|
|||||||
$(':submit[name=action_doPreviewComment]', form).click(function(e) {
|
$(':submit[name=action_doPreviewComment]', form).click(function(e) {
|
||||||
e.preventDefault();
|
e.preventDefault();
|
||||||
|
|
||||||
if(!form.validate().valid()) return false;
|
if(!form.validate().valid()) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
previewEl.show().addClass('loading').find('.middleColumn').html(' ');
|
previewEl.show().addClass('loading').find('.middleColumn').html(' ');
|
||||||
|
|
||||||
form.ajaxSubmit({
|
form.ajaxSubmit({
|
||||||
success: function(response) {
|
success: function(response) {
|
||||||
var responseEl = $(response);
|
var responseEl = $(response);
|
||||||
if(responseEl.is('form')) {
|
if(responseEl.is('form')) {
|
||||||
// Validation failed, renders form instead of single comment
|
// Validation failed, renders form instead of single comment
|
||||||
form.replaceWith(responseEl);
|
form.find(".data-fields").replaceWith(responseEl.find(".data-fields"));
|
||||||
} else {
|
} else {
|
||||||
// Default behaviour
|
// Default behaviour
|
||||||
previewEl.removeClass('loading').find('.middleColumn').html(responseEl);
|
previewEl.removeClass('loading').find('.middleColumn').html(responseEl);
|
||||||
@ -136,7 +139,7 @@
|
|||||||
* Hide outdated preview on form changes
|
* Hide outdated preview on form changes
|
||||||
*/
|
*/
|
||||||
$(':input', form).on('change keydown', function() {
|
$(':input', form).on('change keydown', function() {
|
||||||
previewEl.hide();
|
previewEl.removeClass('loading').hide();
|
||||||
});
|
});
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1,11 +1,8 @@
|
|||||||
<div class="comment" id="$Permalink">
|
<div class="comment" id="<% if isPreview %>comment-preview<% else %>$Permalink<% end_if %>">
|
||||||
<% if AllowHtml %>
|
$EscapedComment
|
||||||
$Comment.RAW
|
|
||||||
<% else %>
|
|
||||||
<p>$Comment.XML</p>
|
|
||||||
<% end_if %>
|
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
<% if not isPreview %>
|
||||||
<p class="info">
|
<p class="info">
|
||||||
<% if $URL %>
|
<% if $URL %>
|
||||||
<% _t('PBY','Posted by') %> <a href="$URL.URL" rel="nofollow">$AuthorName.XML</a>, $Created.Nice ($Created.Ago)
|
<% _t('PBY','Posted by') %> <a href="$URL.URL" rel="nofollow">$AuthorName.XML</a>, $Created.Nice ($Created.Ago)
|
||||||
@ -30,3 +27,4 @@
|
|||||||
<% end_if %>
|
<% end_if %>
|
||||||
</ul>
|
</ul>
|
||||||
<% end_if %>
|
<% end_if %>
|
||||||
|
<% end_if %>
|
||||||
|
Loading…
Reference in New Issue
Block a user