mirror of
https://github.com/silverstripe/silverstripe-comments
synced 2024-10-22 11:05:49 +02:00
FIX Ensure comments are escaped in RSS feeds.
FIX Also fix up preview to only output the comment content rather than the whole template. FIX Hide preview after posting comment. API Move AllowHtml to field to prevent issues with altering Html configuration after comments have been posted. FIX If moderation is turned on for commenting, still render comments in preview mode.
This commit is contained in:
parent
f38b9daebd
commit
3a4a1dd4b4
@ -117,7 +117,13 @@ class CommentingController extends Controller {
|
||||
$comments = new PaginatedList($comments, $request);
|
||||
$comments->setPageLength(Commenting::get_config_value(null, 'comments_per_page'));
|
||||
|
||||
return new RSSFeed($comments, $link, $title, $link, 'Title', 'Comment', 'AuthorName');
|
||||
return new RSSFeed(
|
||||
$comments,
|
||||
$link,
|
||||
$title,
|
||||
$link,
|
||||
'Title', 'EscapedComment', 'AuthorName'
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -242,7 +248,9 @@ class CommentingController extends Controller {
|
||||
public function CommentsForm() {
|
||||
$usePreview = Commenting::get_config_value($this->getBaseClass(), 'use_preview');
|
||||
$member = Member::currentUser();
|
||||
|
||||
$fields = new FieldList(
|
||||
$dataFields = new CompositeField(
|
||||
TextField::create("Name", _t('CommentInterface.YOURNAME', 'Your name'))
|
||||
->setCustomValidationMessage(_t('CommentInterface.YOURNAME_MESSAGE_REQUIRED', 'Please enter your name'))
|
||||
->setAttribute('data-message-required', _t('CommentInterface.YOURNAME_MESSAGE_REQUIRED', 'Please enter your name')),
|
||||
@ -257,8 +265,8 @@ class CommentingController extends Controller {
|
||||
|
||||
TextareaField::create("Comment", _t('CommentingController.COMMENTS', "Comments"))
|
||||
->setCustomValidationMessage(_t('CommentInterface.COMMENT_MESSAGE_REQUIRED', 'Please enter your comment'))
|
||||
->setAttribute('data-message-required', _t('CommentInterface.COMMENT_MESSAGE_REQUIRED', 'Please enter your comment')),
|
||||
|
||||
->setAttribute('data-message-required', _t('CommentInterface.COMMENT_MESSAGE_REQUIRED', 'Please enter your comment'))
|
||||
),
|
||||
HiddenField::create("ParentID"),
|
||||
HiddenField::create("ReturnURL"),
|
||||
HiddenField::create("BaseClass")
|
||||
@ -274,6 +282,7 @@ class CommentingController extends Controller {
|
||||
);
|
||||
}
|
||||
|
||||
$dataFields->addExtraClass('data-fields');
|
||||
|
||||
// save actions
|
||||
$actions = new FieldList(
|
||||
@ -360,7 +369,7 @@ class CommentingController extends Controller {
|
||||
public function doPostComment($data, $form) {
|
||||
$class = (isset($data['BaseClass'])) ? $data['BaseClass'] : $this->getBaseClass();
|
||||
$usePreview = Commenting::get_config_value($class, 'use_preview');
|
||||
$isPreview = ($usePreview && isset($data['preview']) && $data['preview']);
|
||||
$isPreview = ($usePreview && isset($data['IsPreview']) && $data['IsPreview']);
|
||||
|
||||
// if no class then we cannot work out what controller or model they
|
||||
// are on so throw an error
|
||||
@ -398,23 +407,24 @@ class CommentingController extends Controller {
|
||||
$comment = new Comment();
|
||||
$form->saveInto($comment);
|
||||
|
||||
$comment->AllowHtml = Commenting::get_config_value($class, 'html_allowed');
|
||||
$comment->Moderated = ($moderated) ? false : true;
|
||||
|
||||
// Save into DB, or call pre-save hooks to give accurate preview
|
||||
if($isPreview) {
|
||||
$comment->onBeforeWrite();
|
||||
$comment->extend('onBeforeWrite', $dummy);
|
||||
} else {
|
||||
$comment->write();
|
||||
}
|
||||
|
||||
// extend hook to allow extensions. Also see onBeforePostComment
|
||||
$this->extend('onAfterPostComment', $comment);
|
||||
}
|
||||
|
||||
// clear the users comment since it passed validation
|
||||
Cookie::set('CommentsForm_Comment', false);
|
||||
|
||||
if(Director::is_ajax()) {
|
||||
if(!$comment->Moderated) {
|
||||
if(!$comment->Moderated && !$isPreview) {
|
||||
return $comment->renderWith('CommentsInterface_pendingcomment');
|
||||
} else {
|
||||
return $comment->renderWith('CommentsInterface_singlecomment');
|
||||
@ -431,6 +441,7 @@ class CommentingController extends Controller {
|
||||
|
||||
public function doPreviewComment($data, $form) {
|
||||
$data['IsPreview'] = 1;
|
||||
|
||||
return $this->doPostComment($data, $form);
|
||||
}
|
||||
}
|
||||
|
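Review bot: In the `@ -398` hunk, `$comment->AllowHtml = Commenting::get_config_value($class, 'html_allowed');` derives the per-comment HTML mode from `$class`, which `doPostComment` takes from the submitted `$data['BaseClass']` (a hidden form field, see `HiddenField::create("BaseClass")`) when present, whereas the `getAllowHtml()` accessor this commit removes from `Comment` also required `Commenting::has_commenting($this->BaseClass)`. Any validation of `$class` against enabled classes would follow the `// if no class then we cannot work out ...` comment, outside what the hunk shows, so if it is not there, restoring that gate keeps a tampered BaseClass from switching a comment into HTML mode: `$comment->AllowHtml = Commenting::has_commenting($class) && Commenting::get_config_value($class, 'html_allowed');`. The content is still run through `purifyHtml()` in `Comment::onBeforeWrite()` either way, so the exposure is purified markup rather than raw HTML. Separately, in the preview branch `$this->extend('onAfterPostComment', $comment)` still fires although nothing was written; whether that line is new cannot be told from the rendered hunk, but extensions that treat the hook as "comment persisted" (notifications, counters) should either be guarded with `if(!$isPreview)` or warned in a comment. `doPostComment` starts and ends outside the hunk.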
@ -9,13 +9,14 @@ class Comment extends DataObject {
|
||||
|
||||
public static $db = array(
|
||||
"Name" => "Varchar(200)",
|
||||
"Comment" => "Text", // can contain sanitized HTML with 'html_allowed=true' config
|
||||
"Comment" => "Text",
|
||||
"Email" => "Varchar(200)",
|
||||
"URL" => "Varchar(255)",
|
||||
"BaseClass" => "Varchar(200)",
|
||||
"Moderated" => "Boolean",
|
||||
"IsSpam" => "Boolean",
|
||||
"ParentID" => "Int"
|
||||
"ParentID" => "Int",
|
||||
'AllowHtml' => "Boolean"
|
||||
);
|
||||
|
||||
public static $has_one = array(
|
||||
@ -59,7 +60,7 @@ class Comment extends DataObject {
|
||||
parent::onBeforeWrite();
|
||||
|
||||
// Sanitize HTML, because its expected to be passed to the template unescaped later
|
||||
if($this->getAllowHtml()) {
|
||||
if($this->AllowHtml) {
|
||||
$this->Comment = $this->purifyHtml($this->Comment);
|
||||
}
|
||||
}
|
||||
@ -161,12 +162,42 @@ class Comment extends DataObject {
|
||||
*/
|
||||
public function getParentClassName() {
|
||||
$default = 'SiteTree';
|
||||
|
||||
if(!$this->BaseClass) {
|
||||
return $default;
|
||||
}
|
||||
|
||||
return $this->BaseClass;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the content for this comment escaped depending on the Html state.
|
||||
*
|
||||
* @return HTMLText
|
||||
*/
|
||||
public function getEscapedComment() {
|
||||
$comment = $this->dbObject('Comment');
|
||||
|
||||
if ($comment->exists()) {
|
||||
if ($this->AllowHtml) {
|
||||
return DBField::create_field('HTMLText', nl2br($comment->RAW()));
|
||||
} else {
|
||||
return DBField::create_field('HTMLText', sprintf("<p>%s</p>", nl2br($comment->XML())));
|
||||
}
|
||||
}
|
||||
|
||||
return $comment;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return whether this comment is a preview (has not been written to the db)
|
||||
*
|
||||
* @return boolean
|
||||
*/
|
||||
public function isPreview() {
|
||||
return ($this->ID < 1);
|
||||
}
|
||||
|
||||
/**
|
||||
* @todo needs to compare to the new {@link Commenting} configuration API
|
||||
*
|
||||
@ -331,20 +362,14 @@ class Comment extends DataObject {
|
||||
public function getCMSFields() {
|
||||
$fields = parent::getCMSFields();
|
||||
$parent = $this->getParent()->ID;
|
||||
$parentIDField = new HiddenField('ParentID', 'Parent', $parent);
|
||||
$authorIDField = new HiddenField('AuthorID');
|
||||
$baseClassField = new HiddenField('BaseClass');
|
||||
$fields->replaceField('ParentID', $parentIDField);
|
||||
$fields->replaceField('AuthorID', $authorIDField);
|
||||
$fields->replaceField('BaseClass', $baseClassField);
|
||||
return $fields;
|
||||
|
||||
$hidden = array('ParentID', 'AuthorID', 'BaseClass', 'AllowHtml');
|
||||
|
||||
foreach($hidden as $private) {
|
||||
$fields->removeByName($private);
|
||||
}
|
||||
|
||||
public function getAllowHtml() {
|
||||
return (
|
||||
Commenting::has_commenting($this->BaseClass)
|
||||
&& Commenting::get_config_value($this->BaseClass, 'html_allowed')
|
||||
);
|
||||
return $fields;
|
||||
}
|
||||
|
||||
/**
|
||||
|
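Review bot: `getEscapedComment()` (hunk `@ -161`) returns `nl2br($comment->RAW())` as `HTMLText` when `AllowHtml` is set, so its safety rests entirely on the invariant that every stored comment with `AllowHtml = true` passed through `purifyHtml()` in `onBeforeWrite()`; now that `AllowHtml` is a persisted `Boolean` field rather than a config lookup, that invariant should be written into the docblock, e.g. `* Assumes the stored Comment was purified by onBeforeWrite() when AllowHtml is set; do not flip AllowHtml on an existing record without re-writing it.` Dropping `AllowHtml` from the CMS form in `getCMSFields()` is consistent with that invariant. A smaller inconsistency: the `@return HTMLText` annotation is not met when `$comment->exists()` is false, because the method falls through to `return $comment;` and hands back the `Text` DBField from `dbObject('Comment')`; `return DBField::create_field('HTMLText', '');` would keep the return type stable for `RSSFeed` and the template.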
@ -27,7 +27,6 @@
|
||||
scrollTop: $(validator.errorList[0].element).offset().top - 30
|
||||
}, 200);
|
||||
},
|
||||
|
||||
showErrors: function(errorMap, errorList) {
|
||||
this.defaultShowErrors();
|
||||
// hack to add the extra classes we need to the validation message elements
|
||||
@ -37,7 +36,6 @@
|
||||
errorElement: "span",
|
||||
errorClass: "error",
|
||||
ignore: '.hidden',
|
||||
|
||||
rules: {
|
||||
Name : {
|
||||
required : true
|
||||
@ -81,6 +79,8 @@
|
||||
return false;
|
||||
}
|
||||
|
||||
previewEl.removeClass('loading').hide();
|
||||
|
||||
// submit the form
|
||||
$(this).ajaxSubmit(function(response) {
|
||||
noCommentsYet.hide();
|
||||
@ -114,15 +114,18 @@
|
||||
$(':submit[name=action_doPreviewComment]', form).click(function(e) {
|
||||
e.preventDefault();
|
||||
|
||||
if(!form.validate().valid()) return false;
|
||||
if(!form.validate().valid()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
previewEl.show().addClass('loading').find('.middleColumn').html(' ');
|
||||
|
||||
form.ajaxSubmit({
|
||||
success: function(response) {
|
||||
var responseEl = $(response);
|
||||
if(responseEl.is('form')) {
|
||||
// Validation failed, renders form instead of single comment
|
||||
form.replaceWith(responseEl);
|
||||
form.find(".data-fields").replaceWith(responseEl.find(".data-fields"));
|
||||
} else {
|
||||
// Default behaviour
|
||||
previewEl.removeClass('loading').find('.middleColumn').html(responseEl);
|
||||
@ -136,7 +139,7 @@
|
||||
* Hide outdated preview on form changes
|
||||
*/
|
||||
$(':input', form).on('change keydown', function() {
|
||||
previewEl.hide();
|
||||
previewEl.removeClass('loading').hide();
|
||||
});
|
||||
|
||||
/**
|
||||
|
@ -1,11 +1,8 @@
|
||||
<div class="comment" id="$Permalink">
|
||||
<% if AllowHtml %>
|
||||
$Comment.RAW
|
||||
<% else %>
|
||||
<p>$Comment.XML</p>
|
||||
<% end_if %>
|
||||
<div class="comment" id="<% if isPreview %>comment-preview<% else %>$Permalink<% end_if %>">
|
||||
$EscapedComment
|
||||
</div>
|
||||
|
||||
<% if not isPreview %>
|
||||
<p class="info">
|
||||
<% if $URL %>
|
||||
<% _t('PBY','Posted by') %> <a href="$URL.URL" rel="nofollow">$AuthorName.XML</a>, $Created.Nice ($Created.Ago)
|
||||
@ -30,3 +27,4 @@
|
||||
<% end_if %>
|
||||
</ul>
|
||||
<% end_if %>
|
||||
<% end_if %>
|
||||
|
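Review bot: The template no longer escapes comment content itself: the `<% if AllowHtml %> ... <p>$Comment.XML</p>` branch is replaced by `$EscapedComment`, and since that returns `HTMLText` the value is emitted as-is, so escaping and purification now live entirely in `Comment::getEscapedComment()`. A one-line template comment would make that dependency visible to the next editor, e.g. `<%-- $EscapedComment is HTMLText: escaping/purification happens in Comment::getEscapedComment(); do not add .RAW/.XML here --%>`. The rewritten `id` attribute still interpolates `$Permalink` without escaping, as the previous line did; not introduced here, but worth a look while the line is being touched.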