diff --git a/wp-admin/admin.php b/wp-admin/admin.php
index 34f217c23e..003de1b654 100644
--- a/wp-admin/admin.php
+++ b/wp-admin/admin.php
@@ -17,23 +17,6 @@ $what_to_show = get_settings('what_to_show'); $date_format = get_settings('date_format'); $time_format = get_settings('time_format'); -function add_magic_quotes($array) { - foreach ($array as $k => $v) { - if (is_array($v)) { - $array[$k] = add_magic_quotes($v); - } else { - $array[$k] = addslashes($v); - } - } - return $array; -} - -if (!get_magic_quotes_gpc()) { - $_GET = add_magic_quotes($_GET); - $_POST = add_magic_quotes($_POST); - $_COOKIE = add_magic_quotes($_COOKIE); -} - $wpvarstoreset = array('profile','redirect','redirect_url','a','popuptitle','popupurl','text', 'trackback', 'pingback'); for ($i=0; $i $v) { - if (is_array($v)) { - $array[$k] = add_magic_quotes($v); - } else { - $array[$k] = addslashes($v); - } - } - return $array; -} - -if (!get_magic_quotes_gpc()) { - $_POST = add_magic_quotes($_POST); - $_COOKIE = add_magic_quotes($_COOKIE); - $_SERVER = add_magic_quotes($_SERVER); -} - -$author = trim(strip_tags($_POST['author'])); - -$email = trim(strip_tags($_POST['email'])); -if (strlen($email) < 6) - $email = ''; - -$url = trim(strip_tags($_POST['url'])); -$url = ((!stristr($url, '://')) && ($url != '')) ? 'http://'.$url : $url; -if (strlen($url) < 7) - $url = ''; - -$user_agent = $_SERVER['HTTP_USER_AGENT']; - -$comment = trim($_POST['comment']); -$comment_post_ID = intval($_POST['comment_post_ID']); -$user_ip = $_SERVER['REMOTE_ADDR']; +$comment_post_ID = (int) $_POST['comment_post_ID']; $post_status = $wpdb->get_var("SELECT comment_status FROM $wpdb->posts WHERE ID = '$comment_post_ID'"); if ( empty($post_status) ) { - // Post does not exist. Someone is trolling. Die silently. - // (Perhaps offer pluggable rebukes? Long delays, etc.) 
- die(); -} else if ( 'closed' == $post_status ) { + do_action('comment_id_not_found', $comment_post_ID); + exit; +} elseif ( 'closed' == $post_status ) { + do_action('comment_closed', $comment_post_ID); die( __('Sorry, comments are closed for this item.') ); } +$comment_author = $_POST['author']; +$comment_author_email = $_POST['email']; +$comment_author_url = $_POST['url']; +$comment_content = $_POST['comment']; + +$comment_type = ''; + +$user_ip = apply_filters('pre_comment_user_ip', $_SERVER['REMOTE_ADDR']); + if ( get_settings('require_name_email') && ('' == $email || '' == $author) ) die( __('Error: please fill the required fields (name, email).') ); if ( '' == $comment ) die( __('Error: please type a comment.') ); +$commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type'); -$now = current_time('mysql'); -$now_gmt = current_time('mysql', 1); - -$comment = format_to_post($comment); -$comment = apply_filters('post_comment_text', $comment); - -// Simple flood-protection -$lasttime = $wpdb->get_var("SELECT comment_date FROM $wpdb->comments WHERE comment_author_IP = '$user_ip' ORDER BY comment_date DESC LIMIT 1"); -if (!empty($lasttime)) { - $time_lastcomment= mysql2date('U', $lasttime); - $time_newcomment= mysql2date('U', $now); - if (($time_newcomment - $time_lastcomment) < 10) - die( __('Sorry, you can only post a new comment once every 10 seconds. Slow down cowboy.') ); -} - - -// If we've made it this far, let's post. 
- -if( check_comment($author, $email, $url, $comment, $user_ip, $user_agent) ) { - $approved = 1; -} else { - $approved = 0; -} - -$wpdb->query("INSERT INTO $wpdb->comments -(comment_post_ID, comment_author, comment_author_email, comment_author_url, comment_author_IP, comment_date, comment_date_gmt, comment_content, comment_approved, comment_agent) -VALUES -('$comment_post_ID', '$author', '$email', '$url', '$user_ip', '$now', '$now_gmt', '$comment', '$approved', '$user_agent') -"); - -$comment_ID = $wpdb->insert_id; - -do_action('comment_post', $comment_ID); - -if (!$approved) { - wp_notify_moderator($comment_ID); -} - -if ((get_settings('comments_notify')) && ($approved)) { - wp_notify_postauthor($comment_ID, 'comment'); -} +wp_new_comment($commentdata); setcookie('comment_author_' . COOKIEHASH, stripslashes($author), time() + 30000000, COOKIEPATH); setcookie('comment_author_email_' . COOKIEHASH, stripslashes($email), time() + 30000000, COOKIEPATH); setcookie('comment_author_url_' . COOKIEHASH, stripslashes($url), time() + 30000000, COOKIEPATH); -header('Expires: Mon, 26 Jul 1997 05:00:00 GMT'); +header('Expires: Mon, 11 Jan 1984 05:00:00 GMT'); header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT'); header('Cache-Control: no-cache, must-revalidate'); header('Pragma: no-cache'); @@ -111,4 +49,4 @@ if ($is_IIS) { header("Location: $location"); } -?> +?> \ No newline at end of file diff --git a/wp-includes/comment-functions.php b/wp-includes/comment-functions.php new file mode 100644 index 0000000000..29f262d5e5 --- /dev/null +++ b/wp-includes/comment-functions.php 
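Review bot: In this hunk (apparently wp-comments-post.php; its file header is lost in the rendering) the `require_name_email` check, the `'' == $comment` check and the three `setcookie` calls still read `$author`, `$email`, `$url` and `$comment`, but every assignment to those names is removed and the new code assigns `$comment_author`, `$comment_author_email`, `$comment_author_url` and `$comment_content` instead, so unless register_globals is being relied on the required-fields test always fails and the empty-comment test always dies. They should be switched to the new names, as shown below. Separately, the hunk drops both the `strip_tags`/`trim` pre-processing and the magic-quotes emulation, so the raw `$_POST` values now reach `wp_new_comment()` unslashed; whether that function escapes them before its INSERT is outside this hunk and should be confirmed before this lands.
```php
// … unchanged: post-status lookup, comment_id_not_found / comment_closed handling …
if ( get_settings('require_name_email') && ('' == $comment_author_email || '' == $comment_author) )
	die( __('Error: please fill the required fields (name, email).') );
if ( '' == $comment_content )
	die( __('Error: please type a comment.') );
// … unchanged: compact() and wp_new_comment() call …
setcookie('comment_author_' . COOKIEHASH, stripslashes($comment_author), time() + 30000000, COOKIEPATH);
setcookie('comment_author_email_' . COOKIEHASH, stripslashes($comment_author_email), time() + 30000000, COOKIEPATH);
setcookie('comment_author_url_' . COOKIEHASH, stripslashes($comment_author_url), time() + 30000000, COOKIEPATH);
```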
@@ -0,0 +1,831 @@ +get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date"); + + $template = get_template_directory(); + $template .= "/comments.php"; + + if (file_exists($template)) { + include($template); + } else { + include(ABSPATH . 'wp-comments.php'); + } + + endif; +} + +function clean_url( $url ) { + if ('' == $url) return $url; + $url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $url); + $url = str_replace(';//', '://', $url); + $url = (!strstr($url, '://')) ? 'http://'.$url : $url; + $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url); + return $url; +} + +function get_comments_number( $comment_id ) { + global $wpdb, $comment_count_cache; + $comment_id = (int) $comment_id; + if ('' == $comment_count_cache["$id"]) + $number = $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = '$comment_id' AND comment_approved = '1'"); + else + $number = $comment_count_cache["$id"]; + return apply_filters('get_comments_number', $number); +} + +function comments_number( $zero = 'No Comments', $one = '1 Comment', $more = '% Comments', $number = '' ) { + global $id, $comment; + $number = get_comments_number( $id ); + if ($number == 0) { + $blah = $zero; + } elseif ($number == 1) { + $blah = $one; + } elseif ($number > 1) { + $blah = str_replace('%', $number, $more); + } + echo apply_filters('comments_number', $blah); +} + +function get_comments_link() { + return get_permalink() . '#comments'; +} + +function comments_link( $file = '', $echo = true ) { + if (!$echo) return get_permalink() . '#comments'; + else echo ; +} + +function comments_popup_script($width=400, $height=400, $file='') { + global $wpcommentspopupfile, $wptrackbackpopupfile, $wppingbackpopupfile, $wpcommentsjavascript; + + if (empty ($file)) { + $template = TEMPLATEPATH . 
'/comments-popup.php'; + if (file_exists($template)) { + $wpcommentspopupfile = str_replace(ABSPATH, '', $template); + } else { + $wpcommentspopupfile = 'wp-comments-popup.php'; + } + } else { + $wpcommentspopupfile = $file; + } + + $wpcommentsjavascript = 1; + $javascript = "\n"; + echo $javascript; +} + +function comments_popup_link($zero='No Comments', $one='1 Comment', $more='% Comments', $CSSclass='', $none='Comments Off') { + global $id, $wpcommentspopupfile, $wpcommentsjavascript, $post, $wpdb; + global $querystring_start, $querystring_equal, $querystring_separator; + global $comment_count_cache; + + if (! is_single() && ! is_page()) { + if ('' == $comment_count_cache["$id"]) { + $number = $wpdb->get_var("SELECT COUNT(comment_ID) FROM $wpdb->comments WHERE comment_post_ID = $id AND comment_approved = '1';"); + } else { + $number = $comment_count_cache["$id"]; + } + if (0 == $number && 'closed' == $post->comment_status && 'closed' == $post->ping_status) { + echo $none; + return; + } else { + if (!empty($post->post_password)) { // if there's a password + if ($_COOKIE['wp-postpass_'.COOKIEHASH] != $post->post_password) { // and it doesn't match the cookie + echo('Enter your password to view comments'); + return; + } + } + echo ''; + comments_number($zero, $one, $more, $number); + echo ''; + } + } +} + +function get_comment_ID() { + global $comment; + return apply_filters('get_comment_ID', $comment->comment_ID); +} + +function comment_ID() { + echo get_comment_ID(); +} + +function get_comment_author() { + global $comment; + + if ( empty($author) ) + $author = 'Anonymous'; + + return apply_filters('get_comment_author', $author); +} + +function comment_author() { + $author = apply_filters('comment_author', get_comment_author() ); + echo $author; +} + +function get_comment_author_email() { + global $comment; + return apply_filters('get_comment_author_email', $comment->comment_author_email); +} + +function comment_author_email() { + echo 
apply_filters('author_email', get_comment_author_email() ); +} + +function get_comment_author_link() { + global $comment; + $url = get_comment_author_url(); + $author = get_comment_author(); + + if ( empty( $url ) ) + $return = $author; + else + $return = "$author"; + return apply_filters('get_comment_author_link', $return); +} + +function comment_author_link() { + echo get_comment_author_link(); +} + +function get_comment_type() { + global $comment; + return apply_filters('get_comment_type', $comment->comment_type); +} + +function comment_type($commenttxt = 'Comment', $trackbacktxt = 'Trackback', $pingbacktxt = 'Pingback') { + $type = get_comment_type(); + switch( $type ) { + case 'trackback' : + echo $trackbacktxt; + break; + case 'pingback' : + echo $pingbacktxt; + break; + default : + echo $commenttxt; + } +} + +function get_comment_author_url() { + global $comment; + return apply_filters('get_comment_author_url', $comment->comment_author_url); +} + +function comment_author_url() { + echo apply_filters('comment_url', get_comment_author_url()); +} + +function comment_author_email_link($linktext='', $before='', $after='') { + global $comment; + $email = apply_filters('comment_email', $comment->comment_author_email); + if ((!empty($email)) && ($email != '@')) { + $display = ($linktext != '') ? $linktext : $email; + echo $before; + echo "$display"; + echo $after; + } +} + +function get_comment_author_url_link( $linktext = '', $before = '', $after = '' ) } + global $comment; + $url = get_comment_author_url(); + $display = ($linktext != '') ? 
$linktext : $url; + $return = "$before$display$after"; + return apply_filters('get_comment_author_url_link', $return); +} + +function comment_author_url_link( $linktext = '', $before = '', $after = '' ) { + echo get_comment_author_url_link( $linktext, $before, $after ); +} + +function get_comment_author_IP() { + global $comment; + return apply_filters('get_comment_author_IP', $comment->comment_author_IP); +} + +function comment_author_IP() { + echo get_comment_author_IP(); +} + +function get_comment_text() { + global $comment; + $comment_text = str_replace('', '', $comment->comment_content); + $comment_text = str_replace('', '', $comment_text); + return apply_filters('get_comment_text', $comment_text); +} + +function comment_text() { + echo apply_filters('comment_text', get_comment_text() ); +} + +function get_comment_excerpt() { + global $comment; + $comment_text = str_replace('', '', $comment->comment_content); + $comment_text = str_replace('', '', $comment_text); + $comment_text = strip_tags($comment_text); + $blah = explode(' ', $comment_text); + if (count($blah) > 20) { + $k = 20; + $use_dotdotdot = 1; + } else { + $k = count($blah); + $use_dotdotdot = 0; + } + $excerpt = ''; + for ($i=0; $i<$k; $i++) { + $excerpt .= $blah[$i] . ' '; + } + $excerpt .= ($use_dotdotdot) ? '...' 
: ''; + return apply_filters('get_comment_excerpt', $excerpt); +} + +function comment_excerpt() { + echo apply_filters('comment_excerpt', get_comment_excerpt() ); +} + +function get_comment_date( $d = '' ) { + global $comment; + if ( '' == $d ) + $date = mysql2date( get_settings('date_format'), $comment->comment_date); + else + $date = mysql2date($d, $comment->comment_date); + return apply_filters('get_comment_date', $date); +} + +function comment_date( $d = '' ) { + echo get_comment_date( $d ); +} + +function get_comment_time( $d = '' ) { + global $comment; + if ( '' == $d ) + $date = mysql2date(get_settings('time_format'), $comment->comment_date); + else + $date = mysql2date($d, $comment->comment_date); + return apply_filters('get_comment_time', $date); +} + +function comment_time( $d = '' ) { + echo get_comment_time(); +} + +function comments_rss_link($link_text = 'Comments RSS', $commentsrssfilename = 'wp-commentsrss2.php') { + $url = comments_rss($commentsrssfilename); + echo "$link_text"; +} + +function comments_rss($commentsrssfilename = 'wp-commentsrss2.php') { + global $id; + global $querystring_start, $querystring_equal, $querystring_separator; + + if ('' != get_settings('permalink_structure')) + $url = trailingslashit( get_permalink() ) . 'feed/'; + else + $url = get_settings('siteurl') . 
"/$commentsrssfilename?p=$id"; + + return $url; +} + +function comment_author_rss() { + global $comment; + if (empty($comment->comment_author)) { + echo 'Anonymous'; + } else { + echo wp_specialchars(apply_filters('comment_author', $comment->comment_author)); + } +} + +function comment_text_rss() { + global $comment; + $comment_text = str_replace('', '', $comment->comment_content); + $comment_text = str_replace('', '', $comment_text); + $comment_text = apply_filters('comment_text', $comment_text); + $comment_text = strip_tags($comment_text); + $comment_text = wp_specialchars($comment_text); + echo $comment_text; +} + +function comment_link_rss() { + global $comment; + echo get_permalink($comment->comment_post_ID).'#comments'; +} + +function permalink_comments_rss() { + global $comment; + echo get_permalink($comment->comment_post_ID); +} + +function trackback_url($display = true) { + global $id; + $tb_url = get_settings('siteurl') . '/wp-trackback.php/' . $id; + + if ('' != get_settings('permalink_structure')) { + $tb_url = trailingslashit(get_permalink()) . 
'trackback/'; + } + + if ($display) { + echo $tb_url; + } else { + return $tb_url; + } +} + + +function trackback_rdf($timezone = 0) { + global $id; + if (!stristr($_SERVER['HTTP_USER_AGENT'], 'W3C_Validator')) { + echo ' + \n"; + echo ''; + } +} + +function comments_open() { + global $post; + if ('open' == $post->comment_status) return true; + else return false; +} + +function pings_open() { + global $post; + if ('open' == $post->ping_status) return true; + else return false; +} + +// Non-template functions + +function get_lastcommentmodified($timezone = 'server') { + global $tablecomments, $cache_lastcommentmodified, $pagenow, $wpdb; + $add_seconds_blog = get_settings('gmt_offset') * 3600; + $add_seconds_server = date('Z'); + $now = current_time('mysql', 1); + if ( !isset($cache_lastcommentmodified[$timezone]) ) { + switch(strtolower($timezone)) { + case 'gmt': + $lastcommentmodified = $wpdb->get_var("SELECT comment_date_gmt FROM $tablecomments WHERE comment_date_gmt <= '$now' ORDER BY comment_date_gmt DESC LIMIT 1"); + break; + case 'blog': + $lastcommentmodified = $wpdb->get_var("SELECT comment_date FROM $tablecomments WHERE comment_date_gmt <= '$now' ORDER BY comment_date_gmt DESC LIMIT 1"); + break; + case 'server': + $lastcommentmodified = $wpdb->get_var("SELECT DATE_ADD(comment_date_gmt, INTERVAL '$add_seconds_server' SECOND) FROM $tablecomments WHERE comment_date_gmt <= '$now' ORDER BY comment_date_gmt DESC LIMIT 1"); + break; + } + $cache_lastcommentmodified[$timezone] = $lastcommentmodified; + } else { + $lastcommentmodified = $cache_lastcommentmodified[$timezone]; + } + return $lastcommentmodified; +} + +function get_commentdata($comment_ID,$no_cache=0,$include_unapproved=false) { // less flexible, but saves DB queries + global $postc,$id,$commentdata, $wpdb; + if ($no_cache) { + $query = "SELECT * FROM $wpdb->comments WHERE comment_ID = '$comment_ID'"; + if (false == $include_unapproved) { + $query .= " AND comment_approved = '1'"; + } + $myrow = 
$wpdb->get_row($query, ARRAY_A); + } else { + $myrow['comment_ID']=$postc->comment_ID; + $myrow['comment_post_ID']=$postc->comment_post_ID; + $myrow['comment_author']=$postc->comment_author; + $myrow['comment_author_email']=$postc->comment_author_email; + $myrow['comment_author_url']=$postc->comment_author_url; + $myrow['comment_author_IP']=$postc->comment_author_IP; + $myrow['comment_date']=$postc->comment_date; + $myrow['comment_content']=$postc->comment_content; + $myrow['comment_karma']=$postc->comment_karma; + $myrow['comment_approved']=$postc->comment_approved; + if (strstr($myrow['comment_content'], '')) { + $myrow['comment_type'] = 'trackback'; + } elseif (strstr($myrow['comment_content'], '')) { + $myrow['comment_type'] = 'pingback'; + } else { + $myrow['comment_type'] = 'comment'; + } + } + return $myrow; +} + +function pingback($content, $post_ID) { + global $wp_version, $wpdb; + include_once (ABSPATH . WPINC . '/class-IXR.php'); + + // original code by Mort (http://mort.mine.nu:8080) + $log = debug_fopen(ABSPATH . '/pingback.log', 'a'); + $post_links = array(); + debug_fwrite($log, 'BEGIN '.date('YmdHis', time())."\n"); + + $pung = get_pung($post_ID); + + // Variables + $ltrs = '\w'; + $gunk = '/#~:.?+=&%@!\-'; + $punc = '.:?\-'; + $any = $ltrs . $gunk . $punc; + + // Step 1 + // Parsing the post, external links (if any) are stored in the $post_links array + // This regexp comes straight from phpfreaks.com + // http://www.phpfreaks.com/quickcode/Extract_All_URLs_on_a_Page/15.php + preg_match_all("{\b http : [$any] +? (?= [$punc] * [^$any] | $)}x", $content, $post_links_temp); + + // Debug + debug_fwrite($log, 'Post contents:'); + debug_fwrite($log, $content."\n"); + + // Step 2. 
+ // Walking thru the links array + // first we get rid of links pointing to sites, not to specific files + // Example: + // http://dummy-weblog.org + // http://dummy-weblog.org/ + // http://dummy-weblog.org/post.php + // We don't wanna ping first and second types, even if they have a valid + + foreach($post_links_temp[0] as $link_test) : + if ( !in_array($link_test, $pung) ) : // If we haven't pung it already + $test = parse_url($link_test); + if (isset($test['query'])) + $post_links[] = $link_test; + elseif(($test['path'] != '/') && ($test['path'] != '')) + $post_links[] = $link_test; + endif; + endforeach; + + foreach ($post_links as $pagelinkedto){ + debug_fwrite($log, "Processing -- $pagelinkedto\n"); + $pingback_server_url = discover_pingback_server_uri($pagelinkedto, 2048); + + if ($pingback_server_url) { + set_time_limit( 60 ); + // Now, the RPC call + debug_fwrite($log, "Page Linked To: $pagelinkedto \n"); + debug_fwrite($log, 'Page Linked 
From: '); + $pagelinkedfrom = get_permalink($post_ID); + debug_fwrite($log, $pagelinkedfrom."\n"); + + // using a timeout of 3 seconds should be enough to cover slow servers + $client = new IXR_Client($pingback_server_url); + $client->timeout = 3; + $client->useragent .= ' -- WordPress/' . $wp_version; + + // when set to true, this outputs debug messages by itself + $client->debug = false; + $client->query('pingback.ping', array($pagelinkedfrom, $pagelinkedto)); + + if ( !$client->query('pingback.ping', array($pagelinkedfrom, $pagelinkedto) ) ) + debug_fwrite($log, "Error.\n Fault code: ".$client->getErrorCode()." : ".$client->getErrorMessage()."\n"); + else + add_ping( $post_ID, $pagelinkedto ); + } + } + + debug_fwrite($log, "\nEND: ".time()."\n****************************\n"); + debug_fclose($log); +} + +function discover_pingback_server_uri($url, $timeout_bytes = 2048) { + + $byte_count = 0; + $contents = ''; + $headers = ''; + $pingback_str_dquote = 'rel="pingback"'; + $pingback_str_squote = 'rel=\'pingback\''; + $x_pingback_str = 'x-pingback: '; + $pingback_href_original_pos = 27; + + extract(parse_url($url)); + + if (!isset($host)) { + // Not an URL. This should never happen. + return false; + } + + $path = (!isset($path)) ? '/' : $path; + $path .= (isset($query)) ? '?'.$query : ''; + $port = (isset($port)) ? $port : 80; + + // Try to connect to the server at $host + $fp = @fsockopen($host, $port, $errno, $errstr, 2); + if (!$fp) { + // Couldn't open a connection to $host; + return false; + } + + // Send the GET request + $request = "GET $path HTTP/1.1\r\nHost: $host\r\nUser-Agent: WordPress/$wp_version PHP/" . phpversion() . 
"\r\n\r\n"; + ob_end_flush(); + fputs($fp, $request); + + // Let's check for an X-Pingback header first + while (!feof($fp)) { + $line = fgets($fp, 512); + if (trim($line) == '') { + break; + } + $headers .= trim($line)."\n"; + $x_pingback_header_offset = strpos(strtolower($headers), $x_pingback_str); + if ($x_pingback_header_offset) { + // We got it! + preg_match('#x-pingback: (.+)#is', $headers, $matches); + $pingback_server_url = trim($matches[1]); + return $pingback_server_url; + } + if(strpos(strtolower($headers), 'content-type: ')) { + preg_match('#content-type: (.+)#is', $headers, $matches); + $content_type = trim($matches[1]); + } + } + + if (preg_match('#(image|audio|video|model)/#is', $content_type)) { + // Not an (x)html, sgml, or xml page, no use going further + return false; + } + + while (!feof($fp)) { + $line = fgets($fp, 1024); + $contents .= trim($line); + $pingback_link_offset_dquote = strpos($contents, $pingback_str_dquote); + $pingback_link_offset_squote = strpos($contents, $pingback_str_squote); + if ($pingback_link_offset_dquote || $pingback_link_offset_squote) { + $quote = ($pingback_link_offset_dquote) ? '"' : '\''; + $pingback_link_offset = ($quote=='"') ? $pingback_link_offset_dquote : $pingback_link_offset_squote; + $pingback_href_pos = @strpos($contents, 'href=', $pingback_link_offset); + $pingback_href_start = $pingback_href_pos+6; + $pingback_href_end = @strpos($contents, $quote, $pingback_href_start); + $pingback_server_url_len = $pingback_href_end - $pingback_href_start; + $pingback_server_url = substr($contents, $pingback_href_start, $pingback_server_url_len); + // We may find rel="pingback" but an incomplete pingback URI + if ($pingback_server_url_len > 0) { + // We got it! + return $pingback_server_url; + } + } + $byte_count += strlen($line); + if ($byte_count > $timeout_bytes) { + // It's no use going further, there probably isn't any pingback + // server to find in this file. (Prevents loading large files.) 
+ return false; + } + } + + // We didn't find anything. + return false; +} + + +/* wp_set_comment_status: + part of otaku42's comment moderation hack + changes the status of a comment according to $comment_status. + allowed values: + hold : set comment_approve field to 0 + approve: set comment_approve field to 1 + delete : remove comment out of database + + returns true if change could be applied + returns false on database error or invalid value for $comment_status + */ +function wp_set_comment_status($comment_id, $comment_status) { + global $wpdb; + + switch($comment_status) { + case 'hold': + $query = "UPDATE $wpdb->comments SET comment_approved='0' WHERE comment_ID='$comment_id' LIMIT 1"; + break; + case 'approve': + $query = "UPDATE $wpdb->comments SET comment_approved='1' WHERE comment_ID='$comment_id' LIMIT 1"; + break; + case 'delete': + $query = "DELETE FROM $wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1"; + break; + default: + return false; + } + + if ($wpdb->query($query)) { + do_action('wp_set_comment_status', $comment_id); + return true; + } else { + return false; + } +} + + +/* wp_get_comment_status + part of otaku42's comment moderation hack + gets the current status of a comment + + returned values: + "approved" : comment has been approved + "unapproved": comment has not been approved + "deleted ": comment not found in database + + a (boolean) false signals an error + */ +function wp_get_comment_status($comment_id) { + global $wpdb; + + $result = $wpdb->get_var("SELECT comment_approved FROM $wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1"); + if ($result == NULL) { + return "deleted"; + } else if ($result == "1") { + return "approved"; + } else if ($result == "0") { + return "unapproved"; + } else { + return false; + } +} + +function wp_notify_postauthor($comment_id, $comment_type='comment') { + global $wpdb; + global $querystring_start, $querystring_equal, $querystring_separator; + + $comment = $wpdb->get_row("SELECT * FROM 
$wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1"); + $post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID='$comment->comment_post_ID' LIMIT 1"); + $user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE ID='$post->post_author' LIMIT 1"); + + if ('' == $user->user_email) return false; // If there's no email to send the comment to + + $comment_author_domain = gethostbyaddr($comment->comment_author_IP); + + $blogname = get_settings('blogname'); + + if ('comment' == $comment_type) { + $notify_message = "New comment on your post #$comment->comment_post_ID \"".$post->post_title."\"\r\n\r\n"; + $notify_message .= "Author : $comment->comment_author (IP: $comment->comment_author_IP , $comment_author_domain)\r\n"; + $notify_message .= "E-mail : $comment->comment_author_email\r\n"; + $notify_message .= "URI : $comment->comment_author_url\r\n"; + $notify_message .= "Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=$comment->comment_author_IP\r\n"; + $notify_message .= "Comment:\r\n".$comment->comment_content."\r\n\r\n"; + $notify_message .= "You can see all comments on this post here: \r\n"; + $subject = '[' . $blogname . '] Comment: "' .$post->post_title.'"'; + } elseif ('trackback' == $comment_type) { + $notify_message = "New trackback on your post #$comment_post_ID \"".$post->post_title."\"\r\n\r\n"; + $notify_message .= "Website: $comment->comment_author (IP: $comment->comment_author_IP , $comment_author_domain)\r\n"; + $notify_message .= "URI : $comment->comment_author_url\r\n"; + $notify_message .= "Excerpt: \n".$comment->comment_content."\r\n\r\n"; + $notify_message .= "You can see all trackbacks on this post here: \r\n"; + $subject = '[' . $blogname . 
'] Trackback: "' .$post->post_title.'"'; + } elseif ('pingback' == $comment_type) { + $notify_message = "New pingback on your post #$comment_post_ID \"".$post->post_title."\"\r\n\r\n"; + $notify_message .= "Website: $comment->comment_author\r\n"; + $notify_message .= "URI : $comment->comment_author_url\r\n"; + $notify_message .= "Excerpt: \n[...] $original_context [...]\r\n\r\n"; + $notify_message .= "You can see all pingbacks on this post here: \r\n"; + $subject = '[' . $blogname . '] Pingback: "' .$post->post_title.'"'; + } + $notify_message .= get_permalink($comment->comment_post_ID) . '#comments'; + + if ('' == $comment->comment_author_email || '' == $comment->comment_author) { + $from = "From: \"$blogname\" '; + } else { + $from = 'From: "' . $comment->comment_author . "\" <$comment->comment_author_email>"; + } + + $message_headers = "MIME-Version: 1.0\n" + . "$from\n" + . "Content-Type: text/plain; charset=\"" . get_settings('blog_charset') . "\"\n"; + + @wp_mail($user->user_email, $subject, $notify_message, $message_headers); + + return true; +} + +/* wp_notify_moderator + notifies the moderator of the blog (usually the admin) + about a new comment that waits for approval + always returns true + */ +function wp_notify_moderator($comment_id) { + global $wpdb; + global $querystring_start, $querystring_equal, $querystring_separator; + + if( get_settings( "moderation_notify" ) == 0 ) + return true; + + $comment = $wpdb->get_row("SELECT * FROM $wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1"); + $post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID='$comment->comment_post_ID' LIMIT 1"); + $user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE ID='$post->post_author' LIMIT 1"); + + $comment_author_domain = gethostbyaddr($comment->comment_author_IP); + $comments_waiting = $wpdb->get_var("SELECT count(comment_ID) FROM $wpdb->comments WHERE comment_approved = '0'"); + + $notify_message = "A new comment on the post #$comment->comment_post_ID 
\"".$post->post_title."\" is waiting for your approval\r\n\r\n"; + $notify_message .= "Author : $comment->comment_author (IP: $comment->comment_author_IP , $comment_author_domain)\r\n"; + $notify_message .= "E-mail : $comment->comment_author_email\r\n"; + $notify_message .= "URL : $comment->comment_author_url\r\n"; + $notify_message .= "Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=$comment->comment_author_IP\r\n"; + $notify_message .= "Comment:\r\n".$comment->comment_content."\r\n\r\n"; + $notify_message .= "To approve this comment, visit: " . get_settings('siteurl') . "/wp-admin/post.php?action=mailapprovecomment&p=".$comment->comment_post_ID."&comment=$comment_id\r\n"; + $notify_message .= "To delete this comment, visit: " . get_settings('siteurl') . "/wp-admin/post.php?action=confirmdeletecomment&p=".$comment->comment_post_ID."&comment=$comment_id\r\n"; + $notify_message .= "Currently $comments_waiting comments are waiting for approval. Please visit the moderation panel:\r\n"; + $notify_message .= get_settings('siteurl') . "/wp-admin/moderation.php\r\n"; + + $subject = '[' . get_settings('blogname') . '] Please approve: "' .$post->post_title.'"'; + $admin_email = get_settings("admin_email"); + $from = "From: $admin_email"; + + $message_headers = "MIME-Version: 1.0\n" + . "$from\n" + . "Content-Type: text/plain; charset=\"" . get_settings('blog_charset') . 
"\"\n"; + + @wp_mail($admin_email, $subject, $notify_message, $message_headers); + + return true; +} + +function check_comment($author, $email, $url, $comment, $user_ip, $user_agent) { + global $wpdb; + + if (1 == get_settings('comment_moderation')) return false; // If moderation is set to manual + + if ( (count(explode('http:', $comment)) - 1) >= get_settings('comment_max_links') ) + return false; // Check # of external links + + // Comment whitelisting: + if ( 1 == get_settings('comment_whitelist')) { + if( $author != '' && $email != '' ) { + $ok_to_comment = $wpdb->get_var("SELECT comment_approved FROM $wpdb->comments WHERE comment_author_email = '$email' and comment_approved = '1' "); + if ( 1 == $ok_to_comment && false === strpos( $email, get_settings('moderation_keys')) ) + return true; + } else { + return false; + } + } + + // Useless numeric encoding is a pretty good spam indicator: + // Extract entities: + if (preg_match_all('/&#(\d+);/',$comment,$chars)) { + foreach ($chars[1] as $char) { + // If it's an encoded char in the normal ASCII set, reject + if ($char < 128) + return false; + } + } + + $mod_keys = trim( get_settings('moderation_keys') ); + if ('' == $mod_keys ) + return true; // If moderation keys are empty + $words = explode("\n", $mod_keys ); + + foreach ($words as $word) { + $word = trim($word); + + // Skip empty lines + if (empty($word)) { continue; } + + // Do some escaping magic so that '#' chars in the + // spam words don't break things: + $word = preg_quote($word, '#'); + + $pattern = "#$word#i"; + if ( preg_match($pattern, $author) ) return false; + if ( preg_match($pattern, $email) ) return false; + if ( preg_match($pattern, $url) ) return false; + if ( preg_match($pattern, $comment) ) return false; + if ( preg_match($pattern, $user_ip) ) return false; + if ( preg_match($pattern, $user_agent) ) return false; + } + + return true; +} + +?> \ No newline at end of file 
diff --git a/wp-includes/functions-formatting.php b/wp-includes/functions-formatting.php index f3945d34a5..1c00c8b2b1 100644 --- a/wp-includes/functions-formatting.php +++ b/wp-includes/functions-formatting.php @@ -546,4 +546,8 @@ function popuplinks($text) { return $text; } +function sanitize_email($email) { + return preg_replace('/[^a-z0-9+_.@-]/i', '', $email); +} + ?> \ No newline at end of file diff --git a/wp-includes/functions-post.php b/wp-includes/functions-post.php index 0e20fcb2d7..f3073c8fe5 100644 --- a/wp-includes/functions-post.php +++ b/wp-includes/functions-post.php 
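Review bot: `sanitize_email()` carries no comment stating what it guarantees, and the guarantee is load-bearing: the result is only safe to interpolate into SQL (as `check_comment()` in this commit does with `comment_author_email = '$email'`) because the class `[a-z0-9+_.@-]` admits no quote, backslash or whitespace. Add a docblock such as `/** Strips every character outside [A-Za-z0-9+_.@-]. This is filtering, not validation: '@' or 'a@b' pass through unchanged. The character set is what keeps the result safe to embed in SQL, so do not widen it without adding escaping at the call sites. */`. Callers that need a well-formed address still have to validate after sanitizing; the `strlen($email) < 6` check the comment handler used to apply is removed elsewhere in this commit and, as far as the diff shows, not reinstated here.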
@@ -382,41 +382,36 @@ function user_can_edit_user($user_id, $other_user) { } -function wp_new_comment($commentdata) { +function wp_new_comment( $commentdata ) { global $wpdb; + extract($commentdata); $comment_post_ID = (int) $comment_post_ID; - $comment_author = strip_tags($comment_author); - $comment_author = wp_specialchars($comment_author); + $author = apply_filters('pre_comment_author_name', $comment_author); + $email = apply_filters('pre_comment_author_email', $comment_author_email); + $url = apply_filters('pre_comment_author_url', $comment_author_url); + $comment = apply_filters('pre_comment_content', $comment_content); + $comment = apply_filters('post_comment_text', $comment); // Deprecated + $comment = apply_filters('comment_content_presave', $comment_content); // Deprecated - $comment_author_email = preg_replace('/[^a-z+_.@-]/i', '', $comment_author_email); + $user_ip = apply_filters('pre_comment_user_ip', $_SERVER['REMOTE_ADDR']); + $user_domain = apply_filters('pre_comment_user_domain', gethostbyaddr($user_ip) ); + $user_agent = apply_filters('pre_comment_user_agent', $_SERVER['HTTP_USER_AGENT']); - $comment_author_url = strip_tags($comment_author_url); - $comment_author_url = wp_specialchars($comment_author_url); - - $comment_content = apply_filters('comment_content_presave', $comment_content); - - $user_ip = addslashes($_SERVER['REMOTE_ADDR']); - $user_domain = addslashes( gethostbyaddr($user_ip) ); - $now = current_time('mysql'); + $now = current_time('mysql'); $now_gmt = current_time('mysql', 1); - $user_agent = addslashes($_SERVER['HTTP_USER_AGENT']); - - if ( (!isset($comment_type)) || (($comment_type != 'trackback') && ($comment_type != 'pingback')) ) { - $comment_type = ''; - } // Simple flood-protection - if ( $lasttime = $wpdb->get_var("SELECT comment_date FROM $wpdb->comments WHERE comment_author_IP = '$user_ip' ORDER BY comment_date DESC LIMIT 1") ) { - $time_lastcomment= mysql2date('U', $lasttime); - $time_newcomment= mysql2date('U', $now); 
+ if ( $lasttime = $wpdb->get_var("SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_author_IP = '$user_ip' OR comment_author_email = '$email' ORDER BY comment_date DESC LIMIT 1") ) { + $time_lastcomment = mysql2date('U', $lasttime); + $time_newcomment = mysql2date('U', $now_gmt); if ( ($time_newcomment - $time_lastcomment) < 15 ) die( __('Sorry, you can only post a new comment once every 15 seconds. Slow down cowboy.') ); } - if( check_comment($comment_author, $comment_author_email, $comment_author_url, $comment_content, $user_ip, $user_agent) ) + if( check_comment($author, $email, $url, $comment, $user_ip, $user_agent) ) $approved = 1; else $approved = 0; @@ -427,8 +422,14 @@ function wp_new_comment($commentdata) { ('$comment_post_ID', '$comment_author', '$comment_author_email', '$comment_author_url', '$user_ip', '$now', '$now_gmt', '$comment_content', '$approved', '$user_agent', '$comment_type') "); - if ( get_option('comments_notify') ) - wp_notify_postauthor($wpdb->insert_id, $comment_type); + $comment_id = $wpdb->insert_id; + do_action('comment_post', $comment_id); + + if ( !$approved ) + wp_notify_moderator($comment_ID); + + if ( get_settings('comments_notify') && $approved ) + wp_notify_postauthor($comment_ID, 'comment'); return $result; } diff --git a/wp-includes/functions.php b/wp-includes/functions.php index b1e83b90b2..ed7d20d488 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php 
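Review bot: The sanitized values this hunk computes are never stored: `$author`, `$email`, `$url` and `$comment` are passed only to check_comment(), while the INSERT in the next hunk still writes `$comment_author`, `$comment_author_email`, `$comment_author_url` and `$comment_content` exactly as `extract($commentdata)` produced them, so the strip_tags/wp_specialchars, sanitize_email, clean_url and wp_filter_kses filters this commit registers on the pre_comment_* hooks never reach the database. The last content line also filters `$comment_content` rather than `$comment`, discarding the pre_comment_content and post_comment_text results even for the spam check. Separately, `$user_agent` lost its addslashes() and is interpolated into that same INSERT; unless wp-settings.php (not in this diff) now slashes $_SERVER, the User-Agent header is unescaped SQL input. Assign the filtered results back to the `$comment_*` names and keep escaping the agent string, so the spam check, the flood query and the stored row all see the same sanitized data:
```php
	extract($commentdata);
	$comment_post_ID = (int) $comment_post_ID;
	$comment_author = apply_filters('pre_comment_author_name', $comment_author);
	$comment_author_email = apply_filters('pre_comment_author_email', $comment_author_email);
	$comment_author_url = apply_filters('pre_comment_author_url', $comment_author_url);
	$comment_content = apply_filters('pre_comment_content', $comment_content);
	$comment_content = apply_filters('post_comment_text', $comment_content); // Deprecated
	$comment_content = apply_filters('comment_content_presave', $comment_content); // Deprecated

	// … unchanged: $user_ip, $user_domain …
	// Escaped because it goes straight into the INSERT below as '$user_agent'
	$user_agent = addslashes( apply_filters('pre_comment_user_agent', $_SERVER['HTTP_USER_AGENT']) );

	// … unchanged: $now / $now_gmt …

	// Simple flood-protection (email is the sanitized value now)
	if ( $lasttime = $wpdb->get_var("SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_author_IP = '$user_ip' OR comment_author_email = '$comment_author_email' ORDER BY comment_date DESC LIMIT 1") ) {
		// … unchanged: 15-second comparison …
	}

	if( check_comment($comment_author, $comment_author_email, $comment_author_url, $comment_content, $user_ip, $user_agent) )
```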
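Review bot: `wp_notify_moderator($comment_ID)` and `wp_notify_postauthor($comment_ID, 'comment')` read a variable that is never assigned — the line above stores the new row id in `$comment_id`, and PHP variable names are case-sensitive — so both notifications are built for an empty comment ID, and the moderator mail this commit adds presumably ends up with approve/delete links that point at no comment. Change both calls to `wp_notify_moderator($comment_id);` and `wp_notify_postauthor($comment_id, 'comment');`. Note also that the hard-coded `'comment'` replaces the `$comment_type` the removed call passed, so anything other than a plain comment routed through this function would be announced as a comment; that is harmless while wp-comments-post.php always sends `$comment_type = ''`, but deserves a one-line comment saying so.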
@@ -144,30 +144,6 @@ function get_lastpostmodified($timezone = 'server') { return $lastpostmodified; } -function get_lastcommentmodified($timezone = 'server') { - global $tablecomments, $cache_lastcommentmodified, $pagenow, $wpdb; - $add_seconds_blog = get_settings('gmt_offset') * 3600; - $add_seconds_server = date('Z'); - $now = current_time('mysql', 1); - if ( !isset($cache_lastcommentmodified[$timezone]) ) { - switch(strtolower($timezone)) { - case 'gmt': - $lastcommentmodified = $wpdb->get_var("SELECT comment_date_gmt FROM $tablecomments WHERE comment_date_gmt <= '$now' ORDER BY comment_date_gmt DESC LIMIT 1"); - break; - case 'blog': - $lastcommentmodified = $wpdb->get_var("SELECT comment_date FROM $tablecomments WHERE comment_date_gmt <= '$now' ORDER BY comment_date_gmt DESC LIMIT 1"); - break; - case 'server': - $lastcommentmodified = $wpdb->get_var("SELECT DATE_ADD(comment_date_gmt, INTERVAL '$add_seconds_server' SECOND) FROM $tablecomments WHERE comment_date_gmt <= '$now' ORDER BY comment_date_gmt DESC LIMIT 1"); - break; - } - $cache_lastcommentmodified[$timezone] = $lastcommentmodified; - } else { - $lastcommentmodified = $cache_lastcommentmodified[$timezone]; - } - return $lastcommentmodified; -} - function user_pass_ok($user_login,$user_pass) { global $cache_userdata; if ( empty($cache_userdata[$user_login]) ) { 
@@ -552,36 +528,6 @@ function get_postdata($postid) { return $postdata; } -function get_commentdata($comment_ID,$no_cache=0,$include_unapproved=false) { // less flexible, but saves DB queries - global $postc,$id,$commentdata, $wpdb; - if ($no_cache) { - $query = "SELECT * FROM $wpdb->comments WHERE comment_ID = '$comment_ID'"; - if (false == $include_unapproved) { - $query .= " AND comment_approved = '1'"; - } - $myrow = $wpdb->get_row($query, ARRAY_A); - } else { - $myrow['comment_ID']=$postc->comment_ID; - $myrow['comment_post_ID']=$postc->comment_post_ID; - $myrow['comment_author']=$postc->comment_author; - $myrow['comment_author_email']=$postc->comment_author_email; - $myrow['comment_author_url']=$postc->comment_author_url; - $myrow['comment_author_IP']=$postc->comment_author_IP; - $myrow['comment_date']=$postc->comment_date; - $myrow['comment_content']=$postc->comment_content; - $myrow['comment_karma']=$postc->comment_karma; - $myrow['comment_approved']=$postc->comment_approved; - if (strstr($myrow['comment_content'], '')) { - $myrow['comment_type'] = 'trackback'; - } elseif (strstr($myrow['comment_content'], '')) { - $myrow['comment_type'] = 'pingback'; - } else { - $myrow['comment_type'] = 'comment'; - } - } - return $myrow; -} - function get_catname($cat_ID) { global $cache_catnames, $wpdb; if ( !$cache_catnames ) { 
@@ -845,336 +791,6 @@ function do_enclose( $content, $post_ID ) { } } -function pingback($content, $post_ID) { - global $wp_version, $wpdb; - include_once (ABSPATH . WPINC . '/class-IXR.php'); - - // original code by Mort (http://mort.mine.nu:8080) - $log = debug_fopen(ABSPATH . '/pingback.log', 'a'); - $post_links = array(); - debug_fwrite($log, 'BEGIN '.date('YmdHis', time())."\n"); - - $pung = get_pung($post_ID); - - // Variables - $ltrs = '\w'; - $gunk = '/#~:.?+=&%@!\-'; - $punc = '.:?\-'; - $any = $ltrs . $gunk . $punc; - - // Step 1 - // Parsing the post, external links (if any) are stored in the $post_links array - // This regexp comes straight from phpfreaks.com - // http://www.phpfreaks.com/quickcode/Extract_All_URLs_on_a_Page/15.php - preg_match_all("{\b http : [$any] +? (?= [$punc] * [^$any] | $)}x", $content, $post_links_temp); - - // Debug - debug_fwrite($log, 'Post contents:'); - debug_fwrite($log, $content."\n"); - - // Step 2. - // Walking thru the links array - // first we get rid of links pointing to sites, not to specific files - // Example: - // http://dummy-weblog.org - // http://dummy-weblog.org/ - // http://dummy-weblog.org/post.php - // We don't wanna ping first and second types, even if they have a valid - - foreach($post_links_temp[0] as $link_test) : - if ( !in_array($link_test, $pung) ) : // If we haven't pung it already - $test = parse_url($link_test); - if (isset($test['query'])) - $post_links[] = $link_test; - elseif(($test['path'] != '/') && ($test['path'] != '')) - $post_links[] = $link_test; - endif; - endforeach; - - foreach ($post_links as $pagelinkedto){ - debug_fwrite($log, "Processing -- $pagelinkedto\n"); - $pingback_server_url = discover_pingback_server_uri($pagelinkedto, 2048); - - if ($pingback_server_url) { - set_time_limit( 60 ); - // Now, the RPC call - debug_fwrite($log, "Page Linked To: $pagelinkedto \n"); - debug_fwrite($log, 'Page Linked 
From: '); - $pagelinkedfrom = get_permalink($post_ID); - debug_fwrite($log, $pagelinkedfrom."\n"); - - // using a timeout of 3 seconds should be enough to cover slow servers - $client = new IXR_Client($pingback_server_url); - $client->timeout = 3; - $client->useragent .= ' -- WordPress/' . $wp_version; - - // when set to true, this outputs debug messages by itself - $client->debug = false; - $client->query('pingback.ping', array($pagelinkedfrom, $pagelinkedto)); - - if ( !$client->query('pingback.ping', array($pagelinkedfrom, $pagelinkedto) ) ) - debug_fwrite($log, "Error.\n Fault code: ".$client->getErrorCode()." : ".$client->getErrorMessage()."\n"); - else - add_ping( $post_ID, $pagelinkedto ); - } - } - - debug_fwrite($log, "\nEND: ".time()."\n****************************\n"); - debug_fclose($log); -} - -function discover_pingback_server_uri($url, $timeout_bytes = 2048) { - - $byte_count = 0; - $contents = ''; - $headers = ''; - $pingback_str_dquote = 'rel="pingback"'; - $pingback_str_squote = 'rel=\'pingback\''; - $x_pingback_str = 'x-pingback: '; - $pingback_href_original_pos = 27; - - extract(parse_url($url)); - - if (!isset($host)) { - // Not an URL. This should never happen. - return false; - } - - $path = (!isset($path)) ? '/' : $path; - $path .= (isset($query)) ? '?'.$query : ''; - $port = (isset($port)) ? $port : 80; - - // Try to connect to the server at $host - $fp = @fsockopen($host, $port, $errno, $errstr, 2); - if (!$fp) { - // Couldn't open a connection to $host; - return false; - } - - // Send the GET request - $request = "GET $path HTTP/1.1\r\nHost: $host\r\nUser-Agent: WordPress/$wp_version PHP/" . phpversion() . 
"\r\n\r\n"; - ob_end_flush(); - fputs($fp, $request); - - // Let's check for an X-Pingback header first - while (!feof($fp)) { - $line = fgets($fp, 512); - if (trim($line) == '') { - break; - } - $headers .= trim($line)."\n"; - $x_pingback_header_offset = strpos(strtolower($headers), $x_pingback_str); - if ($x_pingback_header_offset) { - // We got it! - preg_match('#x-pingback: (.+)#is', $headers, $matches); - $pingback_server_url = trim($matches[1]); - return $pingback_server_url; - } - if(strpos(strtolower($headers), 'content-type: ')) { - preg_match('#content-type: (.+)#is', $headers, $matches); - $content_type = trim($matches[1]); - } - } - - if (preg_match('#(image|audio|video|model)/#is', $content_type)) { - // Not an (x)html, sgml, or xml page, no use going further - return false; - } - - while (!feof($fp)) { - $line = fgets($fp, 1024); - $contents .= trim($line); - $pingback_link_offset_dquote = strpos($contents, $pingback_str_dquote); - $pingback_link_offset_squote = strpos($contents, $pingback_str_squote); - if ($pingback_link_offset_dquote || $pingback_link_offset_squote) { - $quote = ($pingback_link_offset_dquote) ? '"' : '\''; - $pingback_link_offset = ($quote=='"') ? $pingback_link_offset_dquote : $pingback_link_offset_squote; - $pingback_href_pos = @strpos($contents, 'href=', $pingback_link_offset); - $pingback_href_start = $pingback_href_pos+6; - $pingback_href_end = @strpos($contents, $quote, $pingback_href_start); - $pingback_server_url_len = $pingback_href_end - $pingback_href_start; - $pingback_server_url = substr($contents, $pingback_href_start, $pingback_server_url_len); - // We may find rel="pingback" but an incomplete pingback URI - if ($pingback_server_url_len > 0) { - // We got it! - return $pingback_server_url; - } - } - $byte_count += strlen($line); - if ($byte_count > $timeout_bytes) { - // It's no use going further, there probably isn't any pingback - // server to find in this file. (Prevents loading large files.) 
- return false; - } - } - - // We didn't find anything. - return false; -} - - -/* wp_set_comment_status: - part of otaku42's comment moderation hack - changes the status of a comment according to $comment_status. - allowed values: - hold : set comment_approve field to 0 - approve: set comment_approve field to 1 - delete : remove comment out of database - - returns true if change could be applied - returns false on database error or invalid value for $comment_status - */ -function wp_set_comment_status($comment_id, $comment_status) { - global $wpdb; - - switch($comment_status) { - case 'hold': - $query = "UPDATE $wpdb->comments SET comment_approved='0' WHERE comment_ID='$comment_id' LIMIT 1"; - break; - case 'approve': - $query = "UPDATE $wpdb->comments SET comment_approved='1' WHERE comment_ID='$comment_id' LIMIT 1"; - break; - case 'delete': - $query = "DELETE FROM $wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1"; - break; - default: - return false; - } - - if ($wpdb->query($query)) { - do_action('wp_set_comment_status', $comment_id); - return true; - } else { - return false; - } -} - - -/* wp_get_comment_status - part of otaku42's comment moderation hack - gets the current status of a comment - - returned values: - "approved" : comment has been approved - "unapproved": comment has not been approved - "deleted ": comment not found in database - - a (boolean) false signals an error - */ -function wp_get_comment_status($comment_id) { - global $wpdb; - - $result = $wpdb->get_var("SELECT comment_approved FROM $wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1"); - if ($result == NULL) { - return "deleted"; - } else if ($result == "1") { - return "approved"; - } else if ($result == "0") { - return "unapproved"; - } else { - return false; - } -} - -function wp_notify_postauthor($comment_id, $comment_type='comment') { - global $wpdb; - global $querystring_start, $querystring_equal, $querystring_separator; - - $comment = $wpdb->get_row("SELECT * FROM 
$wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1"); - $post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID='$comment->comment_post_ID' LIMIT 1"); - $user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE ID='$post->post_author' LIMIT 1"); - - if ('' == $user->user_email) return false; // If there's no email to send the comment to - - $comment_author_domain = gethostbyaddr($comment->comment_author_IP); - - $blogname = get_settings('blogname'); - - if ('comment' == $comment_type) { - $notify_message = "New comment on your post #$comment->comment_post_ID \"".$post->post_title."\"\r\n\r\n"; - $notify_message .= "Author : $comment->comment_author (IP: $comment->comment_author_IP , $comment_author_domain)\r\n"; - $notify_message .= "E-mail : $comment->comment_author_email\r\n"; - $notify_message .= "URI : $comment->comment_author_url\r\n"; - $notify_message .= "Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=$comment->comment_author_IP\r\n"; - $notify_message .= "Comment:\r\n".$comment->comment_content."\r\n\r\n"; - $notify_message .= "You can see all comments on this post here: \r\n"; - $subject = '[' . $blogname . '] Comment: "' .$post->post_title.'"'; - } elseif ('trackback' == $comment_type) { - $notify_message = "New trackback on your post #$comment_post_ID \"".$post->post_title."\"\r\n\r\n"; - $notify_message .= "Website: $comment->comment_author (IP: $comment->comment_author_IP , $comment_author_domain)\r\n"; - $notify_message .= "URI : $comment->comment_author_url\r\n"; - $notify_message .= "Excerpt: \n".$comment->comment_content."\r\n\r\n"; - $notify_message .= "You can see all trackbacks on this post here: \r\n"; - $subject = '[' . $blogname . 
'] Trackback: "' .$post->post_title.'"'; - } elseif ('pingback' == $comment_type) { - $notify_message = "New pingback on your post #$comment_post_ID \"".$post->post_title."\"\r\n\r\n"; - $notify_message .= "Website: $comment->comment_author\r\n"; - $notify_message .= "URI : $comment->comment_author_url\r\n"; - $notify_message .= "Excerpt: \n[...] $original_context [...]\r\n\r\n"; - $notify_message .= "You can see all pingbacks on this post here: \r\n"; - $subject = '[' . $blogname . '] Pingback: "' .$post->post_title.'"'; - } - $notify_message .= get_permalink($comment->comment_post_ID) . '#comments'; - - if ('' == $comment->comment_author_email || '' == $comment->comment_author) { - $from = "From: \"$blogname\" '; - } else { - $from = 'From: "' . $comment->comment_author . "\" <$comment->comment_author_email>"; - } - - $message_headers = "MIME-Version: 1.0\n" - . "$from\n" - . "Content-Type: text/plain; charset=\"" . get_settings('blog_charset') . "\"\n"; - - @wp_mail($user->user_email, $subject, $notify_message, $message_headers); - - return true; -} - -/* wp_notify_moderator - notifies the moderator of the blog (usually the admin) - about a new comment that waits for approval - always returns true - */ -function wp_notify_moderator($comment_id) { - global $wpdb; - global $querystring_start, $querystring_equal, $querystring_separator; - - if( get_settings( "moderation_notify" ) == 0 ) - return true; - - $comment = $wpdb->get_row("SELECT * FROM $wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1"); - $post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID='$comment->comment_post_ID' LIMIT 1"); - $user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE ID='$post->post_author' LIMIT 1"); - - $comment_author_domain = gethostbyaddr($comment->comment_author_IP); - $comments_waiting = $wpdb->get_var("SELECT count(comment_ID) FROM $wpdb->comments WHERE comment_approved = '0'"); - - $notify_message = "A new comment on the post #$comment->comment_post_ID 
\"".$post->post_title."\" is waiting for your approval\r\n\r\n"; - $notify_message .= "Author : $comment->comment_author (IP: $comment->comment_author_IP , $comment_author_domain)\r\n"; - $notify_message .= "E-mail : $comment->comment_author_email\r\n"; - $notify_message .= "URL : $comment->comment_author_url\r\n"; - $notify_message .= "Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=$comment->comment_author_IP\r\n"; - $notify_message .= "Comment:\r\n".$comment->comment_content."\r\n\r\n"; - $notify_message .= "To approve this comment, visit: " . get_settings('siteurl') . "/wp-admin/post.php?action=mailapprovecomment&p=".$comment->comment_post_ID."&comment=$comment_id\r\n"; - $notify_message .= "To delete this comment, visit: " . get_settings('siteurl') . "/wp-admin/post.php?action=confirmdeletecomment&p=".$comment->comment_post_ID."&comment=$comment_id\r\n"; - $notify_message .= "Currently $comments_waiting comments are waiting for approval. Please visit the moderation panel:\r\n"; - $notify_message .= get_settings('siteurl') . "/wp-admin/moderation.php\r\n"; - - $subject = '[' . get_settings('blogname') . '] Please approve: "' .$post->post_title.'"'; - $admin_email = get_settings("admin_email"); - $from = "From: $admin_email"; - - $message_headers = "MIME-Version: 1.0\n" - . "$from\n" - . "Content-Type: text/plain; charset=\"" . get_settings('blog_charset') . "\"\n"; - - @wp_mail($admin_email, $subject, $notify_message, $message_headers); - - return true; -} - - function start_wp($use_wp_query = false) { global $post, $id, $postdata, $authordata, $day, $preview, $page, $pages, $multipage, $more, $numpages, $wp_query; global $pagenow; 
@@ -1343,62 +959,6 @@ function get_posts($args) { return $posts; } -function check_comment($author, $email, $url, $comment, $user_ip, $user_agent) { - global $wpdb; - - if (1 == get_settings('comment_moderation')) return false; // If moderation is set to manual - - if ( (count(explode('http:', $comment)) - 1) >= get_settings('comment_max_links') ) - return false; // Check # of external links - - // Comment whitelisting: - if ( 1 == get_settings('comment_whitelist')) { - if( $author != '' && $email != '' ) { - $ok_to_comment = $wpdb->get_var("SELECT comment_approved FROM $wpdb->comments WHERE comment_author_email = '$email' and comment_approved = '1' "); - if ( 1 == $ok_to_comment && false === strpos( $email, get_settings('moderation_keys')) ) - return true; - } else { - return false; - } - } - - // Useless numeric encoding is a pretty good spam indicator: - // Extract entities: - if (preg_match_all('/&#(\d+);/',$comment,$chars)) { - foreach ($chars[1] as $char) { - // If it's an encoded char in the normal ASCII set, reject - if ($char < 128) - return false; - } - } - - $mod_keys = trim( get_settings('moderation_keys') ); - if ('' == $mod_keys ) - return true; // If moderation keys are empty - $words = explode("\n", $mod_keys ); - - foreach ($words as $word) { - $word = trim($word); - - // Skip empty lines - if (empty($word)) { continue; } - - // Do some escaping magic so that '#' chars in the - // spam words don't break things: - $word = preg_quote($word, '#'); - - $pattern = "#$word#i"; - if ( preg_match($pattern, $author) ) return false; - if ( preg_match($pattern, $email) ) return false; - if ( preg_match($pattern, $url) ) return false; - if ( preg_match($pattern, $comment) ) return false; - if ( preg_match($pattern, $user_ip) ) return false; - if ( preg_match($pattern, $user_agent) ) return false; - } - - return true; -} - function query_posts($query) { global $wp_query; 
@@ -2084,4 +1644,16 @@ function load_template($file) { include($file); } -?> + +function add_magic_quotes($array) { + foreach ($array as $k => $v) { + if (is_array($v)) { + $array[$k] = add_magic_quotes($v); + } else { + $array[$k] = addslashes($v); + } + } + return $array; +} + +?> \ No newline at end of file diff --git a/wp-includes/kses.php b/wp-includes/kses.php index 5f333fb84f..dac655b4b5 100644 --- a/wp-includes/kses.php +++ b/wp-includes/kses.php @@ -561,8 +561,4 @@ function wp_filter_kses($data) { return wp_kses($data, $allowedtags); } -// Filter untrusted content -add_filter('comment_author', 'wp_filter_kses'); -add_filter('comment_text', 'wp_filter_kses'); - ?> \ No newline at end of file diff --git a/wp-includes/template-functions-comment.php b/wp-includes/template-functions-comment.php deleted file mode 100644 index cc61dc3301..0000000000 --- a/wp-includes/template-functions-comment.php +++ /dev/null 
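Review bot: add_magic_quotes() becomes the one place request data is escaped for the `'$var'`-interpolated queries this code base runs, yet it carries no comment, and the per-file copies it replaces in admin.php, wp-login.php, wp-pass.php and wp-trackback.php each came with their own `if (!get_magic_quotes_gpc())` call site; the central call is not part of this diff, so whoever lands it should confirm that wp-settings.php (or wherever it moves) applies it exactly once per request — a second pass double-slashes every field, a missing one leaves every query unescaped. The function also touches only values, never keys, and a non-array argument makes foreach emit a warning and is returned unchanged. A header comment would make that contract explicit: `// Recursively addslashes() every scalar value in $array (keys untouched). Apply once per request, and only when get_magic_quotes_gpc() is off, or values get double-escaped.`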
@@ -1,354 +0,0 @@ -get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date"); - - $template = get_template_directory(); - $template .= "/comments.php"; - - if (file_exists($template)) { - include($template); - } else { - include(ABSPATH . 'wp-comments.php'); - } - - endif; -} - -function clean_url($url) { - if ('' == $url) return $url; - $url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $url); - $url = str_replace(';//', '://', $url); - $url = (!strstr($url, '://')) ? 'http://'.$url : $url; - $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url); - return $url; -} - -function comments_number($zero='No Comments', $one='1 Comment', $more='% Comments', $number='') { - global $id, $comment, $wpdb, $comment_count_cache; - if ('' == $comment_count_cache["$id"]) $number = $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = $id AND comment_approved = '1'"); - else $number = $comment_count_cache["$id"]; - if ($number == 0) { - $blah = $zero; - } elseif ($number == 1) { - $blah = $one; - } elseif ($number > 1) { - $blah = str_replace('%', $number, $more); - } - echo apply_filters('comments_number', $blah); -} - -function comments_link($file='', $echo=true) { - global $id, $pagenow; - if ($file == '') $file = $pagenow; - if ($file == '/') $file = ''; - if (!$echo) return get_permalink() . '#comments'; - else echo get_permalink() . '#comments'; -} - -function comments_popup_script($width=400, $height=400, $file='') { - global $wpcommentspopupfile, $wptrackbackpopupfile, $wppingbackpopupfile, $wpcommentsjavascript; - - if (empty ($file)) { - $template = TEMPLATEPATH . 
'/comments-popup.php'; - if (file_exists($template)) { - $wpcommentspopupfile = str_replace(ABSPATH, '', $template); - } else { - $wpcommentspopupfile = 'wp-comments-popup.php'; - } - } else { - $wpcommentspopupfile = $file; - } - - $wpcommentsjavascript = 1; - $javascript = "\n"; - echo $javascript; -} - -function comments_popup_link($zero='No Comments', $one='1 Comment', $more='% Comments', $CSSclass='', $none='Comments Off') { - global $id, $wpcommentspopupfile, $wpcommentsjavascript, $post, $wpdb; - global $querystring_start, $querystring_equal, $querystring_separator; - global $comment_count_cache; - - if (! is_single() && ! is_page()) { - if ('' == $comment_count_cache["$id"]) { - $number = $wpdb->get_var("SELECT COUNT(comment_ID) FROM $wpdb->comments WHERE comment_post_ID = $id AND comment_approved = '1';"); - } else { - $number = $comment_count_cache["$id"]; - } - if (0 == $number && 'closed' == $post->comment_status && 'closed' == $post->ping_status) { - echo $none; - return; - } else { - if (!empty($post->post_password)) { // if there's a password - if ($_COOKIE['wp-postpass_'.COOKIEHASH] != $post->post_password) { // and it doesn't match the cookie - echo('Enter your password to view comments'); - return; - } - } - echo ''; - comments_number($zero, $one, $more, $number); - echo ''; - } - } -} - -function comment_ID() { - global $comment; - echo $comment->comment_ID; -} - -function comment_author() { - global $comment; - $author = apply_filters('comment_author', $comment->comment_author); - if (empty($author)) { - echo 'Anonymous'; - } else { - echo $author; - } -} - -function comment_author_email() { - global $comment; - echo apply_filters('author_email', $comment->comment_author_email); -} - -function comment_author_link() { - global $comment; - $url = apply_filters('comment_url', $comment->comment_author_url); - $author = apply_filters('comment_author', $comment->comment_author); - if (!$author) $author = 'Anonymous'; - - if (empty($url)) : - echo 
$author; - else: - echo "$author"; - endif; -} - -function comment_type($commenttxt = 'Comment', $trackbacktxt = 'Trackback', $pingbacktxt = 'Pingback') { - global $comment; - switch($comment->comment_type) { - case 'trackback': - echo $trackbacktxt; - break; - case 'pingback': - echo $pingbacktxt; - break; - default: - echo $commenttxt; - } -} - -function comment_author_url() { - global $comment; - echo apply_filters('comment_url', $comment->comment_author_url); -} - -function comment_author_email_link($linktext='', $before='', $after='') { - global $comment; - $email = apply_filters('comment_email', $comment->comment_author_email); - if ((!empty($email)) && ($email != '@')) { - $display = ($linktext != '') ? $linktext : $email; - echo $before; - echo "$display"; - echo $after; - } -} - -function comment_author_url_link($linktext='', $before='', $after='') { - global $comment; - $url = apply_filters('comment_url', $comment->comment_author_url); - - if ((!empty($url)) && ($url != 'http://') && ($url != 'http://url')) { - $display = ($linktext != '') ? $linktext : $url; - echo "$before$display$after"; - } -} - -function comment_author_IP() { - global $comment; - echo $comment->comment_author_IP; -} - -function comment_text() { - global $comment; - $comment_text = str_replace('', '', $comment->comment_content); - $comment_text = str_replace('', '', $comment_text); - echo apply_filters('comment_text', $comment_text); -} - -function comment_excerpt() { - global $comment; - $comment_text = str_replace('', '', $comment->comment_content); - $comment_text = str_replace('', '', $comment_text); - $comment_text = strip_tags($comment_text); - $blah = explode(' ', $comment_text); - if (count($blah) > 20) { - $k = 20; - $use_dotdotdot = 1; - } else { - $k = count($blah); - $use_dotdotdot = 0; - } - $excerpt = ''; - for ($i=0; $i<$k; $i++) { - $excerpt .= $blah[$i] . ' '; - } - $excerpt .= ($use_dotdotdot) ? '...' 
: ''; - echo apply_filters('comment_excerpt', $excerpt); -} - -function comment_date($d='') { - global $comment; - if ('' == $d) { - echo mysql2date(get_settings('date_format'), $comment->comment_date); - } else { - echo mysql2date($d, $comment->comment_date); - } -} - -function comment_time($d='') { - global $comment; - if ($d == '') { - echo mysql2date(get_settings('time_format'), $comment->comment_date); - } else { - echo mysql2date($d, $comment->comment_date); - } -} - -function comments_rss_link($link_text='Comments RSS', $commentsrssfilename = 'wp-commentsrss2.php') { - $url = comments_rss($commentsrssfilename); - echo "$link_text"; -} - -function comments_rss($commentsrssfilename = 'wp-commentsrss2.php') { - global $id; - global $querystring_start, $querystring_equal, $querystring_separator; - - if ('' != get_settings('permalink_structure')) { - $url = trailingslashit(get_permalink()) . 'feed/'; - } else { - $url = get_settings('siteurl') . '/' . $commentsrssfilename.$querystring_start.'p'.$querystring_equal.$id; - } - return $url; -} - -function comment_author_rss() { - global $comment; - if (empty($comment->comment_author)) { - echo 'Anonymous'; - } else { - echo wp_specialchars(apply_filters('comment_author', $comment->comment_author)); - } -} - -function comment_text_rss() { - global $comment; - $comment_text = str_replace('', '', $comment->comment_content); - $comment_text = str_replace('', '', $comment_text); - $comment_text = apply_filters('comment_text', $comment_text); - $comment_text = strip_tags($comment_text); - $comment_text = wp_specialchars($comment_text); - echo $comment_text; -} - -function comment_link_rss() { - global $comment; - echo get_permalink($comment->comment_post_ID).'#comments'; -} - -function permalink_comments_rss() { - global $comment; - echo get_permalink($comment->comment_post_ID); -} - -function trackback_url($display = true) { - global $id; - $tb_url = get_settings('siteurl') . '/wp-trackback.php/' . 
$id; - - if ('' != get_settings('permalink_structure')) { - $tb_url = trailingslashit(get_permalink()) . 'trackback/'; - } - - if ($display) { - echo $tb_url; - } else { - return $tb_url; - } -} - - -function trackback_rdf($timezone = 0) { - global $id; - if (!stristr($_SERVER['HTTP_USER_AGENT'], 'W3C_Validator')) { - echo ' - \n"; - echo ''; - } -} - -function comments_open() { - global $post; - if ('open' == $post->comment_status) return true; - else return false; -} - -function pings_open() { - global $post; - if ('open' == $post->ping_status) return true; - else return false; -} - -?> \ No newline at end of file diff --git a/wp-includes/vars.php b/wp-includes/vars.php index eacbc84935..451ef56a22 100644 --- a/wp-includes/vars.php +++ b/wp-includes/vars.php @@ -94,7 +94,7 @@ $wp_gecko_correction['in'] = array( '/\‘/', '/\’/', '/\“/', '/\”/', '/\•/', '/\–/', '/\—/', '/\Ω/', '/\β/', '/\γ/', '/\θ/', '/\λ/', - '/\π/', '/\′/', '/\″/', '/\/', + '/\π/', '/\′/', '/\″/', '/\/', '/\€/', '/\ /' ); $wp_gecko_correction['out'] = array( 
@@ -193,4 +193,40 @@ add_filter('the_content', 'wptexturize'); add_filter('the_excerpt', 'wptexturize'); add_filter('bloginfo', 'wptexturize'); +// Comments, trackbacks, pingbacks +add_filter('pre_comment_author_name', 'strip_tags'); +add_filter('pre_comment_author_name', 'trim'); +add_filter('pre_comment_author_name', 'wp_specialchars', 30); + +add_filter('pre_comment_author_email', 'trim'); +add_filter('pre_comment_author_email', 'sanitize_email'); + +add_filter('pre_comment_author_url', 'strip_tags'); +add_filter('pre_comment_author_url', 'trim'); +add_filter('pre_comment_author_url', 'clean_url'); + +add_filter('pre_comment_content', 'wp_filter_kses'); +add_filter('pre_comment_content', 'format_to_post'); +add_filter('pre_comment_content', 'balanceTags', 30); + +// Default filters for these functions +add_filter('comment_author', 'wptexturize'); +add_filter('comment_author', 'convert_chars'); + +add_filter('comment_email', 'antispambot'); + +add_filter('comment_url', 'clean_url'); + +add_filter('comment_text', 'convert_chars'); +add_filter('comment_text', 'make_clickable'); +add_filter('comment_text', 'wpautop', 30); +add_filter('comment_text', 'convert_smilies', 20); + +add_filter('comment_excerpt', 'convert_chars'); + +// Places to balance tags on input +add_filter('content_save_pre', 'balanceTags', 50); +add_filter('excerpt_save_pre', 'balanceTags', 50); +add_filter('comment_save_pre', 'balanceTags', 50); + ?> \ No newline at end of file diff --git a/wp-login.php b/wp-login.php index fbb563fc25..7083747da5 100644 --- a/wp-login.php +++ b/wp-login.php @@ -1,24 +1,5 @@ $v) { - if (is_array($v)) { - $array[$k] = add_magic_quotes($v); - } else { - $array[$k] = addslashes($v); - } - } - return $array; - } -} - -if (!get_magic_quotes_gpc()) { - $_GET = add_magic_quotes($_GET); - $_POST = add_magic_quotes($_POST); - $_COOKIE = add_magic_quotes($_COOKIE); -} +require( dirname(__FILE__) . '/wp-config.php' ); $wpvarstoreset = array('action'); 
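Review bot: The new `pre_comment_author_name` / `pre_comment_author_url` / `pre_comment_content` chains are the only place in this change where comment input is tag-stripped, escaped and run through `wp_filter_kses`, and they act at input time through whatever applies those filters (presumably `wp_new_comment()`); the `comment_text` output chain below them does no escaping of its own, so a comment stored by any path that skips those filters is emitted as-is. That design decision deserves a line at the top of the block, e.g. `// Comments are sanitised on input only: every insert path must go through the pre_comment_* filters, the comment_* output filters do not escape.` The explicit priority 30 on `wp_specialchars` and `balanceTags` also deserves a word, since the ordering is what keeps escaping from running before `strip_tags`/`trim` at the default priority: `// priority 30: runs after strip_tags/trim (default 10)`.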
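Review bot: After this hunk wp-login.php no longer normalises slashes on `$_GET`/`$_POST`/`$_COOKIE` itself and relies on `wp-config.php` (or whatever it includes) to do it, which the diff does not show; the wp-pass.php and wp-trackback.php hunks further down remove the same code. Since the rest of this file still reads request data that used to be guaranteed `addslashes()`-ed, a comment on the `require` would make that dependency explicit: `// wp-config.php must apply the magic-quotes normalisation that used to live here`. If wp-config.php does not do so when `get_magic_quotes_gpc()` is off, the quoting this file relied on is simply gone.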
diff --git a/wp-pass.php b/wp-pass.php index f560d36a1e..24b0160514 100644 --- a/wp-pass.php +++ b/wp-pass.php @@ -1,5 +1,5 @@ $v) { - if (is_array($v)) { - $array[$k] = add_magic_quotes($v); - } else { - $array[$k] = addslashes($v); - } - } - return $array; -} - -if (!get_magic_quotes_gpc()) { - $_GET = add_magic_quotes($_GET); - $_POST = add_magic_quotes($_POST); - $_COOKIE = add_magic_quotes($_COOKIE); -} - $wpvarstoreset = array('action'); for ($i=0; $i $v) { - if (is_array($v)) { - $array[$k] = add_magic_quotes($v); - } else { - $array[$k] = addslashes($v); - } - } - return $array; -} - -if (!get_magic_quotes_gpc()) { - $_GET = add_magic_quotes($_GET); - $_POST = add_magic_quotes($_POST); - $_COOKIE = add_magic_quotes($_COOKIE); -} - -if (empty($doing_trackback)) { - $doing_trackback = true; - require('wp-blog-header.php'); +if ( empty($doing_trackback) ) { + $doing_trackback = true; + require_once('wp-blog-header.php'); } function trackback_response($error = 0, $error_message = '') { 
@@ -41,31 +25,33 @@ function trackback_response($error = 0, $error_message = '') { // trackback is done by a POST $request_array = 'HTTP_POST_VARS'; + if (!$tb_id) { $tb_id = explode('/', $_SERVER['REQUEST_URI']); $tb_id = intval($tb_id[count($tb_id)-1]); } -$tb_url = $_POST['url']; -$title = $_POST['title']; -$excerpt = $_POST['excerpt']; + +$tb_url = $_POST['url']; +$title = $_POST['title']; +$excerpt = $_POST['excerpt']; $blog_name = $_POST['blog_name']; -$charset = $_POST['charset']; +$charset = $_POST['charset']; if ($charset) $charset = strtoupper( trim($charset) ); else $charset = 'auto'; -if ( function_exists('mb_convert_encoding') ) { - $title = mb_convert_encoding($title, get_settings('blog_charset'), $charset); - $excerpt = mb_convert_encoding($excerpt, get_settings('blog_charset'), $charset); +if ( function_exists('mb_convert_encoding') ) { // For international trackbacks + $title = mb_convert_encoding($title, get_settings('blog_charset'), $charset); + $excerpt = mb_convert_encoding($excerpt, get_settings('blog_charset'), $charset); $blog_name = mb_convert_encoding($blog_name, get_settings('blog_charset'), $charset); } if ( is_single() ) $tb_id = $posts[0]->ID; -if ( !$tb_id) +if ( !$tb_id ) trackback_response(1, 'I really need an ID for this to work.'); if (empty($title) && empty($tb_url) && empty($blog_name)) { 
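Review bot: `$charset` comes straight from `$_POST['charset']` (only upper-cased and trimmed a few lines above) and is passed unchecked as the source encoding to `mb_convert_encoding()` on the three rewritten lines; an encoding name the extension does not recognise makes the call fail instead of converting (a warning and `false` on older PHP, a `ValueError` on PHP 8), so `$title`, `$excerpt` and `$blog_name` become `false` and the `empty()` checks below treat a real trackback as blank. Validate the name first, inside the `function_exists` branch and before the conversions: compare it case-insensitively against `mb_list_encodings()` and fall back to `'auto'` when it is not listed. `trackback_response()` is defined before this hunk, and the `if` opened on the hunk's last line closes outside it.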
@@ -79,15 +65,13 @@ if ( !empty($tb_url) && !empty($title) && !empty($tb_url) ) { $pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE ID = $tb_id"); - if ('closed' == $pingstatus) + if ('open' != $pingstatus) trackback_response(1, 'Sorry, trackbacks are closed for this item.'); $title = wp_specialchars( strip_tags( $title ) ); $title = (strlen($title) > 250) ? substr($title, 0, 250) . '...' : $title; $excerpt = strip_tags($excerpt); $excerpt = (strlen($excerpt) > 255) ? substr($excerpt, 0, 252) . '...' : $excerpt; - $blog_name = wp_specialchars($blog_name); - $blog_name = (strlen($blog_name) > 250) ? substr($blog_name, 0, 250) . '...' : $blog_name; $comment_post_ID = $tb_id; $comment_author = $blog_name; diff --git a/xmlrpc.php b/xmlrpc.php index 352b491c61..c10c70dc0d 100644 --- a/xmlrpc.php +++ b/xmlrpc.php @@ -1218,12 +1218,11 @@ class wp_xmlrpc_server extends IXR_Server { $original_pagelinkedfrom = $pagelinkedfrom; $pagelinkedfrom = addslashes($pagelinkedfrom); $original_title = $title; - $title = addslashes(strip_tags(trim($title))); - // Check if the entry allows pings - if( !check_comment($title, '', $pagelinkedfrom, $context, $user_ip, $user_agent) ) { - return new IXR_Error(49, 'Pingbacks not allowed on this entry.'); - } + $pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE ID = $tb_id"); + + if ('open' != $pingstatus) + trackback_response(1, 'Sorry, trackbacks are closed for this item.'); $comment_post_ID = $post_ID; $comment_author = $title; @@ -1234,10 +1233,7 @@ class wp_xmlrpc_server extends IXR_Server { $commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_url', 'comment_content', 'comment_type'); wp_new_comment($commentdata); - - $comment_ID = $wpdb->insert_id; - - do_action('pingback_post', $comment_ID); + do_action('pingback_post', $wpdb->insert_id); return "Pingback from $pagelinkedfrom to $pagelinkedto registered. Keep the web talking! :-)"; }
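Review bot: The 250-byte cap on `$blog_name` is dropped together with its `wp_specialchars()` call, while `$title` and `$excerpt` on the lines just above keep theirs; nothing visible in the new `pre_comment_author_name` filters (strip_tags, trim, wp_specialchars) restores a length limit, so an oversized blog_name now reaches `comment_author` uncapped and depends on whatever the column does with it. If only the escaping is meant to move into the filter, keep the cap here: `$blog_name = (strlen($blog_name) > 250) ? substr($blog_name, 0, 250) . '...' : $blog_name;`. Note too that `strlen`/`substr` on these freshly converted strings cut by byte, so a multibyte character can be split at the cut point; `mb_substr` with the blog charset would avoid that. The enclosing `if` block starts before this hunk.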
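Review bot: The replacement ping-status check uses `$tb_id` and `trackback_response()`, both of which belong to wp-trackback.php rather than to this XML-RPC method — the post id in scope here is `$post_ID` (see `$comment_post_ID = $post_ID;` directly below) and nothing in view defines `$tb_id` or `trackback_response` in xmlrpc.php. As written the query runs with an empty `WHERE ID =`, the check then calls an undefined function, and pingbacks on every post fail with a fatal error instead of the XML-RPC error the removed code returned. Use the id that is in scope and keep returning an `IXR_Error`: `$pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE ID = " . (int) $post_ID);` and `if ('open' != $pingstatus) return new IXR_Error(49, 'Pingbacks not allowed on this entry.');`. Dropping `$title = addslashes(strip_tags(trim($title)));` also means `$comment_author` carries the raw title until `wp_new_comment()` filters it, which is only safe if that function applies `pre_comment_author_name`. The method this hunk sits in starts before it and ends after it.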