Add blog comments and CSRF protection

Sven Slootweg 12 years ago
parent 70d81e1b78
commit 061c32ac8b

@ -21,7 +21,6 @@ class BlogComment extends CPHPDatabaseRecordClass
public $prototype = array( public $prototype = array(
'string' => array( 'string' => array(
'Body' => "Body",
'Name' => "Name", 'Name' => "Name",
'EmailAddress' => "EmailAddress" 'EmailAddress' => "EmailAddress"
), ),
@ -37,6 +36,9 @@ class BlogComment extends CPHPDatabaseRecordClass
"Visible" => "Visible", "Visible" => "Visible",
"IsGuestPost" => "GuestPost" "IsGuestPost" => "GuestPost"
), ),
'simplehtml' => array(
'Body' => "Body",
),
'user' => array( 'user' => array(
"Author" => "UserId" "Author" => "UserId"
), ),

@ -0,0 +1,78 @@
<?php
/*
* Box is more free software. It is licensed under the WTFPL, which
* allows you to do pretty much anything with it, without having to
* ask permission. Commercial use is allowed, and no attribution is
* required. We do politely request that you share your modifications
* to benefit other developers, but you are under no enforced
* obligation to do so :)
*
* Please read the accompanying LICENSE document for the full WTFPL
* licensing text.
*/
if(!isset($_APP)) { die("Unauthorized."); }
try
{
$sBlogPost = BlogPost::CreateFromQuery("SELECT * FROM blog_posts WHERE `Slug` = :Slug", array(":Slug" => $router->uParameters[1]), 60, true);
}
catch (NotFoundException $e)
{
throw new RouterException("No such blog post exists.");
}
$sErrors = array();
if(empty($sCurrentUser) && (empty($_POST['name']) && empty($_POST['email'])))
{
$sErrors[] = "You did not enter a valid name and/or e-mail address.";
}
if(empty($sCurrentUser) && !User::CheckIfEmailValid($_POST['email']))
{
$sErrors[] = "The e-mail address you entered is invalid.";
}
if(empty($_POST['body']))
{
$sErrors[] = "You can't post an empty comment!";
}
if(empty($sErrors))
{
$sBlogComment = new BlogComment(0);
$sBlogComment->uPostId = $sBlogPost->sId;
$sBlogComment->uBody = $_POST['body'];
$sBlogComment->uPostedDate = time();
$sBlogComment->uVisible = true;
if(!empty($sCurrentUser))
{
$sBlogComment->uIsGuestPost = false;
$sBlogComment->uName = "";
$sBlogComment->uEmailAddress = "";
$sBlogComment->uAuthorId = $sCurrentUser->sId;
}
else
{
$sBlogComment->uIsGuestPost = true;
$sBlogComment->uName = $_POST['name'];
$sBlogComment->uEmailAddress = $_POST['email'];
$sBlogComment->uAuthorId = 0;
}
$sBlogComment->InsertIntoDatabase();
redirect("/blog/{$sBlogPost->sSlug}/#comment_{$sBlogComment->sId}");
}
else
{
foreach($sErrors as $sError)
{
flash_error($sError);
}
redirect("/blog/{$sBlogPost->sSlug}/");
}
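Review bot: The guest-field check at the top of the validation block uses `&&`, so a guest who fills in only the e-mail (or only the name) passes it and an empty name is then stored by the guest branch; the error text itself says "name and/or e-mail", so the condition should be `if(empty($sCurrentUser) && (empty($_POST['name']) || empty($_POST['email'])))`. The next check reads `$_POST['email']` directly, which raises an undefined-index notice when the field is absent, so guard it as `if(empty($sCurrentUser) && (!isset($_POST['email']) || !User::CheckIfEmailValid($_POST['email'])))`. Nothing in this module restricts it to POST requests; it appears to rely on the global `CSRF::VerifyToken()` call in index.php as the only gate, which deserves a one-line comment above the validation because a GET to this route still runs the query and the redirect. The body is stored raw from `$_POST['body']`, and whether the new `simplehtml` prototype type sanitises it on write cannot be seen from this commit.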

@ -0,0 +1,68 @@
<?php
/*
* Box is more free software. It is licensed under the WTFPL, which
* allows you to do pretty much anything with it, without having to
* ask permission. Commercial use is allowed, and no attribution is
* required. We do politely request that you share your modifications
* to benefit other developers, but you are under no enforced
* obligation to do so :)
*
* Please read the accompanying LICENSE document for the full WTFPL
* licensing text.
*/
if(!isset($_APP)) { die("Unauthorized."); }
try
{
$sBlogPost = BlogPost::CreateFromQuery("SELECT * FROM blog_posts WHERE `Slug` = :Slug", array(":Slug" => $router->uParameters[1]), 60, true);
}
catch (NotFoundException $e)
{
throw new RouterException("No such blog post exists.");
}
try
{
$result = BlogComment::CreateFromQuery("SELECT * FROM blog_comments WHERE `PostId` = :PostId AND `Visible` = 1 ORDER BY `Posted` ASC", array(":PostId" => $sBlogPost->sId));
}
catch (NotFoundException $e)
{
$result = array();
}
$sComments = array();
foreach($result as $sComment)
{
if($sComment->sIsGuestPost)
{
$sAuthorName = $sComment->sName;
$sEmailAddress = $sComment->sEmailAddress;
}
else
{
$sAuthorName = $sComment->sAuthor->sUsername;
$sEmailAddress = $sComment->sAuthor->sEmailAddress;
}
$sComments[] = array(
"author" => $sAuthorName,
"relative-date" => time_ago($sComment->sPostedDate, $locale),
"body" => Markdown($sComment->sBody),
"gravatar" => "https://secure.gravatar.com/avatar/" . md5(strtolower(trim($sEmailAddress))) . ".jpg?d=retro&s=40",
"id" => $sComment->sId
);
}
$sPageTitle = $sBlogPost->sTitle;
$sPageContents = NewTemplater::Render("blog/post", $locale->strings, array(
"title" => $sBlogPost->sTitle,
"body" => Markdown($sBlogPost->sBody),
"author" => $sBlogPost->sAuthor->sUsername,
"relative-date" => time_ago($sBlogPost->sPostedDate, $locale),
"thumbnail" => $sBlogPost->sThumbnail,
"tags" => "test1, test2, test3",
"comments" => $sComments,
"slug" => $sBlogPost->sSlug
));
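Review bot: The comment body at `"body" => Markdown($sComment->sBody)` is rendered without `filter_html`, whereas the forum module in this same commit wraps user Markdown as `filter_html(Markdown(...))`; since guests can now submit bodies straight from `$_POST['body']`, raw HTML in a comment reaches the template unless the new `simplehtml` prototype type on the BlogComment model strips it on read, which this diff does not show. Safer to match the forum: `"body" => filter_html(Markdown($sComment->sBody)),`. The guest `author` name is likewise user-supplied and is emitted via `{%?comment[author]}`; whether the templater escapes it cannot be confirmed here, so either verify that or apply `htmlspecialchars` before it enters the array. `"tags" => "test1, test2, test3"` is a hard-coded placeholder that will render on every post.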

@ -51,7 +51,7 @@ foreach($result as $sForumPost)
"body" => filter_html(Markdown($sForumPost->uBody)), "body" => filter_html(Markdown($sForumPost->uBody)),
"date" => time_ago($sForumPost->sPostedDate, $locale), "date" => time_ago($sForumPost->sPostedDate, $locale),
"date-full" => local_from_unix($sForumPost->sPostedDate, $locale->datetime_long), "date-full" => local_from_unix($sForumPost->sPostedDate, $locale->datetime_long),
"self" => ($sForumPost->sAuthorId == $sCurrentUser->sId), "self" => (!empty($sCurrentUser) && $sForumPost->sAuthorId == $sCurrentUser->sId),
"gravatar" => "https://secure.gravatar.com/avatar/" . md5(strtolower(trim($sForumPost->sAuthor->sEmailAddress))) . ".jpg?d=retro&s=40", "gravatar" => "https://secure.gravatar.com/avatar/" . md5(strtolower(trim($sForumPost->sAuthor->sEmailAddress))) . ".jpg?d=retro&s=40",
"signature" => filter_html(Markdown($sForumPost->sAuthor->uSignature)), "signature" => filter_html(Markdown($sForumPost->sAuthor->uSignature)),
"permalink" => $sForumPost->GetPermalink() "permalink" => $sForumPost->GetPermalink()

@ -14,6 +14,18 @@
$_APP = true; $_APP = true;
require("include/base.php"); require("include/base.php");
if(strtolower($_SERVER["REQUEST_METHOD"]) == "post")
{
try
{
CSRF::VerifyToken();
}
catch (CsrfException $e)
{
die();
}
}
$sPageTitle = ""; $sPageTitle = "";
$sPageContents = ""; $sPageContents = "";
@ -36,6 +48,14 @@ $router->routes = array(
"target" => "modules/blog/home.php", "target" => "modules/blog/home.php",
"_section" => "Blog" "_section" => "Blog"
), ),
"^/blog/([a-z0-9-]+)$" => array(
"target" => "modules/blog/post.php",
"_section" => "Blog"
),
"^/blog/([a-z0-9-]+)/comment$" => array(
"target" => "modules/blog/comment.php",
"_section" => "Blog"
),
"^/login$" => array( "^/login$" => array(
"target" => "modules/account/login.php", "target" => "modules/account/login.php",
"_section" => "Account" "_section" => "Account"

@ -424,14 +424,14 @@ a.user
.post .body h5 { font-size: 16px; } .post .body h5 { font-size: 16px; }
.post .body h6 { font-size: 14px; } .post .body h6 { font-size: 14px; }
.post .body blockquote .post .body blockquote, .comment blockquote
{ {
padding: 7px 0px 7px 9px; padding: 7px 0px 7px 9px;
margin: 9px 0px 9px 6px; margin: 9px 0px 9px 6px;
border-left: 3px solid #80B380; border-left: 3px solid #80B380;
} }
.post .body blockquote p .post .body blockquote p, .comment blockquote p
{ {
margin: 0px; margin: 0px;
} }
@ -558,3 +558,64 @@ button.preview
{ {
margin-right: 18px; margin-right: 18px;
} }
.comment
{
border-bottom: 1px solid #D6D6D6;
padding: 7px 6px 7px 65px;
}
.comment .gravatar
{
float: left;
border: 1px solid silver;
padding: 1px;
margin: 7px 6px;
margin-left: -57px;
}
.comment .metadata
{
padding: 6px 0px 4px 0px;
}
.comment .metadata .author
{
font-weight: bold;
}
.comment .metadata .date
{
color: #7D7D7D;
margin-left: 10px;
font-size: 15px;
}
.comment p
{
margin: 8px 0px;
font-size: 15px;
}
.comments h2
{
margin: 9px 0px 0px 0px;
font-size: 21px;
}
.comments form
{
margin-top: 9px;
}
.comments textarea.body
{
height: 140px;
margin-top: 2px;
}
.comments label
{
font-size: 17px;
margin-top: 8px;
}

@ -0,0 +1,56 @@
<div class="entry">
<h1>{%?title}</h1>
<img src="{%?thumbnail}">
<div class="metadata">
<span class="date">{%?relative-date}</span>, by
<span class="author">{%?author}</span>
<span class="tags">Tags: {%?tags}</span>
</div>
{%?body}
</div>
<div class="comments">
<h2>Comments</h2>
{%if isempty|comments == true}
No comments have been posted yet.
{%else}
{%foreach comment in comments}
<div class="comment">
<a name="comment_{%?comment[id]}"></a>
<img src="{%?comment[gravatar]}" class="gravatar">
<div class="metadata">
<span class="author">{%?comment[author]}</span>
<span class="date">{%?comment[relative-date]}</span>
</div>
{%?comment[body]}
</div>
{%/foreach}
{%/if}
<h2>Post a new comment</h2>
<div class="commentform">
<form method="post" action="/blog/{%?slug}/comment">
{%if logged-in == false}
<label>Name</label>
<input type="text" name="name">
<label>E-mail address</label>
<input type="text" name="email">
<div class="clear"></div>
{%/if}
<div class="field">
<textarea class="body" name="body"></textarea>
</div>
<div class="subtext">
You can use <a href="http://static.squarespace.com/static/50060af484ae2a1f638413cb/5025cecce4b0922760c3c438/5025cecce4b0922760c3c43a/1304275182573/">Markdown</a>.
</div>
<button class="submit" type="submit" name="submit">Post comment</button>
<button class="submit preview" type="submit" name="submit">Preview</button>
<div class="clear"></div>
</form>
</div>
</div>
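Review bot: The comment form posts to `/blog/{%?slug}/comment` but carries no hidden CSRF token field, while index.php in this commit now calls `CSRF::VerifyToken()` on every POST and terminates on failure; unless NewTemplater injects the token into forms automatically (not visible here), every comment submission will be rejected. Add a hidden input carrying the field name and value that `CSRF::VerifyToken()` expects, e.g. `<input type="hidden" name="[csrf field name]" value="[csrf token value]">` with both placeholders filled from the CSRF class. Both submit buttons are `name="submit"` with no `value`, so the server receives identical data for Post and Preview and comment.php inserts the comment in either case; give them distinct values (`value="post"` / `value="preview"`) and branch on that. The `name` and `email` inputs are accepted verbatim from guests, so the escaping applied to `{%?comment[author]}` should be confirmed on the templater side.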