X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/ff81ee6e8304a1982a3ec4f5b134764a29d502cf..022dfbbbe3215917d84708eb09acca93b21ae9e0:/wp-includes/comment-functions.php
diff --git a/wp-includes/comment-functions.php b/wp-includes/comment-functions.php
index eed5a611..3f2ab8df 100644
--- a/wp-includes/comment-functions.php
+++ b/wp-includes/comment-functions.php
@@ -2,30 +2,23 @@ // Template functions +function wp_comment_form_unfiltered_html_nonce() { + global $post; + if ( current_user_can('unfiltered_html') ) + wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false); +} + function comments_template( $file = '/comments.php' ) { global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity; - if ( is_single() || is_page() || $withcomments ) : - $req = get_settings('require_name_email'); - $comment_author = ''; - if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) { - $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]); - $comment_author = stripslashes($comment_author); - $comment_author = wp_specialchars($comment_author, true); - } - $comment_author_email = ''; - if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) { - $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]); - $comment_author_email = stripslashes($comment_author_email); - $comment_author_email = wp_specialchars($comment_author_email, true); - } - $comment_author_url = ''; - if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) { - $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]); - $comment_author_url = stripslashes($comment_author_url); - $comment_author_url = wp_specialchars($comment_author_url, true); - } + if ( ! (is_single() || is_page() || $withcomments) ) + return; + + $req = get_settings('require_name_email'); + $commenter = wp_get_current_commenter(); + extract($commenter); + // TODO: Use API instead of SELECTs. if ( empty($comment_author) ) { $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date"); } else { 
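Review bot: `extract($commenter);` in comments_template hides which locals the rest of the function depends on; the `if ( empty($comment_author) )` branch right below it, and `$author_db`/`$email_db` in the next hunk, silently rely on three names that only a reader of wp_get_current_commenter() can enumerate. Assign them explicitly, `$comment_author = $commenter['comment_author'];`, `$comment_author_email = $commenter['comment_author_email'];`, `$comment_author_url = $commenter['comment_author_url'];`, so the cookie-to-SQL data flow is visible at the use site. The wp_specialchars() step that used to run here has moved out of this function, so comments_template now depends on sanitize_comment_cookies() having run earlier in the request, which nothing in this hunk establishes; a comment on the `$commenter =` line naming that precondition would help. In wp_comment_form_unfiltered_html_nonce, `$post->ID` is read from the global without checking that `$post` is set; a guard such as `if ( empty($post) ) return;` would presumably avoid a notice when the helper is called outside the loop. comments_template's body continues in the next hunk.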
@@ -34,16 +27,12 @@ function comments_template( $file = '/comments.php' ) { $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND ( comment_approved = '1' OR ( comment_author = '$author_db' AND comment_author_email = '$email_db' AND comment_approved = '0' ) ) ORDER BY comment_date"); } - get_currentuserinfo(); - define('COMMENTS_TEMPLATE', true); $include = apply_filters('comments_template', TEMPLATEPATH . $file ); if ( file_exists( $include ) ) require( $include ); else require( ABSPATH . 'wp-content/themes/default/comments.php'); - - endif; } function wp_new_comment( $commentdata ) {
@@ -101,7 +90,7 @@ function wp_insert_comment($commentdata) { ('$comment_post_ID', '$comment_author', '$comment_author_email', '$comment_author_url', '$comment_author_IP', '$comment_date', '$comment_date_gmt', '$comment_content', '$comment_approved', '$comment_agent', '$comment_type', '$comment_parent', '$user_id') "); - $id = $wpdb->insert_id; + $id = (int) $wpdb->insert_id; if ( $comment_approved == 1) { $count = $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_approved = '1'");
@@ -126,8 +115,6 @@ function wp_allow_comment($commentdata) { global $wpdb; extract($commentdata); - $comment_user_domain = apply_filters('pre_comment_user_domain', gethostbyaddr($comment_author_IP) ); - // Simple duplicate check $dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND ( comment_author = '$comment_author' "; if ( $comment_author_email )
@@ -185,6 +172,8 @@ function wp_update_comment($commentarr) { // Merge old and new fields with new fields overwriting old ones. $commentarr = array_merge($comment, $commentarr); + $commentarr = wp_filter_comment( $commentarr ); + // Now extract the merged array. extract($commentarr); 
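Review bot: With `get_currentuserinfo();` removed, the `global ... $user_login, $user_ID, $user_identity;` declaration at the top of comments_template (previous hunk) no longer has anything in this function populating those variables, yet the required comments template still sees them as globals. If they are now filled earlier in request setup, say so with a comment where the call used to be, `// $user_login/$user_ID/$user_identity are populated by the request bootstrap, not here`; if they are not, templates that read them get whatever the globals happen to hold. The `$file` argument is still joined to TEMPLATEPATH and handed to `require` without validation, so callers must never pass it from request data; a one-line comment on the `$include =` line stating that `$file` is theme-supplied would make that contract explicit. comments_template starts in the previous hunk.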
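Review bot: `$commentarr = wp_filter_comment( $commentarr );` in wp_update_comment runs the filter over the merged array, so the fields copied back from the stored comment by array_merge are re-filtered alongside the caller's changes, not just the incoming ones. Whether that is harmless depends on what wp_filter_comment and the pre_comment_* filters do to already-stored values (not visible here); if any of them escape or normalize, untouched fields are processed a second time on every update. If wp_filter_comment tolerates a partial array, filter the caller-supplied fields before the merge, `$commentarr = wp_filter_comment( $commentarr ); $commentarr = array_merge($comment, $commentarr);`; otherwise add a comment on the new line stating that re-filtering the stored fields is intended. wp_update_comment continues outside the hunk on both sides.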
@@ -221,28 +210,21 @@ function wp_delete_comment($comment_id) { return false; $post_id = $comment->comment_post_ID; - if ( $post_id && $comment->comment_approved == 1 ) - $wpdb->query( "UPDATE $wpdb->posts SET comment_count = comment_count - 1 WHERE ID = '$post_id'" ); + if ( $post_id && $comment->comment_approved == 1 ) { + $count = $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = '$post_id' AND comment_approved = '1'"); + $wpdb->query( "UPDATE $wpdb->posts SET comment_count = $count WHERE ID = '$post_id'" ); + } do_action('wp_set_comment_status', $comment_id, 'delete'); return true; } -function clean_url( $url ) { - if ('' == $url) return $url; - $url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $url); - $url = str_replace(';//', '://', $url); - $url = (!strstr($url, '://')) ? 'http://'.$url : $url; - $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url); - return $url; -} - function get_comments_number( $post_id = 0 ) { global $wpdb, $comment_count_cache, $id; $post_id = (int) $post_id; if ( !$post_id ) - $post_id = $id; + $post_id = (int) $id; if ( !isset($comment_count_cache[$post_id]) ) $comment_count_cache[$id] = $wpdb->get_var("SELECT comment_count FROM $wpdb->posts WHERE ID = '$post_id'");
@@ -328,7 +310,8 @@ function comments_popup_link($zero='No Comments', $one='1 Comment', $more='% Com if (!empty($CSSclass)) { echo ' class="'.$CSSclass.'"'; } - echo ' title="' . sprintf( __('Comment on %s'), $post->post_title ) .'">'; + $title = attribute_escape(apply_filters('the_title', get_the_title())); + echo ' title="' . sprintf( __('Comment on %s'), $title ) .'">'; comments_number($zero, $one, $more, $number); echo ''; } 
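Review bot: In get_comments_number the new `$post_id = (int) $id;` fixes the type of the lookup key, but the cache write on the context line just below still stores under `$comment_count_cache[$id]` while the `isset($comment_count_cache[$post_id])` test reads `$post_id`; for any explicit `$post_id` argument the value lands under the wrong key, so the SELECT runs again on every call and the global post's entry is overwritten. The write should use the same key as the read, `$comment_count_cache[$post_id] = $wpdb->get_var(...)`. The wp_delete_comment change to recount with COUNT(*) instead of decrementing is sound; `$count` is interpolated unquoted into the UPDATE, which is safe only because it comes straight from the COUNT(*) query, and a cast, `$count = (int) $wpdb->get_var(...)`, would make that guarantee local to the line. get_comments_number continues past the hunk.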
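Review bot: The new `$title = attribute_escape(...)` line in comments_popup_link closes the attribute-injection path for the post title, but the `echo ' class="'.$CSSclass.'"';` two lines above it still emits `$CSSclass` into an attribute unescaped. It is a parameter supplied by theme code rather than request data, so the exposure is lower, but for consistency with the title fix wrap it the same way, `echo ' class="'.attribute_escape($CSSclass).'"';`. comments_popup_link starts and continues outside the hunk.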
@@ -845,7 +828,7 @@ function check_comment($author, $email, $url, $comment, $user_ip, $user_agent, $ if (1 == get_settings('comment_moderation')) return false; // If moderation is set to manual - if ( (count(explode('http:', $comment)) - 1) >= get_settings('comment_max_links') ) + if ( preg_match_all("|(href\t*?=\t*?['\"]?)?(https?:)?//|i", $comment, $out) >= get_option('comment_max_links') ) return false; // Check # of external links $mod_keys = trim( get_settings('moderation_keys') ); 
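Review bot: In the new link-count test the pattern `|(href\t*?=\t*?['\"]?)?(https?:)?//|i` makes both prefix groups optional, so what is actually counted is every `//` in the comment; the `href` and scheme groups contribute nothing to the match, and `\t*?` matches only tabs, where `\s*?` was presumably intended. Any `//` that is not a link (a path, a C-style comment in a pasted snippet) now counts toward comment_max_links, which the old `http:` count did not; if counting protocol-relative links is the goal, say so in a comment, otherwise `preg_match_all('|https?://|i', $comment, $out)` states the intent directly. `$out` is captured but never read, so a short comment that it exists only to satisfy preg_match_all's signature would save the next reader a lookup. The same line switches to `get_option` while the surrounding lines keep `get_settings`; pick one within the function. check_comment starts and ends outside the hunk.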
@@ -900,7 +883,50 @@ function check_comment($author, $email, $url, $comment, $user_ip, $user_agent, $ function get_approved_comments($post_id) { global $wpdb; + + $post_id = (int) $post_id; return $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = $post_id AND comment_approved = '1' ORDER BY comment_date"); } +function sanitize_comment_cookies() { + if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) { + $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]); + $comment_author = stripslashes($comment_author); + $comment_author = attribute_escape($comment_author); + $_COOKIE['comment_author_'.COOKIEHASH] = $comment_author; + } + + if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) { + $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]); + $comment_author_email = stripslashes($comment_author_email); + $comment_author_email = attribute_escape($comment_author_email); + $_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email; + } + + if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) { + $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]); + $comment_author_url = stripslashes($comment_author_url); + $comment_author_url = attribute_escape($comment_author_url); + $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url; + } +} + +function wp_get_current_commenter() { + // Cookies should already be sanitized. 
+ + $comment_author = ''; + if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) + $comment_author = $_COOKIE['comment_author_'.COOKIEHASH]; + + $comment_author_email = ''; + if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) + $comment_author_email = $_COOKIE['comment_author_email_'.COOKIEHASH]; + + $comment_author_url = ''; + if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) + $comment_author_url = $_COOKIE['comment_author_url_'.COOKIEHASH]; + + return compact('comment_author', 'comment_author_email', 'comment_author_url'); +} + ?>
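Review bot: wp_get_current_commenter() returns raw `$_COOKIE` values and relies on sanitize_comment_cookies() having rewritten them first, but the only hint is the `// Cookies should already be sanitized.` line; nothing in this file enforces that order, so any request path that reaches comments_template without the sanitizer hands unescaped cookie text to the template and to the `$author_db`/`$email_db` SQL in an earlier hunk. Make the contract explicit with a docblock on wp_get_current_commenter stating that sanitize_comment_cookies() must run earlier in the request (presumably from an init-time hook, not visible here) and naming the three keys it returns. sanitize_comment_cookies() mutates the superglobal in place, so every later reader of those cookies sees attribute-escaped values; if attribute_escape() is not idempotent, a second call in the same request escapes again, so either a `static $done` guard or a comment that it must be called exactly once is worth adding. The `(int)` cast in get_approved_comments is the right fix for the unquoted `comment_post_ID = $post_id` on the following line.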