Server IP : 66.29.132.124 / Your IP : 3.15.239.207 Web Server : LiteSpeed System : Linux business141.web-hosting.com 4.18.0-553.lve.el8.x86_64 #1 SMP Mon May 27 15:27:34 UTC 2024 x86_64 User : wavevlvu ( 1524) PHP Version : 7.4.33 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : OFF | Pkexec : OFF Directory : /home/wavevlvu/diixadigital.com/wp-content/plugins/jetpack/modules/comments/ |
Upload File : |
<?php //phpcs:ignore WordPress.Files.FileName.InvalidClassFileName /** * Jetpack comments base file - where the code shared between WP.com Highlander and Jetpack Highlander is defined * * @package automattic/jetpack */ use Automattic\Jetpack\Image_CDN\Image_CDN_Core; /** * All the code shared between WP.com Highlander and Jetpack Highlander */ class Highlander_Comments_Base { /** * Constructor */ public function __construct() { $this->setup_globals(); $this->setup_actions(); $this->setup_filters(); } /** * Set any global variables or class variables * * @since 1.4 */ protected function setup_globals() {} /** * Setup actions for methods in this class * * @since 1.4 */ protected function setup_actions() { // Before a comment is posted. add_action( 'pre_comment_on_post', array( $this, 'allow_logged_out_user_to_comment_as_external' ) ); // After a comment is posted. add_action( 'comment_post', array( $this, 'set_comment_cookies' ) ); } /** * Setup filters for methods in this class * * @since 1.4 */ protected function setup_filters() { add_filter( 'comments_array', array( $this, 'comments_array' ) ); add_filter( 'preprocess_comment', array( $this, 'allow_logged_in_user_to_comment_as_guest' ), 0 ); } /** * Is this a Highlander POST request? * Optionally restrict to one or more credentials slug (facebook, ...) * * @param mixed ...$args Comments credentials slugs. * @return false|string false if it's not a Highlander POST request. The matching credentials slug if it is. */ public function is_highlander_comment_post( ...$args ) { // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce verification should happen in Jetpack_Comments::pre_comment_on_post(). Internal ref for details: p1645643468937519/1645189749.180299-slack-C02HQGKMFJ8 if ( empty( $_POST['hc_post_as'] ) ) { return false; } $hc_post_as = wp_unslash( $_POST['hc_post_as'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized here by comparing against known values. // phpcs:enable WordPress.Security.NonceVerification.Missing if ( $args ) { foreach ( $args as $id_source ) { if ( $id_source === $hc_post_as ) { return $id_source; } } return false; } return is_string( $hc_post_as ) && in_array( $hc_post_as, $this->id_sources, true ) ? $hc_post_as : false; } /** * Signs an array of scalars with the self-hosted blog's Jetpack Token * * If parameter values are not scalars a WP_Error is returned, otherwise a keyed hash value is returned using the HMAC method. * * @param array $parameters Comment parameters. * @param string $key Key used for generating the HMAC variant of the message digest. * @return string HMAC */ public static function sign_remote_comment_parameters( $parameters, $key ) { unset( $parameters['sig'], // Don't sign the signature. $parameters['replytocom'] // This parameter is unsigned - it changes dynamically as the comment form moves from parent comment to parent comment. ); ksort( $parameters ); $signing = array(); foreach ( $parameters as $k => $v ) { if ( ! is_scalar( $v ) ) { return new WP_Error( 'invalid_input', __( 'Invalid request', 'jetpack' ), array( 'status' => 400 ) ); } $signing[] = "{$k}={$v}"; } return hash_hmac( 'sha1', implode( ':', $signing ), $key ); } /** * Adds comment author email and whether the comment is approved to the comments array * * After commenting as a guest while logged in, the user needs to see both: * ( user_id = blah AND comment_approved = 0 ) * and ( comment_author_email = blah AND comment_approved = 0 ) * Core only does the first since the user is logged in, so this adds the second to the comments array. * * @param array $comments All comment data. * @return array A modified array of comment data. */ public function comments_array( $comments ) { global $wpdb, $post; $commenter = $this->get_current_commenter(); if ( ! $commenter['user_id'] ) { return $comments; } if ( ! $commenter['comment_author'] ) { return $comments; } $in_moderation_comments = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM `$wpdb->comments` WHERE `comment_post_ID` = %d AND `user_id` = 0 AND `comment_author` = %s AND `comment_author_email` = %s AND `comment_approved` = '0' ORDER BY `comment_date_gmt` /* Highlander_Comments_Base::comments_array() */", $post->ID, wp_specialchars_decode( $commenter['comment_author'], ENT_QUOTES ), $commenter['comment_author_email'] ) ); if ( ! $in_moderation_comments ) { return $comments; } // @todo ZOMG this is a bad idea $comments = array_merge( $comments, $in_moderation_comments ); usort( $comments, array( $this, 'sort_comments_by_comment_date_gmt' ) ); return $comments; } /** * Comment sort comparator: comment_date_gmt * * @since 1.4 * @param object $a The first comment to compare dates with. * @param object $b The second comment to compare dates with. * @return int */ public function sort_comments_by_comment_date_gmt( $a, $b ) { return $a->comment_date_gmt <=> $b->comment_date_gmt; } /** * Get the current commenter's information from their cookie * * @since 1.4 * @return array Commenters information from cookie */ protected function get_current_commenter() { // Defaults. $user_id = 0; $comment_author = ''; $comment_author_email = ''; $comment_author_url = ''; if ( isset( $_COOKIE[ 'comment_author_' . COOKIEHASH ] ) ) { $comment_author = sanitize_text_field( wp_unslash( $_COOKIE[ 'comment_author_' . COOKIEHASH ] ) ); } if ( isset( $_COOKIE[ 'comment_author_email_' . COOKIEHASH ] ) ) { $comment_author_email = sanitize_email( wp_unslash( $_COOKIE[ 'comment_author_email_' . COOKIEHASH ] ) ); } if ( isset( $_COOKIE[ 'comment_author_url_' . COOKIEHASH ] ) ) { $comment_author_url = esc_url_raw( wp_unslash( $_COOKIE[ 'comment_author_url_' . COOKIEHASH ] ) ); } if ( is_user_logged_in() ) { $user = wp_get_current_user(); $user_id = $user->ID; } return compact( 'comment_author', 'comment_author_email', 'comment_author_url', 'user_id' ); } /** * Allows a logged out user to leave a comment as a facebook/wp.com credentialed user. * Overrides WordPress' core comment_registration option to treat these commenters as "registered" (verified) users. * * @since 1.4 */ public function allow_logged_out_user_to_comment_as_external() { // phpcs:ignore WordPress.WP.CapitalPDangit.MisspelledInText if ( ! $this->is_highlander_comment_post( 'facebook', 'wordpress' ) ) { return; } add_filter( 'pre_option_comment_registration', '__return_zero' ); add_filter( 'pre_option_require_name_email', '__return_zero' ); } /** * Allow a logged in user to post as a guest, or FB credentialed request. * Bypasses WordPress' core overrides that force a logged in user to comment as that user. * Respects comment_registration option. * * @since 1.4 * @param array $comment_data All data for a specific comment. * @return array Modified comment data, or an error if the required fields or a valid email address are not entered. */ public function allow_logged_in_user_to_comment_as_guest( $comment_data ) { // Bail if user registration is allowed. if ( get_option( 'comment_registration' ) ) { return $comment_data; } // Bail if user is not logged in or not a post request. if ( ! isset( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) || ! is_user_logged_in() ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- simple comparison return $comment_data; } // Bail if this is not a guest or external service credentialed request. if ( ! $this->is_highlander_comment_post( 'guest', 'facebook' ) ) { return $comment_data; } $user = wp_get_current_user(); foreach ( array( 'comment_author' => 'display_name', 'comment_author_email' => 'user_email', 'comment_author_url' => 'user_url', ) as $comment_field => $user_field ) { if ( addslashes( $user->$user_field ) !== $comment_data[ $comment_field ] ) { return $comment_data; // some other plugin already did something funky. } } // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce verification should happen in Jetpack_Comments::pre_comment_on_post() // phpcs:disable WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitization too if ( get_option( 'require_name_email' ) ) { if ( isset( $_POST['email'] ) && 6 > strlen( wp_unslash( $_POST['email'] ) ) || empty( $_POST['author'] ) ) { wp_die( esc_html__( 'Error: please fill the required fields (name, email).', 'jetpack' ), 400 ); } elseif ( ! isset( $_POST['email'] ) || ! is_email( wp_unslash( $_POST['email'] ) ) ) { wp_die( esc_html__( 'Error: please enter a valid email address.', 'jetpack' ), 400 ); } } $author_change = false; foreach ( array( 'comment_author' => 'author', 'comment_author_email' => 'email', 'comment_author_url' => 'url', ) as $comment_field => $post_field ) { if ( ( ! isset( $_POST[ $post_field ] ) || $comment_data[ $comment_field ] !== $_POST[ $post_field ] ) && 'url' !== $post_field ) { $author_change = true; } $comment_data[ $comment_field ] = isset( $_POST[ $post_field ] ) ? wp_unslash( $_POST[ $post_field ] ) : null; } // phpcs:enable WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized // Mark as guest comment if name or email were changed. if ( $author_change ) { $comment_data['user_ID'] = 0; $comment_data['user_id'] = $comment_data['user_ID']; } return $comment_data; } /** * Set the comment cookies or bail if comment is invalid * * @since 1.4 * @param int $comment_id The comment ID. */ public function set_comment_cookies( $comment_id ) { // Get comment and bail if it's invalid somehow. $comment = get_comment( $comment_id ); if ( empty( $comment ) || is_wp_error( $comment ) ) { return; } $id_source = $this->is_highlander_comment_post(); if ( empty( $id_source ) ) { return; } // Set comment author cookies. // We don't set the cookies if they are logged in with WordPress.com because they already have a cookie set. // phpcs:ignore WordPress.WP.CapitalPDangit if ( 'wordpress' !== $id_source ) { // phpcs:disable WordPress.Security.NonceVerification -- Nonce verification should happen in Jetpack_Comments::pre_comment_on_post(). $is_consenting_to_cookies = ( isset( $_POST['wp-comment-cookies-consent'] ) ); $cookie_options = array( 'expires' => time() + apply_filters( 'comment_cookie_lifetime', YEAR_IN_SECONDS ), 'path' => COOKIEPATH, 'domain' => COOKIE_DOMAIN, 'secure' => is_ssl(), 'httponly' => true, ); // If there is no consent, remove any cookies that may have been set. if ( ( 'guest' === $id_source ) && ! $is_consenting_to_cookies ) { $cookie_options['expires'] = time() - YEAR_IN_SECONDS; } // Set samesite to None if the request is from Jetpack iframe. // This is needed because it is considered third party. if ( isset( $_REQUEST['for'] ) && 'jetpack' === $_REQUEST['for'] ) { $cookie_options['samesite'] = 'None'; } // phpcs:enable WordPress.Security.NonceVerification // phpcs:disable Jetpack.Functions.SetCookie.MissingTrueHTTPOnly isset( $comment->comment_author ) ? setcookie( 'comment_author_' . COOKIEHASH, $comment->comment_author, $cookie_options ) : null; isset( $comment->comment_author_email ) ? setcookie( 'comment_author_email_' . COOKIEHASH, $comment->comment_author_email, $cookie_options ) : null; isset( $comment->comment_author_url ) ? setcookie( 'comment_author_url_' . COOKIEHASH, esc_url( $comment->comment_author_url ), $cookie_options ) : null; // phpcs:enable Jetpack.Functions.SetCookie.MissingTrueHTTPOnly } } /** * Get an avatar from Photon * * @since 1.4 * @param string $url The avatar URL. * @param int $size The avatar size. * @return string */ protected function photon_avatar( $url, $size ) { $size = (int) $size; return Image_CDN_Core::cdn_url( $url, array( 'resize' => "$size,$size" ) ); } }