<?php // phpcs:ignore WordPress.Files.FileName.InvalidClassFileName
|
||
/**
|
||
* Module: Comments
|
||
*
|
||
* @package automattic/jetpack
|
||
*/
|
||
|
||
require __DIR__ . '/base.php';
|
||
use Automattic\Jetpack\Connection\Tokens;
|
||
use Automattic\Jetpack\Status\Host;
|
||
|
||
/**
|
||
* Main Comments class
|
||
*
|
||
* @package automattic/jetpack
|
||
* @since 1.4
|
||
*/
|
||
class Jetpack_Comments extends Highlander_Comments_Base {
|
||
|
||
/** Variables *************************************************************/
|
||
|
||
/**
|
||
* Possible comment form sources - empty array as default
|
||
*
|
||
* @var array
|
||
*/
|
||
public $id_sources = array();
|
||
|
||
/**
|
||
* Remote comment URL - empty string as default
|
||
*
|
||
* @var string
|
||
*/
|
||
public $signed_url = '';
|
||
|
||
/**
|
||
* The default comment form color scheme - default is light
|
||
*
|
||
* @var string
|
||
* @see ::set_default_color_theme_based_on_theme_settings()
|
||
*/
|
||
public $default_color_scheme = 'light';
|
||
|
||
/** Methods ***************************************************************/
|
||
|
||
/**
 * Return the shared Jetpack_Comments instance, creating it on first use.
 *
 * The instance lives in a function-static, so every later call gets the
 * same object back.
 *
 * @return Jetpack_Comments
 */
public static function init() {
	static $instance = false;

	if ( false === $instance ) {
		$instance = new Jetpack_Comments();
	}

	return $instance;
}
|
||
|
||
/**
 * Main constructor for Comments.
 *
 * Runs the parent (Highlander) setup, announces that the module is loaded,
 * then defers the colour-scheme detection until themes have been set up.
 *
 * @since 1.4
 */
public function __construct() {
	parent::__construct();

	/**
	 * Fires after the Jetpack_Comments object has been instantiated
	 *
	 * @module comments
	 *
	 * @since 1.4.0
	 *
	 * @param array $jetpack_comments_loaded First element in array of type Jetpack_Comments
	 */
	do_action_ref_array( 'jetpack_comments_loaded', array( $this ) );

	// Priority 100: run after the bulk of theme setup code so theme-provided colour settings are readable.
	$detect_colour_scheme = array( $this, 'set_default_color_theme_based_on_theme_settings' );
	add_action( 'after_setup_theme', $detect_colour_scheme, 100 );
}
|
||
|
||
/**
 * Set the default comments colour scheme from the active theme's settings.
 *
 * Twenty Eleven exposes its scheme through twentyeleven_get_theme_options();
 * every other theme is read via the `color_scheme` theme mod. A scheme whose
 * name contains "light" or "dark" (case-insensitive, "light" checked first)
 * overrides the class default; anything else leaves the default untouched.
 */
public function set_default_color_theme_based_on_theme_settings() {
	// 'transparent' is only a sentinel: it matches neither 'light' nor 'dark',
	// so the class default (see $default_color_scheme) survives.
	$theme_color_scheme = 'transparent';

	if ( function_exists( 'twentyeleven_get_theme_options' ) ) {
		$theme_options = twentyeleven_get_theme_options();
		if ( isset( $theme_options['color_scheme'] ) ) {
			$theme_color_scheme = $theme_options['color_scheme'];
		}
	} else {
		$theme_color_scheme = get_theme_mod( 'color_scheme', 'transparent' );
	}

	foreach ( array( 'light', 'dark' ) as $candidate ) {
		if ( false !== stripos( $theme_color_scheme, $candidate ) ) {
			$this->default_color_scheme = $candidate;
			return;
		}
	}
}
|
||
|
||
/** Private Methods *******************************************************/
|
||
|
||
/**
 * Set any global variables or class variables.
 *
 * On top of the parent's globals this defines the identity sources a
 * remote comment may be posted as.
 *
 * @since 1.4
 */
protected function setup_globals() {
	parent::setup_globals();

	// Sources a commenter can identify with; order is kept as originally declared.
	$sources = array( 'guest', 'jetpack', 'wordpress', 'facebook' );

	$this->id_sources = $sources;
}
|
||
|
||
/**
 * Setup actions for methods in this class.
 *
 * Clears every other `comment_form_before` callback so only this module
 * decorates the comment form, then registers the capture / replace hooks
 * and the pre- and post-comment handlers.
 *
 * @since 1.4
 */
protected function setup_actions() {
	parent::setup_actions();

	// Selfishly remove everything from the existing comment form.
	remove_all_actions( 'comment_form_before' );

	// Selfishly add only our actions back, in this order (same priority, so registration order is execution order).
	foreach ( array( 'manage_post_cookie', 'comment_form_before' ) as $method ) {
		add_action( 'comment_form_before', array( $this, $method ) );
	}
	// Priority 1: run very early because we discard everything output before our action.
	add_action( 'comment_form_after', array( $this, 'comment_form_after' ), 1 );

	// Before a comment is posted.
	add_action( 'pre_comment_on_post', array( $this, 'pre_comment_on_post' ), 1 );

	// After a comment is posted.
	add_action( 'comment_post', array( $this, 'add_comment_meta' ) );
}
|
||
|
||
/**
 * Setup filters for methods in this class.
 *
 * @since 1.6.2
 */
protected function setup_filters() {
	parent::setup_filters();

	// hook, method, priority, accepted args.
	$filters = array(
		array( 'comment_post_redirect', 'capture_comment_post_redirect_to_reload_parent_frame', 100, 1 ),
		array( 'comment_duplicate_trigger', 'capture_comment_duplicate_trigger', 100, 1 ),
		array( 'get_avatar', 'get_avatar', 10, 4 ),
		// Fix comment reply link when `comment_registration` is required.
		array( 'comment_reply_link', 'comment_reply_link', 10, 4 ),
	);

	foreach ( $filters as list( $hook, $method, $priority, $accepted_args ) ) {
		add_filter( $hook, array( $this, $method ), $priority, $accepted_args );
	}
}
|
||
|
||
/**
 * Re-issue the `wp-postpass` cookie with SameSite=None so password-protected
 * posts keep working when the comment form is submitted from the remote iframe.
 *
 * The current value is mirrored into a second cookie (`verbum-wp-postpass`);
 * when that mirror already matches, nothing is sent. Note that browsers only
 * accept SameSite=None cookies that are also Secure, so on a plain-HTTP site
 * (`is_ssl()` false) the cookies set here are expected to be dropped.
 */
public function manage_post_cookie() {
	$postpass_cookie_key = 'wp-postpass_' . COOKIEHASH;

	if ( empty( $_COOKIE[ $postpass_cookie_key ] ) ) {
		return;
	}

	$postpass_cookie_value = sanitize_text_field( wp_unslash( $_COOKIE[ $postpass_cookie_key ] ) );

	// Already mirrored with the same value: nothing to do.
	$already_synced = ! empty( $_COOKIE['verbum-wp-postpass'] )
		&& $_COOKIE['verbum-wp-postpass'] === $postpass_cookie_value;
	if ( $already_synced ) {
		return;
	}

	$expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );

	// Same attributes for both cookies; SameSite=None is what lets the cross-site iframe POST carry them.
	$cookie_options = array(
		'expires'  => $expire,
		'samesite' => 'None',
		'path'     => '/',
		'domain'   => COOKIE_DOMAIN,
		'secure'   => is_ssl(),
	);

	foreach ( array( $postpass_cookie_key, 'verbum-wp-postpass' ) as $cookie_name ) {
		jetpack_shim_setcookie( $cookie_name, $postpass_cookie_value, $cookie_options );
	}
}
|
||
|
||
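/**
 * Get the comment avatar from Gravatar or Twitter/Facebook.
 *
 * When the comment carries an `hc_avatar` meta whose host is Facebook's
 * graph or Twitter's image CDN, the avatar `src` is replaced with that
 * (Photon-proxied, https) URL. Leaving the Twitter reference for legacy
 * comments even though support is no longer offered.
 *
 * @since 1.4
 *
 * @param string $avatar  Current avatar markup (an <img> tag).
 * @param string $comment Comment for the avatar.
 * @param int    $size    Size of the avatar.
 *
 * @return string New avatar
 */
public function get_avatar( $avatar, $comment, $size ) {
	if ( ! isset( $comment->comment_post_ID ) || ! isset( $comment->comment_ID ) ) {
		// It's not a comment - bail.
		return $avatar;
	}

	// Detect whether it's a Facebook (or legacy Twitter) avatar.
	$foreign_avatar          = get_comment_meta( $comment->comment_ID, 'hc_avatar', true );
	$foreign_avatar_hostname = wp_parse_url( $foreign_avatar, PHP_URL_HOST );
	if ( ! $foreign_avatar_hostname || ! self::is_foreign_avatar_host( $foreign_avatar_hostname ) ) {
		return $avatar;
	}

	$foreign_avatar_url = esc_url( set_url_scheme( $this->photon_avatar( $foreign_avatar, $size ), 'https' ) );

	// Swap the src attribute, keeping whichever quote style the markup used.
	// A callback is used so '$' or '\' in the URL can never be read as a backreference.
	return preg_replace_callback(
		'#src=([\'"])[^\'"]+\\1#',
		static function ( $match ) use ( $foreign_avatar_url ) {
			return 'src=' . $match[1] . $foreign_avatar_url . $match[1];
		},
		$avatar
	);
}

/**
 * Whether a hostname is graph.facebook.com / twimg.com or a subdomain of one of them.
 *
 * The boundary is required to be the start of the string or a dot, so a host
 * that merely ends in the same characters (e.g. "nottwimg.com") is rejected.
 *
 * @param string $hostname Host part of the avatar URL.
 *
 * @return bool
 */
private static function is_foreign_avatar_host( $hostname ) {
	return 1 === preg_match( '/(?:^|\.)(graph\.facebook\.com|twimg\.com)$/', $hostname );
}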
|
||
|
||
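/**
 * Set comment reply link.
 *
 * Only acts when comment registration is required: core then returns a
 * "log in to reply" link, which does not fit the remote comment form, so a
 * reply link targeting the form is rebuilt here.
 *
 * @param string     $reply_link The HTML markup for the comment reply link.
 * @param array      $args       An array of arguments overriding the defaults.
 * @param WP_Comment $comment    The object of the comment being replied.
 * @param WP_Post    $post       The WP_Post object.
 *
 * @return string New reply link.
 */
public function comment_reply_link( $reply_link, $args, $comment, $post ) {
	// This is only necessary if comment_registration is required to post comments.
	if ( ! get_option( 'comment_registration' ) ) {
		return $reply_link;
	}

	// Both IDs are interpolated into an inline event handler below; force
	// them to integers so only digits can ever land inside the attribute.
	$comment_id = (int) $comment->comment_ID;
	$post_id    = (int) $post->ID;

	$respond_id = esc_attr( $args['respond_id'] );
	$add_below  = esc_attr( $args['add_below'] );

	// Some themes (e.g. Twenty Seventeen) put an SVG icon in the reply text,
	// so let a minimal SVG subset through KSES.
	$reply_text = wp_kses(
		$args['reply_text'],
		array(
			'svg' => array(
				'class'           => true,
				'aria-hidden'     => true,
				'aria-labelledby' => true,
				'role'            => true,
				'xmlns'           => true,
				'width'           => true,
				'height'          => true,
				'viewbox'         => true,
			),
			'use' => array(
				'href'       => true,
				'xlink:href' => true,
			),
		)
	);
	$before_link = wp_kses( $args['before'], wp_kses_allowed_html( 'post' ) );
	$after_link  = wp_kses( $args['after'], wp_kses_allowed_html( 'post' ) );

	$reply_url = esc_url( add_query_arg( 'replytocom', $comment_id . '#' . $respond_id ) );

	return <<<HTML
$before_link
<a class="comment-reply-link" href="$reply_url" onclick="return addComment.moveForm( '$add_below-$comment_id', '$comment_id', '$respond_id', '$post_id' )">$reply_text</a>
$after_link
HTML;
}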
|
||
|
||
/**
 * Get the site's blog token.
 *
 * Used to bypass Comments entirely when Jetpack is not properly connected.
 *
 * @since 11.2
 *
 * @return bool|object False if not properly connected. Object with the blog token if connected.
 */
private function get_blog_token() {
	$blog_token = ( new Tokens() )->get_access_token();

	// A missing token or a WP_Error both mean "not usable".
	$is_usable = $blog_token && ! is_wp_error( $blog_token );

	return $is_usable ? $blog_token : false;
}
|
||
|
||
/** Output Methods ********************************************************/
|
||
|
||
/**
 * Start capturing the core comment_form() output.
 *
 * Output is only captured when Jetpack comments are enabled for the post
 * type and the connection has a usable blog token; otherwise core's form is
 * left untouched. The buffer is discarded again in comment_form_after().
 *
 * @since 1.4
 */
public function comment_form_before() {
	/**
	 * Filters the setting that determines if Jetpack comments should be enabled for
	 * the current post type.
	 *
	 * @module comments
	 *
	 * @since 3.8.1
	 *
	 * @param boolean $return Should comments be enabled?
	 */
	$enabled = apply_filters( 'jetpack_comment_form_enabled_for_' . get_post_type(), true );

	// Disabled for this post type, or the Jetpack connection is not healthy: bail.
	if ( ! $enabled || ! $this->get_blog_token() ) {
		return;
	}

	// Add some JS to the footer.
	add_action( 'wp_footer', array( $this, 'watch_comment_parent' ), 100 );

	ob_start();
}
|
||
|
||
/**
 * Noop the default comment form output, get some options, and output our
 * tricked out totally radical comment form.
 *
 * Discards the buffer started in comment_form_before(), builds the signed
 * parameter set for the remote form, and prints the iframe that loads it
 * from jetpack.wordpress.com plus the hidden `comment_parent` input the
 * reply JS needs.
 *
 * @since 1.4
 */
public function comment_form_after() {
/** This filter is documented in modules/comments/comments.php */
if ( ! apply_filters( 'jetpack_comment_form_enabled_for_' . get_post_type(), true ) ) {
return;
}

$blog_token = $this->get_blog_token();
// If the Jetpack connection is not healthy, bail.
if ( ! $blog_token ) {
return;
}

// Throw it all out and drop in our replacement.
ob_end_clean();

// Subscribe-to-blog / subscribe-to-comments toggles are only meaningful with the Subscriptions module active.
if ( in_array( 'subscriptions', Jetpack::get_active_modules(), true ) ) {
$stb_enabled = get_option( 'stb_enabled', 1 );
$stb_enabled = empty( $stb_enabled ) ? 0 : 1;

$stc_enabled = get_option( 'stc_enabled', 1 );
$stc_enabled = empty( $stc_enabled ) ? 0 : 1;
} else {
$stb_enabled = 0;
$stc_enabled = 0;
}

// Everything in $params is signed below and sent to the remote form as the query string.
$params = array(
'blogid' => Jetpack_Options::get_option( 'id' ),
'postid' => get_the_ID(),
'comment_registration' => ( get_option( 'comment_registration' ) ? '1' : '0' ), // Need to explicitly send a '1' or a '0' for these.
'require_name_email' => ( get_option( 'require_name_email' ) ? '1' : '0' ),
'stc_enabled' => $stc_enabled,
'stb_enabled' => $stb_enabled,
'show_avatars' => ( get_option( 'show_avatars' ) ? '1' : '0' ),
'avatar_default' => get_option( 'avatar_default' ),
'greeting' => get_option( 'highlander_comment_form_prompt', __( 'Leave a Reply', 'jetpack' ) ),
// Verified again by pre_comment_on_post() when the remote form posts back.
'jetpack_comments_nonce' => wp_create_nonce( 'jetpack_comments_nonce-' . get_the_ID() ),
/**
* Changes the comment form prompt.
*
* @module comments
*
* @since 2.3.0
*
* @param string $var Default is "Leave a Reply to %s."
*/
'greeting_reply' => apply_filters(
'jetpack_comment_form_prompt_reply',
/* translators: %s is the displayed username of the post (or comment) author */
__( 'Leave a Reply to %s', 'jetpack' )
),
'color_scheme' => get_option( 'jetpack_comment_form_color_scheme', $this->default_color_scheme ),
'lang' => get_locale(),
'jetpack_version' => JETPACK__VERSION,
// Lets the postMessage handler in watch_comment_parent() address this particular iframe.
'iframe_unique_id' => wp_unique_id(),
);

// Extra parameters for logged in user.
if ( is_user_logged_in() ) {
$current_user = wp_get_current_user();
$params['hc_post_as'] = 'jetpack';
$params['hc_userid'] = $current_user->ID;
$params['hc_username'] = $current_user->display_name;
$params['hc_userurl'] = $current_user->user_url;
// md5 of the normalised address; presumably the Gravatar-style email hash rather than the address itself.
$params['hc_useremail'] = md5( strtolower( trim( $current_user->user_email ) ) );
if ( current_user_can( 'unfiltered_html' ) ) {
$params['_wp_unfiltered_html_comment'] = wp_create_nonce( 'unfiltered-html-comment_' . get_the_ID() );
}
} else {
$commenter = wp_get_current_commenter();
$params['show_cookie_consent'] = (int) has_action( 'set_comment_cookies', 'wp_set_comment_cookies' );
$params['has_cookie_consent'] = (int) ! empty( $commenter['comment_author_email'] );
// Jetpack_Memberships for logged out users only checks for the wp-jp-premium-content-session cookie
$params['is_current_user_subscribed'] = class_exists( '\Jetpack_Memberships' ) ? (int) Jetpack_Memberships::is_current_user_subscribed() : 0;
}

// Only the key part of "key.secret" is ever sent; the secret itself stays server-side and is used for signing only.
list( $token_key ) = explode( '.', $blog_token->secret, 2 );
// Prophylactic check: anything else should never happen.
if ( $token_key && $token_key !== $blog_token->secret ) {
// Is the token a Special Token (@see class.tokens.php)?
if ( preg_match( '/^;.\d+;\d+;$/', $token_key, $matches ) ) {
// The token key for a Special Token is public.
$params['token_key'] = $token_key;
} else {
/*
* The token key for a Normal Token is public but
* looks like sensitive data. Since there can only be
* one Normal Token per site, avoid concern by
* sending the magic "use the Normal Token" token key.
*/
$params['token_key'] = Tokens::MAGIC_NORMAL_TOKEN_KEY;
}
}

$signature = self::sign_remote_comment_parameters( $params, $blog_token->secret );
if ( is_wp_error( $signature ) ) {
// The iframe is still rendered with a literal 'error' signature; the remote side is left to reject it.
$signature = 'error';
}

$params['sig'] = $signature;
// Fixed origin: it is also the only origin the postMessage listener in watch_comment_parent() accepts.
$url_origin = 'https://jetpack.wordpress.com';
$url = "{$url_origin}/jetpack-comment/?" . http_build_query( $params );
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sniff misses the esc_url_raw.
// The parent page URL (from the Host header and request URI) travels in the fragment, so it never reaches the remote server's logs.
$url = "{$url}#parent=" . rawurlencode( esc_url_raw( set_url_scheme( 'http://' . ( isset( $_SERVER['HTTP_HOST'] ) ? wp_unslash( $_SERVER['HTTP_HOST'] ) : '' ) . ( isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '' ) ) ) );
$this->signed_url = $url;
// comment_registration is the string '0' or '1'; '0' is falsy, so this reads as intended.
$height = $params['comment_registration'] || is_user_logged_in() ? '315' : '430'; // Iframe can be shorter if we're not allowing guest commenting.
$transparent = ( 'transparent' === $params['color_scheme'] ) ? 'true' : 'false';

// NOTE(review): appended after the '#parent=' fragment above, so replytocom ends up inside the fragment, not the query string — confirm the remote form reads it from there.
if ( isset( $_GET['replytocom'] ) ) { //phpcs:ignore WordPress.Security.NonceVerification.Recommended
$url .= '&replytocom=' . (int) $_GET['replytocom']; //phpcs:ignore WordPress.Security.NonceVerification.Recommended
}

/**
* Filter whether the comment title can be displayed.
*
* @module comments
*
* @since 4.7.0
*
* @param bool $show Can the comment be displayed? Default to true.
*/
$show_greeting = apply_filters( 'jetpack_comment_form_display_greeting', true );

/**
* Filter the comment title tag.
*
* @module comments
* @since 12.4
*
* @param string $comment_reply_title_tag The comment title tag. Default to h3.
*/
$comment_reply_title_tag = apply_filters( 'jetpack_comment_reply_title_tag', 'h3' );

// The actual iframe (loads comment form from Jetpack server).

$is_amp = class_exists( Jetpack_AMP_Support::class ) && Jetpack_AMP_Support::is_amp_request();
?>

<div id="respond" class="comment-respond">
<?php
if ( true === $show_greeting ) :
// The tag name comes from a filter (plugin/theme code), not from the request.
printf(
'<%1$s id="reply-title" class="comment-reply-title">',
esc_html( $comment_reply_title_tag )
);

comment_form_title(
esc_html( $params['greeting'] ),
esc_html( $params['greeting_reply'] )
);
echo '<small>';
cancel_comment_reply_link( esc_html__( 'Cancel reply', 'jetpack' ) );
echo '</small>';

printf(
'</%1$s>',
esc_html( $comment_reply_title_tag )
);
endif;
?>
<form id="commentform" class="comment-form">
<iframe
title="<?php esc_attr_e( 'Comment Form', 'jetpack' ); ?>"
src="<?php echo esc_url( $url ); ?>"
<?php if ( $is_amp ) : ?>
resizable
layout="fixed-height"
height="<?php echo esc_attr( $height ); ?>"
<?php else : ?>
name="jetpack_remote_comment"
style="width:100%; height: <?php echo esc_attr( $height ); ?>px; border:0;"
<?php endif; ?>
class="jetpack_remote_comment"
id="jetpack_remote_comment"
<?php // The sandbox grants scripts, forms, popups and top-navigation: acceptable only because src is pinned to the jetpack.wordpress.com origin above. ?>
sandbox="allow-same-origin allow-top-navigation allow-scripts allow-forms allow-popups"
>
<?php if ( $is_amp ) : ?>
<button overflow><?php esc_html_e( 'Show more', 'jetpack' ); ?></button>
<?php endif; ?>
</iframe>
<?php if ( ! $is_amp ) : ?>
<!--[if !IE]><!-->
<script>
document.addEventListener('DOMContentLoaded', function () {
var commentForms = document.getElementsByClassName('jetpack_remote_comment');
for (var i = 0; i < commentForms.length; i++) {
// $transparent is the literal 'true' or 'false' computed above, so this is a JS boolean.
commentForms[i].allowTransparency = <?php echo esc_html( $transparent ); ?>;
commentForms[i].scrolling = 'no';
}
});
</script>
<!--<![endif]-->
<?php endif; ?>
</form>
</div>

<?php // Below is required for comment reply JS to work. ?>

<input type="hidden" name="comment_parent" id="comment_parent" value="" />

<?php
}
|
||
|
||
/**
 * Add some JS to wp_footer to watch for hierarchical reply parent change
 *
 * Two things are wired up client-side: core's addComment.moveForm is
 * wrapped so the iframe's `replytocom` query parameter follows the comment
 * being replied to (only when threaded comments are on), and a postMessage
 * listener resizes the matching iframe to the height the remote form reports.
 *
 * If AMP is enabled, we don't make any changes.
 *
 * @since 1.4
 */
public function watch_comment_parent() {
if ( class_exists( Jetpack_AMP_Support::class ) && Jetpack_AMP_Support::is_amp_request() ) {
// @todo Implement AMP support.
return;
}
?>
<script type="text/javascript">
(function () {
const iframe = document.getElementById( 'jetpack_remote_comment' );
<?php if ( get_option( 'thread_comments' ) && get_option( 'thread_comments_depth' ) ) : ?>
const watchReply = function() {
// Check addComment._Jetpack_moveForm to make sure we don't monkey-patch twice.
if ( 'undefined' !== typeof addComment && ! addComment._Jetpack_moveForm ) {
// Cache the Core function.
addComment._Jetpack_moveForm = addComment.moveForm;
// NOTE(review): commentParent is looked up but never used below.
const commentParent = document.getElementById( 'comment_parent' );
// NOTE(review): assumed to exist whenever threading is on; a theme that omits the cancel link would make the addEventListener call below throw.
const cancel = document.getElementById( 'cancel-comment-reply-link' );

// Point the iframe at the given parent comment (or clear it) by editing its replytocom query parameter.
function tellFrameNewParent ( commentParentValue ) {
const url = new URL( iframe.src );
if ( commentParentValue ) {
url.searchParams.set( 'replytocom', commentParentValue )
} else {
url.searchParams.delete( 'replytocom' );
}
// Only reassign when something changed, so the iframe is not reloaded needlessly.
if( iframe.src !== url.href ) {
iframe.src = url.href;
}
};

cancel.addEventListener( 'click', function () {
tellFrameNewParent( false );
} );

// Wrap core's moveForm: forward the parent id to the iframe, then let core do its thing.
addComment.moveForm = function ( _, parentId ) {
tellFrameNewParent( parentId );
return addComment._Jetpack_moveForm.apply( null, arguments );
};
}
}
document.addEventListener( 'DOMContentLoaded', watchReply );
// In WP 6.4+, the script is loaded asynchronously, so we need to wait for it to load before we monkey-patch the functions it introduces.
document.querySelector('#comment-reply-js')?.addEventListener( 'load', watchReply );

<?php endif; ?>

const commentIframes = document.getElementsByClassName('jetpack_remote_comment');

window.addEventListener('message', function(event) {
// Origin check first: only the host of the remote form may drive resizing. This must stay the same origin the iframe src uses.
if (event.origin !== 'https://jetpack.wordpress.com') {
return;
}

if (!event?.data?.iframeUniqueId && !event?.data?.height) {
return;
}

// NOTE(review): eventDataUniqueId is assigned but the loop below reads event.data.iframeUniqueId directly.
const eventDataUniqueId = event.data.iframeUniqueId;

// Change height for the matching comment iframe
for (let i = 0; i < commentIframes.length; i++) {
// Shadows the outer `iframe`; this one is the current element of the loop.
const iframe = commentIframes[i];
const url = new URL(iframe.src);
const iframeUniqueIdParam = url.searchParams.get('iframe_unique_id');
// Loose equality on purpose? The query value is a string while the message value may be a number — TODO confirm.
if (iframeUniqueIdParam == event.data.iframeUniqueId) {
// height is not validated here; a non-numeric value just yields an invalid style the browser ignores.
iframe.style.height = event.data.height + 'px';
return;
}
}
});
})();
</script>
<?php
}
|
||
|
||
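/**
 * Verify the signature included in remote comments.
 *
 * Runs on `pre_comment_on_post`, before core inserts the comment:
 * - a POST without `sig`/`token_key` is a plain local submission and is left
 *   alone (only the remote-only `hc_post_as` field is dropped);
 * - otherwise the nonce must verify, the blog token named by `token_key` must
 *   exist, and the signature over the posted fields must match, or the
 *   request dies with a 400. If comments are disabled for the post type the
 *   request dies with a 403.
 *
 * @since 1.4
 */
public function pre_comment_on_post() {
	$post_array = stripslashes_deep( $_POST );

	// Bail if missing the Jetpack token: this is not a remote-form submission.
	if ( ! isset( $post_array['sig'] ) || ! isset( $post_array['token_key'] ) ) {
		unset( $_POST['hc_post_as'] );
		return;
	}

	$comment_post_id = isset( $post_array['comment_post_ID'] ) ? $post_array['comment_post_ID'] : '';

	if ( empty( $post_array['jetpack_comments_nonce'] ) || ! wp_verify_nonce( $post_array['jetpack_comments_nonce'], "jetpack_comments_nonce-{$comment_post_id}" ) ) {
		// The cross-site POST may arrive without cookies; re-submit it once from this origin
		// (retry_submit_comment_form_locally() never returns), then fail for good on the retry.
		if ( ! isset( $_GET['only_once'] ) ) {
			self::retry_submit_comment_form_locally();
		}
		wp_die( esc_html__( 'Nonce verification failed.', 'jetpack' ), 400 );
	}

	// Both values feed string-only APIs below (the token lookup and hash_equals());
	// a non-string here is malformed input, not a token mismatch, so reject it outright.
	if ( ! is_string( $post_array['sig'] ) || ! is_string( $post_array['token_key'] ) ) {
		wp_die( esc_html__( 'Invalid security token.', 'jetpack' ), 400 );
	}

	// Normalise Gravatar URLs *before* signing: the signature below is computed
	// over the mutated array, so this must stay ahead of sign_remote_comment_parameters().
	if ( isset( $post_array['hc_avatar'] ) && is_string( $post_array['hc_avatar'] ) && str_contains( $post_array['hc_avatar'], '.gravatar.com' ) ) {
		$post_array['hc_avatar'] = htmlentities( $post_array['hc_avatar'], ENT_COMPAT );
	}

	$blog_token = ( new Tokens() )->get_access_token( false, $post_array['token_key'] );
	if ( ! $blog_token || is_wp_error( $blog_token ) ) {
		wp_die( esc_html__( 'Unknown security token.', 'jetpack' ), 400 );
	}

	$check = self::sign_remote_comment_parameters( $post_array, $blog_token->secret );
	if ( is_wp_error( $check ) ) {
		// A WP_Error has no string form; show its message rather than the object.
		wp_die( esc_html( $check->get_error_message() ) );
	}

	// Constant-time comparison; bail if the signature does not match (expired or invalid token).
	if ( ! hash_equals( $check, $post_array['sig'] ) ) {
		wp_die( esc_html__( 'Invalid security token.', 'jetpack' ), 400 );
	}

	/** This filter is documented in modules/comments/comments.php */
	if ( ! apply_filters( 'jetpack_comment_form_enabled_for_' . get_post_type( $comment_post_id ), true ) ) {
		// The POST may be legit, but comments for this post type are now disabled, so don't allow it.
		wp_die( esc_html__( 'Comments are not allowed.', 'jetpack' ), 403 );
	}
}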
|
||
|
||
/**
 * Handle Jetpack Comments POST requests: process the comment form, then client-side POST the results to the self-hosted blog
 *
 * This function exists because when we submit the form via the jetpack.wordpress.com iframe
 * in Chrome the request comes in to Jetpack but for some reason the request doesn't have access to cookies yet.
 * By submitting the form again locally with the same data the process works as expected.
 *
 * The page it prints is an auto-submitting form carrying every posted field
 * back to this site's own wp-comments-post.php. The `only_once=true` query
 * argument is what stops pre_comment_on_post() from calling this a second time.
 *
 * @return never
 */
public function retry_submit_comment_form_locally() {
// We are not doing any validation here since all the validation will be done again by pre_comment_on_post().
// phpcs:ignore WordPress.Security.NonceVerification.Missing
$comment_data = stripslashes_deep( $_POST );
?>
<!DOCTYPE html>
<html>
<head>
<link rel="preload" as="image" href="https://jetpack.wordpress.com/wp-admin/images/spinner.gif"> <!-- Preload the spinner image -->
<meta charset="utf-8">
<title><?php echo esc_html__( 'Submitting Comment', 'jetpack' ); ?></title>
<style type="text/css">
body {
display: table;
width: 100%;
height: 60%;
position: absolute;
top: 0;
left: 0;
overflow: hidden;
color: #333;
}
</style>
</head>
<body>
<img src="https://jetpack.wordpress.com/wp-admin/images/spinner.gif" >
<?php // The action is this site's own comment endpoint, so the re-post never leaves the origin. ?>
<form id="jetpack-remote-comment-post-form" action="<?php echo esc_url( get_site_url() ); ?>/wp-comments-post.php?for=jetpack&only_once=true" method="POST">
<?php // NOTE(review): esc_attr() expects a string; a nested (array-valued) POST field would be stringified as "Array" here — confirm such fields never occur. ?>
<?php foreach ( $comment_data as $key => $val ) : ?>
<input type="hidden" name="<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $val ); ?>" />
<?php endforeach; ?>
</form>

<script type="text/javascript">
document.getElementById("jetpack-remote-comment-post-form").submit();
</script>
</body>
</html>
<?php
exit;
}
|
||
|
||
/** Capabilities **********************************************************/
|
||
|
||
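/**
 * Add some additional comment meta after comment is saved about what
 * service the comment is from, the avatar, user_id, etc...
 *
 * Runs on `comment_post`. Only comments identified as posted through one of
 * the remote sources (facebook, wordpress, jetpack) get meta; the fields
 * read from the POST are the same for every source, with `wordpress` adding
 * one more.
 *
 * @since 1.4
 *
 * @param int $comment_id The comment ID.
 */
public function add_comment_meta( $comment_id ) {
	// phpcs:disable WordPress.Security.NonceVerification.Missing -- remote submissions were already signature-checked by pre_comment_on_post().
	switch ( $this->is_highlander_comment_post() ) {
		case 'facebook':
			$comment_meta = $this->foreign_comment_meta( 'facebook' );
			break;

		// phpcs:ignore WordPress.WP.CapitalPDangit
		case 'wordpress':
			// phpcs:ignore WordPress.WP.CapitalPDangit
			$comment_meta = $this->foreign_comment_meta( 'wordpress' );
			$comment_meta['hc_wpcom_id_sig'] = $this->posted_value( 'hc_wpcom_id_sig' ); // since 1.9.
			break;

		case 'jetpack':
			$comment_meta = $this->foreign_comment_meta( 'jetpack' );
			break;

		default:
			// Not a remote comment (or an unknown source): no extra meta.
			return;
	}
	// phpcs:enable WordPress.Security.NonceVerification.Missing

	// Loop through extra meta and add values.
	foreach ( $comment_meta as $key => $value ) {
		add_comment_meta( $comment_id, $key, $value, true );
	}
}

/**
 * The meta fields shared by every remote comment source.
 *
 * @param string $post_as The service the comment was posted as.
 *
 * @return array Meta keys to values; a value is null when its POST field is absent.
 */
private function foreign_comment_meta( $post_as ) {
	return array(
		'hc_post_as'         => $post_as,
		'hc_avatar'          => $this->posted_value( 'hc_avatar' ),
		'hc_foreign_user_id' => $this->posted_value( 'hc_userid' ),
	);
}

/**
 * Read a raw POST field through filter_var() with the default filter.
 *
 * @param string $key The $_POST key.
 *
 * @return string|false|null The field as a string, false for a non-scalar value, null when absent.
 */
private function posted_value( $key ) {
	// phpcs:ignore WordPress.Security.NonceVerification.Missing -- remote submissions were already signature-checked by pre_comment_on_post().
	return isset( $_POST[ $key ] ) ? filter_var( wp_unslash( $_POST[ $key ] ) ) : null;
}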
|
||
|
||
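/**
 * Should show the subscription modal
 *
 * True only on a WoA (Atomic) site with the `jetpack_verbum_subscription_modal`
 * option on, and only when the POST does not say the commenter is already
 * subscribed. Never on self-hosted or Simple sites.
 *
 * @return boolean
 */
public function should_show_subscription_modal() {
	$host = new Host();

	// Not allowed to run on self-hosted or Simple sites.
	if ( ! $host->is_wpcom_platform() || $host->is_wpcom_simple() ) {
		return false;
	}

	// phpcs:disable WordPress.Security.NonceVerification.Missing
	$posted_subscribed = isset( $_POST['is_current_user_subscribed'] ) ? filter_var( wp_unslash( $_POST['is_current_user_subscribed'] ) ) : null;
	// phpcs:enable WordPress.Security.NonceVerification.Missing

	// The field arrives as the string '0' or '1' (see comment_form_after()); cast the
	// whole expression, not just isset(), so '0' and an absent field both read as false.
	$is_current_user_subscribed = (bool) $posted_subscribed;

	// Atomic sites with jetpack_verbum_subscription_modal option enabled.
	$modal_enabled = $host->is_woa_site() && get_option( 'jetpack_verbum_subscription_modal', true );

	return $modal_enabled && ! $is_current_user_subscribed;
}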
|
||
|
||
/**
 * Get the data to send as an event to the parent window on subscription modal
 *
 * Everything except `url` is read from the current POST (the comment
 * submission) or site settings.
 *
 * @param string $url url to redirect to.
 *
 * @return array
 */
public function get_subscription_modal_data_to_parent( $url ) {
	// phpcs:disable WordPress.Security.NonceVerification.Missing
	$current_user_email = null;
	if ( isset( $_POST['email'] ) ) {
		$current_user_email = filter_var( wp_unslash( $_POST['email'] ) );
	}

	$post_id = null;
	if ( isset( $_POST['comment_post_ID'] ) ) {
		$post_id = filter_var( wp_unslash( $_POST['comment_post_ID'] ) );
	}

	// Presence of the remote user id is what marks a logged-in commenter.
	$is_logged_in = isset( $_POST['hc_userid'] );
	// phpcs:enable WordPress.Security.NonceVerification.Missing

	$data                 = array();
	$data['url']          = $url;
	$data['email']        = $current_user_email;
	$data['blog_id']      = esc_attr( \Jetpack_Options::get_option( 'id' ) );
	$data['post_id']      = esc_attr( $post_id );
	$data['lang']         = esc_attr( get_locale() );
	$data['is_logged_in'] = $is_logged_in;

	return $data;
}
|
||
|
||
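/**
 * Track the hidden event for the subscription modal
 *
 * Records one of `hidden_disabled` (default), `hidden_self_hosted` (not a
 * WordPress.com-platform site, or a Simple site) or
 * `hidden_already_subscribed` (the POST says the commenter is subscribed)
 * under the `subscribe-modal-comm` stat.
 */
public function subscription_modal_status_track_event() {
	$host           = new Host();
	$tracking_event = 'hidden_disabled';

	// Not allowed to run on self-hosted or Simple sites.
	if ( ! $host->is_wpcom_platform() || $host->is_wpcom_simple() ) {
		$tracking_event = 'hidden_self_hosted';
	}

	// phpcs:disable WordPress.Security.NonceVerification.Missing
	$posted_subscribed = isset( $_POST['is_current_user_subscribed'] ) ? filter_var( wp_unslash( $_POST['is_current_user_subscribed'] ) ) : null;
	// phpcs:enable WordPress.Security.NonceVerification.Missing

	// The field arrives as the string '0' or '1'; cast the whole expression, not
	// just isset(), so '0' and an absent field both read as "not subscribed".
	if ( (bool) $posted_subscribed ) {
		$tracking_event = 'hidden_already_subscribed';
	}

	$jetpack = Jetpack::init();
	// $jetpack->stat automatically prepends the stat group with 'jetpack-'.
	$jetpack->stat( 'subscribe-modal-comm', $tracking_event );
	$jetpack->do_stats( 'server_side' );
}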
|
||
|
||
/**
 * Catch the duplicated comment error and show a custom error page
 *
 * Hooked to `comment_duplicate_trigger`. For a submission coming from the
 * remote form (`?for=jetpack`) this prints a small "duplicate comment" page
 * with a back link and exits; the request ends here either way.
 *
 * @return never
 */
public function capture_comment_duplicate_trigger() {
// NOTE(review): a bare exit here also ends non-Jetpack submissions before core prints its own duplicate-comment notice — confirm that is intended.
if ( ! isset( $_GET['for'] ) || 'jetpack' !== $_GET['for'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
exit;
}

?>
<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<!--<![endif]-->
<head>
<meta charset="<?php bloginfo( 'charset' ); ?>" />
<title>
<?php
// printf() has already echoed the (unescaped, translation-sourced) title by the time wp_kses_post() sees its integer return value, whose result is discarded.
wp_kses_post(
printf(
/* translators: %s is replaced by an ellipsis */
__( 'Submitting Comment%s', 'jetpack' ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
'…'
)
);
?>
</title>
<style type="text/css">
body {
display: table;
width: 100%;
height: 60%;
position: absolute;
top: 0;
left: 0;
overflow: hidden;
color: #333;
padding-top: 3%;
}
div {
text-align: left;
margin: 0;
padding: 0;
display: table-cell;
vertical-align: top;
font-family: "HelveticaNeue-Light", "Helvetica Neue Light", "Helvetica Neue", sans-serif;
font-weight: normal;
}

h3 {
margin: 0;
padding-bottom: 3%;
font-family: "HelveticaNeue-Light", "Helvetica Neue Light", "Helvetica Neue", sans-serif;
font-weight: normal;
}
a {
text-decoration: underline;
color: #333 !important;
}
</style>
</head>
<body>
<div>
<h3>
<?php
esc_html_e( 'Duplicate comment detected; it looks as though you’ve already said that!', 'jetpack' );
?>
</h3>
<?php // A javascript: href; a strict Content-Security-Policy on the site would block it — TODO confirm none applies. ?>
<a href="javascript:backToComments()"><?php esc_html_e( '« Back', 'jetpack' ); ?></a>
</div>
<script type="text/javascript">
// Chromium/Safari-family browsers need two history steps back to land on the post; others need one.
function backToComments() {
const test = regexp => {
return regexp.test(navigator.userAgent);
};
if (test(/chrome|chromium|crios|safari|edg/i)) {
history.go(-2);
return;
}
history.back();
}
</script>

</body>
</html>
<?php
exit;
}
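/**
 * POST the submitted comment to the iframe.
 *
 * Appears to be used as a filter callback on the post-comment redirect URL
 * (the registration is outside this block). For requests not tagged with
 * `for=jetpack` the URL is returned unchanged. For Jetpack requests an HTML
 * page is rendered that either reloads the parent frame at $url or, when the
 * subscription modal should be shown, notifies the parent via postMessage;
 * in that case the request ends with `exit`.
 *
 * @param string $url The comment URL origin.
 *
 * @return string The unchanged URL when the request is not from the Jetpack
 *                comment form; otherwise the method never returns.
 */
public function capture_comment_post_redirect_to_reload_parent_frame( $url ) {
	// The `for` value is compared strictly against a literal and is never
	// echoed, so the guard itself is the only handling it needs.
	if ( ! isset( $_GET['for'] ) || 'jetpack' !== $_GET['for'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
		return $url;
	}

	$should_show_subscription_modal = $this->should_show_subscription_modal();

	// Track event when not showing the subscription modal.
	if ( ! $should_show_subscription_modal ) {
		$this->subscription_modal_status_track_event();
	}
	?>
	<!DOCTYPE html>
	<html <?php language_attributes(); ?>>
	<!--<![endif]-->
	<head>
		<meta charset="<?php bloginfo( 'charset' ); ?>" />
		<title>
			<?php
			// Escape the translated string itself: the previous form wrapped
			// printf()'s integer return value in wp_kses_post(), which escaped
			// nothing. <title> is a plain-text context, so esc_html() applies.
			echo esc_html(
				sprintf(
					/* translators: %s is replaced by an ellipsis */
					__( 'Submitting Comment%s', 'jetpack' ),
					'…'
				)
			);
			?>
		</title>
		<style type="text/css">
			body {
				display: table;
				width: 100%;
				height: 60%;
				position: absolute;
				top: 0;
				left: 0;
				overflow: hidden;
				color: #333;
				padding-top: 3%;
			}

			h3 {
				text-align: center;
				margin: 0;
				padding: 0;
				display: table-cell;
				vertical-align: top;
				font-family: "HelveticaNeue-Light", "Helvetica Neue Light", "Helvetica Neue", sans-serif;
				font-weight: normal;
			}

			.hidden {
				opacity: 0;
			}

			h3 span {
				-moz-transition-property: opacity;
				-moz-transition-duration: 1s;
				-moz-transition-timing-function: ease-in-out;

				-webkit-transition-property: opacity;
				-webkit-transition-duration: 1s;
				-webkit-transition-timing-function: ease-in-out;

				-o-transition-property: opacity;
				-o-transition-duration: 1s;
				-o-transition-timing-function: ease-in-out;

				-ms-transition-property: opacity;
				-ms-transition-duration: 1s;
				-ms-transition-timing-function: ease-in-out;

				transition-property: opacity;
				transition-duration: 1s;
				transition-timing-function: ease-in-out;
			}
		</style>
	</head>
	<body>
		<?php if ( ! $should_show_subscription_modal ) { ?>
			<h3>
				<?php
				// The placeholder is intentional markup, so wp_kses_post() on the
				// assembled string keeps the <span> while stripping anything else a
				// translation might smuggle in. Output is escaped here, not after
				// the fact on printf()'s return value.
				echo wp_kses_post(
					sprintf(
						/* translators: %s is replaced by HTML markup to include an ellipsis */
						__( 'Submitting Comment%s', 'jetpack' ),
						'<span id="ellipsis" class="hidden">…</span>'
					)
				);
				?>
			</h3>
			<script type="text/javascript">
				// wp_json_encode() yields a JS string literal; with the default
				// flags PHP escapes "/" so a "</script>" inside $url cannot close
				// the script element.
				try {
					window.parent.location.href = <?php echo wp_json_encode( $url ); ?>;
				} catch (e) {
					window.location.href = <?php echo wp_json_encode( $url ); ?>;
				}
				const ellipsis = document.getElementById('ellipsis');

				function toggleEllipsis() {
					ellipsis.className = ellipsis.className ? '' : 'hidden';
				}

				setInterval(toggleEllipsis, 1200);
			</script>
		<?php } else { ?>
			<h3>
				<?php esc_html_e( 'Comment sent', 'jetpack' ); ?>
			</h3>
			<script type="text/javascript">
				// The target origin is this frame's own origin, so the message is
				// only delivered when the embedding page is served from the same
				// origin; a cross-origin parent would silently receive nothing.
				if ( window.parent && window.parent !== window ) {
					window.parent.postMessage(
						{
							type: 'subscriptionModalShow',
							data: <?php echo wp_json_encode( $this->get_subscription_modal_data_to_parent( $url ) ); ?>,
						},
						window.location.origin
					);
				}
			</script>
		<?php } ?>
	</body>
	</html>
	<?php
	exit;
}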
}
// Instantiate the module on load; init() holds a single static instance, so
// repeated calls return the same object.
Jetpack_Comments::init();