Diffstat (limited to '')
-rw-r--r--src/web/_controller/_comments.php20
-rw-r--r--src/web/_model/_comments.php19
-rw-r--r--src/web/_views/comments.php2
-rw-r--r--src/web/core/controller.php23
4 files changed, 38 insertions, 26 deletions
diff --git a/src/web/_controller/_comments.php b/src/web/_controller/_comments.php
index eea792f..3b8fe35 100644
--- a/src/web/_controller/_comments.php
+++ b/src/web/_controller/_comments.php
@@ -17,20 +17,12 @@ class _comments_controller extends Controller {
}
public function post(): void {
- $author = ''; $content = ''; $ref = '';
- if (
- !array_key_exists('author', $_GET) ||
- !array_key_exists('content', $_GET) ||
- !array_key_exists('ref', $_GET) ||
- !array_key_exists('page', $_GET)
- ) {
- $this->error(400); return;
- }
- $author = trim($_GET['author']);
- $content = trim($_GET['content']);
- $page = $_GET['page'];
- $ref = $_GET['ref'];
+ $author = trim($this->post_data('author'));
+ $content = trim($this->post_data('content'));
+ $page = $this->post_data('page');
+ $ref = $this->post_data('ref');
+
$url = NULL;
$author_len = strlen($author);
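Review bot: The switch to `post_data()` still accepts a comment from any origin, because nothing in the new lines verifies a CSRF token before `author`, `content`, `page` and `ref` are read — a POST form without a token is as forgeable as the GET form was. If the project has a session-bound token, check it before anything else in `post()`: `if (!hash_equals($_SESSION['csrf'] ?? '', (string) $this->post_data('csrf'))) { $this->error(403); return; }`, with the matching hidden field in the form. Neither a token helper nor the session layer is visible in this diff, so the exact names have to come from the codebase. The body of `post()` and its length validation continue past the hunk.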
@@ -55,7 +47,7 @@ class _comments_controller extends Controller {
try {
$ref = base64_decode($ref);
$url = parse_url($ref);
- if (!$url && array_key_exists('host', $url)) {
+ if (!$url || array_key_exists('host', $url)) {
// dont allow redirects off this site
$this->error(400);
return;
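Review bot: The corrected condition on the `array_key_exists('host', ...)` line still lets a scheme-only or backslash-prefixed value through, because `parse_url()` sets no `host` for `javascript:alert(1)` or `/\evil.example` (several browsers treat `/\` as `//`), and `base64_decode($ref)` in non-strict mode silently drops invalid characters instead of failing. If `$ref` later becomes a redirect target, as the comment states, accept only a site-relative path: `$ref = base64_decode($ref, true);` then `$url = $ref === false ? false : parse_url($ref);` and `if (!$url || isset($url['scheme']) || isset($url['host']) || !preg_match('#^/(?![/\\\\])#', $url['path'] ?? '')) {`. The enclosing `try` and the redirect itself are outside the hunk, so this assumes `$ref` reaches a `Location` header unchanged.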
diff --git a/src/web/_model/_comments.php b/src/web/_model/_comments.php
index f36c642..3518508 100644
--- a/src/web/_model/_comments.php
+++ b/src/web/_model/_comments.php
@@ -1,6 +1,13 @@
<?php /* Copyright (c) 2024 Freya Murphy */
class _comments_model extends Model {
+ private $profanity;
+
+ function __construct()
+ {
+ $this->profanity = $this->load_profanity();
+ }
+
private function load_profanity()
{
$path = ASSET_ROOT . '/profanity.txt';
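Review bot: The added constructor reads and compiles profanity.txt on every `_comments_model` instantiation, including requests that only call `get_comments()`, and it does not call `parent::__construct()`, so if `Model` (not shown here) has constructor logic it is now skipped for this subclass. A lazy property avoids both: declare `private $profanity = null;`, drop the constructor, and have `is_vulgar()` run `$this->profanity ??= $this->load_profanity();` before matching. That also keeps a missing or unreadable profanity file from failing every page that merely lists comments, assuming `load_profanity()` (whose body continues outside the hunk) errors in that case.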
@@ -24,8 +31,7 @@ class _comments_model extends Model {
public function is_vulgar($text)
{
- $profanity = $this->load_profanity();
- return preg_match($profanity, $text);
+ return preg_match($this->profanity, $text);
}
public function get_comments($page)
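Review bot: `preg_match()` on the new `return` line yields `false` on a PCRE error (malformed pattern, backtrack or recursion limit), and `false` reads as "not vulgar" to the caller, so a bad entry in profanity.txt or a crafted comment that trips the backtrack limit bypasses the filter instead of failing closed. Return an explicit boolean and treat an engine error as a hit: `$hit = preg_match($this->profanity, $text); return $hit === 1 || $hit === false;` — or log `preg_last_error_msg()` and reject the comment outright. Whether any caller depends on the raw int return is not visible in this hunk.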
@@ -45,15 +51,6 @@ class _comments_model extends Model {
return $result;
}
- public function ban_user()
- {
- $ip = CONTEXT['ip'];
- $this->db()
- ->insert_into('admin.banned', 'ip', 'reason')
- ->values($ip, 'vulgar language')
- ->execute();
- }
-
public function post_comment($author, $content, $page, $vulgar)
{
$ip = CONTEXT['ip'];
diff --git a/src/web/_views/comments.php b/src/web/_views/comments.php
index d566549..f67a90b 100644
--- a/src/web/_views/comments.php
+++ b/src/web/_views/comments.php
@@ -17,7 +17,7 @@
?>
<div class="new">
<h3><?=lang('new_comment_title')?></h3>
- <form id="new_comment" method="get" action="<?=$this->get_url('_comments/post')?>">
+ <form id="new_comment" method="post" action="<?=$this->get_url('_comments/post')?>">
<div><input
type="text"
name="author"
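Review bot: The form now POSTs but carries no anti-forgery field, so changing the method alone does not stop a third-party page from submitting comments on a visitor's behalf. Add a hidden token bound to the session next to the `author` input, e.g. `<input type="hidden" name="csrf" value="<?=htmlspecialchars($csrf_token, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')?>">`, and have `_comments/post` verify it before reading the other fields. No token helper is visible in this diff, so the variable name is a placeholder; the remainder of the form lies outside the hunk.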
diff --git a/src/web/core/controller.php b/src/web/core/controller.php
index ac1e458..ca892e2 100644
--- a/src/web/core/controller.php
+++ b/src/web/core/controller.php
@@ -39,4 +39,27 @@ abstract class Controller extends Component {
die();
}
+ /**
+ * Returns HTTP POST information if POST request.
+ * Returns 405 Method Not Allowed if not.
+ *
+ * If $key is specified, returns only that key. otherwise
+ * returns HTTP 400 Bad Request;
+ */
+ protected function post_data(?string $key = NULL): array|string
+ {
+ // only post requests allowed
+ if ($_SERVER['REQUEST_METHOD'] != 'POST')
+ $this->error(405);
+
+ // return entire $_POST array
+ if (!$key)
+ return $_POST;
+
+ if (!isset($_POST[$key]))
+ $this->error(400);
+
+ return $_POST[$key];
+ }
+
}
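Review bot: `post_data()` returns `$_POST[$key]` unchecked, so a request with `author[]=x` hands an array to the `trim()` calls in `_comments_controller::post()` and PHP 8 throws a TypeError (a 500) instead of the intended 400; the existence test should also require a string: `if (!isset($_POST[$key]) || !is_string($_POST[$key]))`. The docblock is also wrong — its last sentence says a specified key returns 400; it should read "If $key is given, returns that field, or responds 400 Bad Request when it is absent; with no key, returns the whole $_POST array." Both the 405 and 400 paths rely on `error()` never returning (the `die()` visible just above suggests it does not); if that ever changes, a `return` after each call is needed. Note that `if (!$key)` treats the field name `'0'` as "no key"; `$key === null` is the precise test.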