Diffstat (limited to 'src/web/_controller/_comments.php')
-rw-r--r--src/web/_controller/_comments.php87
1 files changed, 87 insertions, 0 deletions
diff --git a/src/web/_controller/_comments.php b/src/web/_controller/_comments.php
new file mode 100644
index 0000000..4b87a94
--- /dev/null
+++ b/src/web/_controller/_comments.php
@@ -0,0 +1,87 @@
+<?php /* Copyright (c) 2024 Freya Murphy */
+class _comments_controller extends Controller {
+
+ private $comments_model;
+
+ function __construct($load) {
+ parent::__construct($load);
+ $this->comments_model = $this->load->model('_comments');
+ }
+
+
+ public function comments($page, $ref): void {
+ $data = $this->comments_model->get_comments($page);
+ $this->view('comments', array(
+ 'comments' => $data,
+ 'ref' => $ref,
+ 'page' => $page
+ ));
+ }
+
+ public function post(): void {
+ $author = ''; $content = ''; $ref = '';
+ if (
+ !array_key_exists('author', $_GET) ||
+ !array_key_exists('content', $_GET) ||
+ !array_key_exists('ref', $_GET) ||
+ !array_key_exists('page', $_GET)
+ ) {
+ $this->error(400); return;
+ }
+
+ $author = trim($_GET['author']);
+ $content = trim($_GET['content']);
+ $page = $_GET['page'];
+ $ref = $_GET['ref'];
+ $url = NULL;
+
+ $author_len = strlen($author);
+ $content_len = strlen($content);
+
+ if ($author_len < 1 || $content_len < 1) {
+ $this->error(400);
+ return;
+ }
+
+ if ($author_len > 30 || $content_len > 500) {
+ $this->error(413);
+ return;
+ }
+
+ if (base64_encode(base64_decode($ref)) !== $ref) {
+ // invalid base64
+ $this->error(400);
+ return;
+ }
+
+ try {
+ $ref = base64_decode($ref);
+ $url = parse_url($ref);
+ if (!$url && array_key_exists('host', $url)) {
+ // dont allow redirects off this site
+ $this->error(400);
+ return;
+ }
+ } catch (Exception $e) {
+ $this->error(400);
+ return;
+ }
+
+ $vulgar = 'false';
+ if (
+ $this->comments_model->is_vulgar($author) ||
+ $this->comments_model->is_vulgar($content)
+ ) {
+ $vulgar = 'true';
+ }
+
+ $result = $this->comments_model
+ ->post_comment($author, $content, $page, $vulgar);
+
+ if ($result) {
+ header('Location: ' . $this->main->get_url($ref) . '#comments');
+ } else {
+ $this->error(500);
+ }
+ }
+}
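Review bot: The off-site check at line 75 is inverted: `!$url` is true only when parse_url() returned false, so on a successful parse the `array_key_exists('host', ...)` test is never evaluated and a `ref` carrying a scheme or host flows straight into the Location header on line 97, while on a failed parse `array_key_exists('host', false)` raises a TypeError on PHP 8 instead of the intended 400. Replace the condition with `if ($url === false || isset($url['scheme']) || isset($url['host'])) {` so that both a failed parse and any absolute or protocol-relative reference are rejected. The enclosing try/catch does not cover this case, since parse_url() signals failure by returning false rather than throwing. Separately, post() reads every field from $_GET, so the write performed by post_comment() on line 94 can be triggered by a plain link; taking the fields from $_POST (with a CSRF token) would be the usual shape for a state-changing endpoint, and `strlen` on lines 53-54 counts bytes rather than characters, so the 30/500 limits are tighter than intended for non-ASCII input (`mb_strlen` would match the likely intent).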