|
114 | 114 | SET `read` = now()
|
115 | 115 | WHERE profile_id = {$profile['profile_id']};";
|
116 | 116 |
|
117 |
| - //$comment_result = mysqli_query($link, $comment_sql); |
| 117 | + $comment_result = mysqli_query($link, $comment_sql); |
118 | 118 |
|
119 | 119 | echo json_encode(
|
120 | 120 | array(
|
|
131 | 131 |
|
132 | 132 | if (getenv('REQUEST_METHOD') == 'GET' && ! isset($_GET['profileId'])) {
|
133 | 133 | $get_comments_sql = isset($_GET['articleId']) ? "'{$_GET ['articleId']}'" : "ANY (SELECT article_id FROM for_comments)";
|
134 |
| - $order_sql = isset($_GET['origin']) ? "banned ASC, flags DESC, updated DESC, created DESC LIMIT 1000" : "path"; |
| 134 | + $order_sql = isset($_GET['origin']) ? "banned ASC, flags DESC, IF (updated > created, updated, created) DESC LIMIT 1000" : "path"; |
135 | 135 | $profile_id_sql = isset($profile) ? "{$profile['profile_id']}" : "null";
|
| 136 | + $deleted_sql = isset($_GET['origin']) ? "" : "AND for_comments.deleted = 0"; |
136 | 137 |
|
137 | 138 | $comments_sql = "SELECT for_comments.*,
|
138 | 139 | for_profiles.email,
|
|
157 | 158 | ON for_comments.comment_id = for_likes.comment_id
|
158 | 159 | AND for_likes.profile_id = $profile_id_sql
|
159 | 160 | WHERE for_comments.article_id = $get_comments_sql
|
| 161 | + $deleted_sql |
160 | 162 | ORDER BY $order_sql;";
|
161 | 163 |
|
162 | 164 | $comments_result = mysqli_query($link, $comments_sql);
|
|
208 | 210 | $comment_sql = false;
|
209 | 211 | $like_sql = false;
|
210 | 212 |
|
| 213 | + /** |
| 214 | + * Strip HTML tags, attributes and new lines at the end; |
| 215 | + * Some tags and attributes are allowed. |
| 216 | + */ |
| 217 | + |
| 218 | + if (isset($post_comment['comment'])) { |
| 219 | + $commentHtml = html_entity_decode($post_comment['comment']); |
| 220 | + $commentHtml = strip_tags($commentHtml, |
| 221 | + '<img><a><i><b><em><strong><br>'); |
| 222 | + |
| 223 | + $dom = new DOMDocument(); |
| 224 | + |
| 225 | + /** |
| 226 | + * Some stupid error for invalid content. |
| 227 | + * Diable it temporary. |
| 228 | + * http://stackoverflow.com/questions/1685277/warning-domdocumentloadhtml-htmlparseentityref-expecting-in-entity |
| 229 | + */ |
| 230 | + |
| 231 | + $internalErrors = libxml_use_internal_errors(true); |
| 232 | + |
| 233 | + /** |
| 234 | + * Need to force utf-8 for bulgarian characters. |
| 235 | + */ |
| 236 | + |
| 237 | + $dom->loadHTML('<?xml encoding="utf-8" ?>' . $commentHtml); |
| 238 | + |
| 239 | + /** |
| 240 | + * Restore internal errors. |
| 241 | + */ |
| 242 | + |
| 243 | + libxml_use_internal_errors($internalErrors); |
| 244 | + |
| 245 | + $xpath = new DOMXPath($dom); |
| 246 | + $elements = $xpath->query("//*"); |
| 247 | + |
| 248 | + foreach ($elements as $element) { |
| 249 | + for ($i = $element->attributes->length; -- $i >= 0;) { |
| 250 | + $name = $element->attributes->item($i)->name; |
| 251 | + |
| 252 | + if (('img' === $element->nodeName && 'src' === $name) || |
| 253 | + ('img' === $element->nodeName && 'alt' === $name) || |
| 254 | + ('a' === $element->nodeName && 'href' === $name) || |
| 255 | + ('a' === $element->nodeName && 'target' === $name)) { |
| 256 | + |
| 257 | + continue; |
| 258 | + } |
| 259 | + |
| 260 | + $element->removeAttribute($name); |
| 261 | + } |
| 262 | + } |
| 263 | + |
| 264 | + $commentHtml = $dom->saveHTML(); |
| 265 | + |
| 266 | + /** |
| 267 | + * This one above will wrap everything in paragraph. |
| 268 | + */ |
| 269 | + |
| 270 | + $commentHtml = strip_tags($commentHtml, |
| 271 | + '<img><a><i><b><em><strong><br>'); |
| 272 | + |
| 273 | + $post_comment['comment'] = preg_replace( |
| 274 | + '#(( ){0,}<br( {0,})(/{0,1})>){1,}$#i', '', $commentHtml); |
| 275 | + $post_comment['comment'] = mysqli_real_escape_string($link, |
| 276 | + $post_comment['comment']); |
| 277 | + } |
| 278 | + |
211 | 279 | if (isset($post_comment['parentCommentId'])) {
|
212 | 280 | $get_parent_comment_sql = "SELECT * FROM for_comments
|
213 | 281 | WHERE comment_id = {$post_comment['parentCommentId']}
|
|