Code to clean up html in user comments.
Ilya1st - November 23, 2007 - 17:49
| Project: | Safe HTML |
| Version: | 6.x-7.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Ilya1st |
| Status: | closed |
Description
<?php
// Re-filter a stored comment with Safe HTML after it has been inserted or updated.
function safehtml_comment(&$a1, $op) {
  switch ($op) {
    case 'update':
    case 'insert':
      // Filters enabled for the comment's input format.
      $arr = array_keys(filter_list_format($a1['format']));
      if ($c = db_fetch_object(db_query('SELECT cid, comment, format FROM {comments} WHERE cid=%d', $a1['cid']))) {
        if (in_array('safehtml/0', $arr)) {
          if (!defined('XML_HTMLSAX3')) {
            define('XML_HTMLSAX3', '');
          }
          require_once('classes/safehtml.php');
          // Use the input format of the row that was just loaded.
          $c->comment = _safehtml_parse($c->comment, $c->format);
          db_query('UPDATE {comments} SET comment=\'%s\' WHERE cid=%d', $c->comment, $c->cid);
        }
      }
  }
}
?>
#1
#2
Thank you...
Please provide a patch in order to add this function to the module.
#3
#4
Here is a patch. I want to maintain this module and port it to 6.x.
#5
Thanks Ilya1st,
I would be happy to have more developers on this module. Please apply for a CVS account so that I can add you to the module developers. See Apply for contributions CVS access.
You can find other guides on using Drupal CVS at http://drupal.org/handbook/cvs
Best regards.
#6
About the provided patch...
With this patch two additional queries will run when a comment is inserted/updated... It's a performance issue.
Why not try to filter when the "validate" operation occurs? There we can alter the user input without running additional queries. Please take a look at the code below.
<?php
function safehtml_comment(&$a1, $op) {
  if ($op == 'validate') {
    $arr = array_keys(filter_list_format($a1['format']));
    if (in_array('safehtml/0', $arr)) {
      if (!defined('XML_HTMLSAX3')) {
        define('XML_HTMLSAX3', '');
      }
      require_once('classes/safehtml.php');
      $a1['comment'] = _safehtml_parse($a1['comment'], $a1['format']);
    }
  }
}
?>
Can you test this code?
Thank you!
#7
Why not try to filter when the "validate" operation occurs? There we can alter the user input without running additional queries. Please take a look at the code below.
In Drupal 5.x, "validate", as I have tested, does not avoid comment sending. So the code does not work.
Yes, this is a performance issue, but the comment module uses its own form and validate works only for node form code.
That's why I had to add my code to prevalidate the comment. There is no way to validate comment internals before inserting into the database.
There is no such hook in the Drupal 5.x comment module. Why there is not, I do not know.
Another way: write a custom comment module with this hook :-) and turn off the standard one.
It will improve performance. Yes.
For now, for the comment module, there is only the solution in the patch.
Look at the functions:
function comment_validate($edit) { - here it is $edit, not the pointer &$edit
and another:
#8
Yes, I've rechecked node.
comment_invoke_comment is called with 'validate' as the second argument, so the hook does its validation, but really the comment is not affected.
Yes, it's possible to just call form_set_error, but when the comment is already in the database.
Maybe there are other hooks, or make our own precheck like the captcha module does on the form level. I don't know.
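The point made in #7 and #8, as an added example that is not part of this thread or of the Safe HTML module: when validation receives the comment by value, a hook that cleans it during 'validate' has no effect on what gets stored, while a hook that cleans the stored row on 'insert' does. All demo_* names are hypothetical, an array stands in for the {comments} table, and strip_tags() stands in for _safehtml_parse().

```php
<?php
// Added illustration: all demo_* names are hypothetical, not Drupal or Safe HTML code.
$demo_table = array();  // stands in for the {comments} table

// Stand-in for _safehtml_parse() (assumption: any sanitizer shows the same effect).
function demo_sanitize($html) {
  return strip_tags($html, '<b><i>');
}

// Variant from #6: clean the submitted value during 'validate'.
function demo_hook_validate(&$a1, $op) {
  if ($op == 'validate') {
    $a1['comment'] = demo_sanitize($a1['comment']);
  }
}

// Variant from the description: clean the stored row after 'insert' or 'update'.
function demo_hook_save(&$a1, $op) {
  global $demo_table;
  if ($op == 'insert' || $op == 'update') {
    $demo_table[$a1['cid']] = demo_sanitize($demo_table[$a1['cid']]);
  }
}

// Receives $edit by value, like "function comment_validate($edit)" quoted in #7,
// so whatever the hook writes into it is discarded when this function returns.
function demo_comment_validate($edit, $hook) {
  $hook($edit, 'validate');
}

// Validate, store, announce the insert, then return what ended up stored.
function demo_submit($edit, $hook) {
  global $demo_table;
  demo_comment_validate($edit, $hook);
  $demo_table[$edit['cid']] = $edit['comment'];
  $hook($edit, 'insert');
  return $demo_table[$edit['cid']];
}

// Constructed sample input.
$edit = array('cid' => 1, 'comment' => '<b>hi</b><script>alert(1)</script>');
echo "validate-time hook stores: ", demo_submit($edit, 'demo_hook_validate'), "\n";
echo "save-time hook stores:     ", demo_submit($edit, 'demo_hook_save'), "\n";
```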
#9
Fixed in http://drupal.org/cvs?commit=249576
#10