tags not being escaped.
* hashover/scripts/javascript-mode.php
- Improved embedded images, now automatically closes upon error.
- Fixed: Thread link not displayed on some replies after sorting.
- Fixed: Tabs and spaces being trimmed from block HTML tags.
* hashover/scripts/jsminifier.php
- Now removing entire line when removing single-line code comments.
- Smarter indentation and whitespace removal.
Changes by Jacob Barkdull 2016-01-01
--------------------------------------------------------------------------------
* Improved Markdown, allow the erroneous use of grave accents as apostrophes.
* Now only getting the current date once when parsing comments.
* Small bug fixes.
Changes by Jacob Barkdull 2015-12-31
--------------------------------------------------------------------------------
* Fixed: Posting date, status, other fields are updated when editing comments.
* For better posting dates, time is no longer compared when parsing comments.
* Minor improvements, CSS changes.
Changes by Jacob Barkdull 2015-12-30
--------------------------------------------------------------------------------
* Fixed: Local IP address blocklist not being checked.
* Fixed: Comment post date not taking time into account.
* Improved Markdown, now parsing Markdown in RSS.
* Added code comments to SpamCheck class.
Changes by Jacob Barkdull 2015-12-28
--------------------------------------------------------------------------------
* Fixed: "In reply to ..." link loses onClick event handler after sorting.
* Added code comments for Encryption class.
Changes by Jacob Barkdull 2015-12-24
--------------------------------------------------------------------------------
* Added basic markdown support.
Changes by Jacob Barkdull 2015-12-17
--------------------------------------------------------------------------------
* Added optional required field options
- The login inputs can now be individually set as required, meaning a
user will not be able to post or edit a comment, or log in, without
properly filling in the specific fields.
* Fixed: Login inputs with empty values aren't passed to the login method.
* Fixed: More comments are automatically shown when URL jump points to form.
* Fixed: Messages close after 10 seconds of the first one opened, not the last.
* Improved how failed comment post handling works.
* Removed individual settings for enabled login fields in favor of an array.
* Added locale string for individual required input error messages.
* Added a CSS class for styling required login inputs.
* Changed locales to reflect optional and required fields.
* Minor modifications to some icons.
* Improved custom login code.
* Renamed a couple variables.
* Reordered some functions.
* Improved default theme.
Changes by Jacob Barkdull 2015-12-12
--------------------------------------------------------------------------------
* Locales
- Replaced "_TITLE_", "_NUM_", and "_TIME_" with format specifiers.
- Now using printf functions instead of str_replace for locale strings.
- "Top of Thread" changed to "In reply to %s".
- Merged improvements to Spanish locale.
- Added Brazilian Portuguese locale.
- Added Romanian locale.
* hashover/scripts/writecomments.php
- Login code decoupled into separate files.
- `kickback ()` method no longer exits script.
- Class methods now have return values.
- Methods for posting and editing comments now return the comment as an
array when AJAX requests are made. This allows the receiving code to
encode the comment as JSON for AJAX requests.
* Added new Login and DefaultLogin classes
- New login class for handling custom login mechanisms.
- New default login class for default login mechanism.
* hashover/scripts/postcomments.php
- New file for posting comments, both the traditional way and via AJAX.
- This file also handles login.
* hashover/scripts/javascript-mode.php
- Added AJAX comment posting and editing.
- Comment and e-mail form validation now applies to edit forms as well.
- Edit forms now have their own message element for displaying errors.
- Fixed: Onclick only attached to one embedded image per comment.
- Fixed: Only one of multiple open message dialogs closing.
- Reply parsing now has access to their parent comment.
- "Top of Thread" changed to "In reply to ".
- Improved XSS escaping and utilizing it more.
- Very minor performance/memory improvements.
- Removed duplicate code.
* hashover/scripts/settings.php,
hashover/scripts/hashover.php
- Logic for comment reply nesting modified to allow a configurable
number of indentation levels, after which the thread is flattened.
- Added public $usesAJAX setting.
- Added public $streamDepth setting.
- Added public $JSONSettingsFile setting.
- Added public $loginMethod setting.
- Settings can now be set in a local JSON file.
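As an added example (not HashOver's own code), one way to implement the configurable nesting depth described above for $streamDepth, in JavaScript. The comment list is constructed, and the flattening rule used here (replies deeper than the limit are attached to their nearest ancestor at the last indented level) is an assumption rather than HashOver's actual logic.

```javascript
// Added example, not HashOver's code: nest replies to a configurable number
// of indentation levels (the $streamDepth setting) and flatten anything
// deeper. The comment list is constructed and the flattening rule is an
// assumption, not necessarily what HashOver does.

// Constructed thread in posting order; "parent" is the id replied to.
const sampleComments = [
  { id: '1', parent: null, name: 'Ann' },
  { id: '1-1', parent: '1', name: 'Bob' },
  { id: '1-1-1', parent: '1-1', name: 'Cat' },
  { id: '1-1-1-1', parent: '1-1-1', name: 'Dan' },
  { id: '2', parent: null, name: 'Eve' },
];

// Builds the tree. A reply that would be indented deeper than maxDepth is
// re-attached to its nearest ancestor at depth maxDepth - 1, so it renders
// as a sibling at the last indented level. inReplyTo keeps the real parent's
// name so an "In reply to %s" link can still name the right comment.
function buildThread(comments, maxDepth) {
  const depthLimit = Math.max(1, maxDepth);
  const byId = {};
  const roots = [];
  for (let i = 0; i < comments.length; i++) {
    const c = comments[i];
    const node = { id: c.id, name: c.name, depth: 0, inReplyTo: null, replies: [], up: null };
    byId[c.id] = node;
    let parent = c.parent === null ? null : byId[c.parent];
    if (!parent) {
      roots.push(node); // top-level, or an orphan whose parent is missing
      continue;
    }
    node.inReplyTo = parent.name;
    while (parent.depth >= depthLimit && parent.up) {
      parent = parent.up; // flatten: climb back above the depth limit
    }
    node.depth = parent.depth + 1;
    node.up = parent;
    parent.replies.push(node);
  }
  return roots;
}

// Display order as "id@depth", depth-first like the rendered thread.
function displayOrder(nodes) {
  const out = [];
  (function walk(list) {
    for (let i = 0; i < list.length; i++) {
      out.push(list[i].id + '@' + list[i].depth);
      walk(list[i].replies);
    }
  }(nodes));
  return out;
}

// Looks up a node by id after the tree has been built.
function findNode(nodes, id) {
  for (let i = 0; i < nodes.length; i++) {
    if (nodes[i].id === id) { return nodes[i]; }
    const found = findNode(nodes[i].replies, id);
    if (found) { return found; }
  }
  return null;
}
```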
* hashover/scripts/setup.php
- Merged in code to automatically adjust settings.
* hashover/scripts/readcomments.php
- Missing comment search now ~60% faster (~100 ms for 1000 comments).
* hashover/scripts/database.php,
hashover/scripts/parsesql.php
- Improved syntax of SQL statements.
- Tables are now created upon first posted comment.
- Conformed method return values to expected behavior.
- Removed redundant comment counting code.
- Bug fixes.
* Users re-logged in when editing comments
- If the user editing a comment changes their name, they are now
automatically logged in with that new name. This allows them to
continue to edit or delete their comment after saving their initial
edit, as otherwise they would still be logged in with the old name
and not have editing or deletion rights.
* Improved GET, POST, and COOKIE data filtering
- PHP code implementing HashOver should no longer see it affecting the
GET, POST, or COOKIE data in the global namespace in any way, as this
data is now filtered as required instead of all at once.
* Improved error handling
- Classes now throw Exceptions, and try/catch blocks are used to display
the error messages. `escapeOutput ()` has been removed, and the new
`displayErrors ()` method in the new Misc class is used as a wrapper instead.
* hashover/scripts/htmloutput.php
- Comment thread link function modified to include parent comment name.
* hashover/scripts/hashover.php
- `initiate ()` split into two methods, an added `finalize ()` method.
- Comments are no longer automatically parsed during initialization.
- Fixed: Most popular comments being sorted in reverse order.
* All images are now in a single directory
- Subdirectories "/pngs" and "/svgs" have been merged with "/images",
this simplifies the generation of paths to these image files, and
makes the pathnames easier to remember and type out.
* hashover/scripts/cookies.php
- Fixed: Cookies set with port, causing issues on ports other than 80.
* Removed closing PHP tags
- All class files and files intended for inclusion consisting entirely
of PHP code no longer have a closing PHP tag. The developers of PHP
recommend omitting it in such files, and it helps prevent a
"headers already sent" error on poorly configured web servers.
* Coding style changes
- Code following PHP opening tags is no longer indented one level,
except where PHP code is being aligned with other text in the
document, as with JavaScript code for example.
- My standard for function return types in languages like C, and other
Object Oriented languages like Java, is to place a newline after the
class method keywords and return type, which are to be on their own
line. My hope was for PHP to eventually gain strict function return
type declarations, and for my standard to apply to PHP as well.
While PHP has gained scalar type declarations with version 7, the way
it's implemented is to specify the type, preceded by a colon, after
the function parameter list. This is ugly, and doesn't work well with
my standard style, so a different approach will be taken; for now,
the newlines will simply be done away with.
- Most associative array keys with underscores have been renamed to use
dashes instead. This is for readability, ease of typing, and the
separation in naming convention makes it easier to differentiate
HashOver specific variables from PHP global variables, and allows for
easier search and replace of just HashOver variables when necessary.
* Added files:
hashover/scripts/defaultlogin.php,
hashover/scripts/login.php,
hashover/scripts/misc.php,
hashover/scripts/postcomments.php,
hashover/scripts/postdata.php,
hashover/scripts/locales/pt_br.php,
hashover/scripts/locales/ro.php
Changes by Jacob Barkdull 2015-10-25
--------------------------------------------------------------------------------
* hashover/scripts/settings.php,
hashover/scripts/setup.php
- Remove requirement of unique administrative login name.
Changes by Jacob Barkdull 2015-10-13
--------------------------------------------------------------------------------
* hashover.js,
hashover/scripts/htmloutput.php
- URL-encode URL queries as well as URLs in URL queries.
- URL-encode page title, improves handling of Unicode page titles.
Changes by Jacob Barkdull 2015-08-23
--------------------------------------------------------------------------------
* hashover/scripts/setup.php
- Fixed administrative login.
Changes by Jacob Barkdull 2015-08-15
--------------------------------------------------------------------------------
* hashover/scripts/writecomments.php
- Added 5 second delay to failed comment edit or deletion.
This throttles login attempts by malicious users, making brute-force
login attempts a less viable option for attackers.
- Two CRLF end of lines are now used in e-mail notification messages.
Changes by Jacob Barkdull 2015-08-11
--------------------------------------------------------------------------------
* hashover/api/count-link.php,
hashover/scripts/hashover-javascript.php
- Now taking port numbers into account for referer checking.
- Removed unnecessary preg_match () function call.
Changes by Jacob Barkdull 2015-08-06
--------------------------------------------------------------------------------
* hashover/scripts/htmloutput.php
- Login button no longer shown if names and/or passwords are disabled.
* hashover/scripts/writecomments.php
- Now using proper CRLF (\r\n) for e-mail message body.
- Check for parent comment e-mail and encryption keys before using them.
- When editing a comment, the new comment data array is now merged with
the old comment data array, instead of overriding each key.
Changes by Jacob Barkdull 2015-08-02
--------------------------------------------------------------------------------
* Conform to coding standard
- All class files now exit with a notice when executed directly.
- Now using strict comparisons instead of shorthand ifs. This prevents
unnecessary type juggling.
- Some variables have been renamed.
* hashover/scripts/javascript-mode.php
- Fixed: Reply and Edit form actions set to wrong (old) filename. Form
action values are now set to `$_SERVER['PHP_SELF']`, which once this
file is included is `hashover-javascript.php`.
* hashover/scripts/database.php,
hashover/scripts/parsesql.php
- SQL now stores and uses e-mail MD5 hash for Gravatar icons.
- Rearranged statements for easier reading.
* New settings
- Set whether users can login and logout with:
public bool $allowsLogin = true;
- Set whether a user's first comment automatically logs them in with:
public bool $usesAutoLogin = true;
* hashover/scripts/htmloutput.php
- Notification e-mail subscription checkbox no longer shown if e-mail
address field is disabled.
- Login button no longer shown when user logins are disabled, however,
the logout button is still shown for users who are still logged in.
* hashover/api/count-link.php,
hashover/api/json.php,
hashover/api/latest.php,
hashover/scripts/hashover-javascript.php
- Now using application/javascript instead of text/javascript, this
helps ensure more servers will correctly compress HashOver's
JavaScript and JSON output when compression is enabled on the server.
Changes by Jacob Barkdull 2015-07-29
--------------------------------------------------------------------------------
* hashover/scripts/javascript-mode.php
- The JSON object for comment data is now iterated over by array key,
instead of enumerable properties. When the comment data consisted of
nested objects, enumerable property iteration was necessary, however,
the nested objects were replaced with arrays a while ago.
Although it is bad practice, developers sometimes add custom prototype
methods to all Objects, Arrays, and/or Strings in the document.
Iterating over the comment data by enumerable properties is therefore
inefficient, and requires more work the more custom methods are
added to those prototypes.
This change also means other JavaScript on the same page as HashOver
will not conflict with HashOver if it happens to modify prototypes.
- Changed some variable names.
- $() function breaks coding standard, renamed.
- Fixed: Early versions of Firefox, Chrome, and Internet Explorer don't
support Element.classList, fallback functionality has been added.
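As an added example (not HashOver's own code), the difference described above between enumerable-property iteration and own-key iteration, shown in JavaScript; the comment record and the Object.prototype extension are constructed for the demo.

```javascript
// Added example, not HashOver's code. Shows why iterating comment data by
// its own keys is more robust than for...in once another script on the page
// has extended Object.prototype. The comment object and the prototype
// extension below are constructed for this demo.

// Stand-in for a third-party script that adds a method to every Object.
Object.prototype.debugDump = function () { return JSON.stringify(this); };

// Constructed comment record, as it would arrive in HashOver's JSON data.
const sampleComment = { name: 'Alice', body: 'Hello', sort_date: '2015-07-29' };

// Enumerable-property iteration: inherited properties show up too, so the
// renderer would see a "debugDump" field whose value is a function.
function fieldsViaForIn(comment) {
  const fields = [];
  for (const key in comment) {
    fields.push(key + '=' + typeof comment[key]);
  }
  return fields;
}

// The same loop guarded with hasOwnProperty, the usual mitigation when
// for...in cannot be avoided.
function fieldsViaGuardedForIn(comment) {
  const fields = [];
  for (const key in comment) {
    if (Object.prototype.hasOwnProperty.call(comment, key)) {
      fields.push(key + '=' + typeof comment[key]);
    }
  }
  return fields;
}

// Own-key iteration (ES5 Object.keys): only the record's own properties,
// and the cost no longer grows with the number of prototype additions.
function fieldsViaOwnKeys(comment) {
  const fields = [];
  const keys = Object.keys(comment);
  for (let i = 0; i < keys.length; i++) {
    fields.push(keys[i] + '=' + typeof comment[keys[i]]);
  }
  return fields;
}
```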
* hashover/scripts/htmloutput.php
- Fixed "JavaScript" hyperlink pointing to the wrong (old) filename.
- Minify based on operating system's end of line, not just Unix-style.
* hashover/scripts/templater.php
- Convert template output to operating system's end of line style.
* hashover/scripts/parsexml.php
- Fixed: Carriage returns not being trimmed from body.
Changes by Jacob Barkdull 2015-07-10
--------------------------------------------------------------------------------
* hashover.js,
hashover/scripts/javascript-mode.php,
hashover/scripts/javascript-output.php
- javascript-mode.php renamed to hashover-javascript.php.
- javascript-output.php renamed to javascript-mode.php.
- `head` variable now only defined when needed.
- `body` variable removed.
- Conform to coding standard.
- Minor bug fixes.
* hashover/api/count-link.php
- Use strict comparison.
Changes by Jacob Barkdull 2015-06-25
--------------------------------------------------------------------------------
* hashover/scripts/setup.php
- Strip "Magic Quotes" from POST, GET, and COOKIE data if enabled.
* hashover/scripts/statistics.php
- Conform to coding standard.
Changes by Jacob Barkdull 2015-06-22
--------------------------------------------------------------------------------
* hashover/scripts/writecomments.php
- Password cookie now stored as Blowfish hash (requires a re-login).
- E-mail cookie now stored as Mcrypt string (requires a re-login).
- Valid e-mail and HTTP prefix checks now also performed for cookies.
- Login no longer performs spam check.
* hashover/scripts/encryption.php
- `decrypt ()` now fails if any encryption hash offset is undefined.
* hashover/scripts/htmloutput.php
- Password input placeholder and title changes to "Confirm Password"
when editing a comment, as this is what that field is actually for.
It is normally automatically filled by the browser.
* hashover/scripts/cookies.php
- `clear ()` function now uses `expireCookie ($cookie)` function.
- `expireCookie ($cookie)` now uses `set ($name [, $value, $date])`.
Changes by Jacob Barkdull 2015-06-21
--------------------------------------------------------------------------------
* hashover/themes/default/style.css
- Fixed: Mobile CSS SVG background-image being applied to actual login
inputs element, instead of :before selector.
Changes by Jacob Barkdull 2015-06-20
--------------------------------------------------------------------------------
* hashover/scripts/javascript-output.php
- Minor performance and memory optimizations.
* hashover/scripts/jsminifier.php
- Smarter newline removal.
Changes by Jacob Barkdull 2015-06-19
--------------------------------------------------------------------------------
* Most code has moved to the TildeHash Coding Standard
- Indention is done with tabs, only one per code block.
- Curly braces are to be used wherever possible, including switches.
- Class property and method names use camelCase.
- Function definition names in the global namespace use snake_case.
- All variable names, in any scope or namespace, use snake_case.
- Variable and function naming convention demands only real words.
- Strict comparisons are to be used wherever possible.
- Class and function curly braces go on their own line.
- There should be a space before any function parentheses.
- There should be a space before and after any equals.
- There should be a space after function parameters and array items.
- There should be a newline after class method keywords.
- There should be a blank line before a return following multiple lines.
- There should be a blank line before a break following multiple lines.
- This coding standard is not final. Complete and detailed
documentation and rationale is forthcoming.
Discussion and suggestions are welcomed.
* Major rewrite of JavaScript mode
- HashOver no longer adds any variables or functions to the global
namespace, this means HashOver is now isolated. HashOver won't
interfere with other JavaScript on the same page, and users and
malicious JavaScript won't be able to write to HashOver's variables
or execute its functions that aren't meant to be remotely executed.
- Image tags are no longer used, instead the "background-image" CSS
style attribute is used. This results in fewer HTTP requests, and
avoids many performance issues related to image tags that don't apply
to background image style, such as width and height calculations and
onload event handling. This also avoids performance issues associated
with ad-blockers, such as "Adblock Plus".
- Almost all inline HTML has been removed from the JavaScript code,
instead a new class has been added that generates the HTML for use in
both the JavaScript mode and in PHP mode. This means that inline HTML
is still present in the generated JavaScript code users receive, but
it's not present in the actual JavaScript source code. The code
doesn't make use of JavaScript's built-in functions such as
"document.createElement ()" as these functions executed hundreds or
thousands of times are far too slow.
- Inline JavaScript event attributes (onClick="", etc) have been
removed as well. Instead they are added after the comments are
appended to the page's DOM. This will allow for a "hybrid" mode in
the future, where HashOver will execute in PHP mode, but JavaScript
will also be executed to handle various interactive behaviors.
- When enabled, JavaScript code can now be returned to the user in a
minified form, however, this code is not obfuscated. The code also
includes a smaller Copyright notice and a link to the non-minified
JavaScript code, as such is a requirement of the AGPL.
- HashOver's JavaScript execution time is now displayed in the console
of modern web browsers, when present.
- JavaScript now uses Strict Mode.
- The JSON data for comments is now passed to the JavaScript after its
PHP code has executed, and -- when enabled -- after it's been
minified. This makes minification faster, as the JSON data is
returned without pretty print when JavaScript minification is
enabled, and therefore it doesn't need to be minified anyway.
- Element.classList.add () is used instead of appending classes to
Element.className. This allows for easy adding and removing of
classes by name, and is slightly faster.
- Improved how various warning messages are handled. Namely, error
messages now have a different class than normal messages.
- Reply, Edit, and Like links are no longer included in the JSON
comment data. This greatly reduces the size of the JavaScript.
- Reply and Edit links now change to "Cancel" links after opening their
respective forms when clicked. When clicked again, they remove their
respective form and revert back to their initial state.
- Specific fields can no longer be disabled via JavaScript, instead
they are enabled or disabled in the Settings class.
* Major rewrite of PHP mode
- PHP mode is now a port of JavaScript mode. It should follow it
closely, excluding features that aren't possible with plain HTML,
such as interactive forms and sorting, likes, etc.
- PHP mode is now implemented as an object, which should be instantiated
before any output is sent, as HashOver sets various cookies.
You implement it like so:
...
displayComments ();
?>
* Changes to how comments are stored
- Comments no longer contain plain text "\n" nor "<br>" tags. Comments
are stored multi-lined and parsed upon reading. When displayed,
comments are first parsed by paragraph, with each paragraph getting
wrapped in a <p> tag, and then by line, with each line ending with a
<br> tag. This allows different paragraph spacing via CSS, and
reduces the size of the JavaScript output.
* Changes to where HTML is located
- Most HTML has been moved to the new class HTMLOutput. This class
holds the HTML that is used in both JavaScript mode and PHP mode.
* User login information
- User login information is no longer placed in the document as hidden
inputs, instead, when posting a comment the cookies set on the user's
browser will be used as their login credentials.
* Password inputs no longer have cookie value
- This means that user passwords aren't placed in the value attribute
of the "Password" field of the various forms. This should,
technically, provide some extra security from malicious JavaScript
that happens to be on the same page as HashOver.
Users shouldn't notice any difference, since web browsers
automatically fill password type inputs anyway.
* Changes to theme HTML templates
- HTML layout templates are now parsed by the new Templater class. The
structure of layout templates should be much easier to understand, as
the layout templates no longer use JavaScript variable concatenation.
Instead, a curly brace format is used.
For example:
{hashover:name} displays the user's name.
{comment:sort_date} displays the sort date from the JSON data.
{placeholder:test} displays a "placeholder" span tag.
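As an added example (not HashOver's own code) covering both the comment storage change and the curly-brace template format described above: a JavaScript renderer that splits a stored multi-line comment into <p> and <br> markup, and a small parser for {hashover:...}, {comment:...} and {placeholder:...} tokens. Escaping every value, the exact <span> emitted for placeholders, and the sample inputs are assumptions made for this demo.

```javascript
// Added example, not HashOver's code. Renders a stored multi-line comment
// by paragraph and line as described above, then fills a curly-brace
// template of the {section:key} form. Escaping every value and the markup
// emitted for {placeholder:...} are assumptions made for this demo.

function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Constructed stored comment: "\r\n" line endings, a blank line between
// paragraphs, nothing pre-rendered.
const sampleStored = 'First line\r\nsecond line\r\n\r\n<b>not bold</b> & "quoted"';

// Normalise line endings, split on blank lines into paragraphs, then on
// single newlines; each paragraph becomes <p>...</p> with <br> between lines.
function renderBody(stored) {
  const text = stored.replace(/\r\n?/g, '\n').trim();
  if (text === '') {
    return '';
  }
  const paragraphs = text.split(/\n{2,}/);
  const html = [];
  for (let p = 0; p < paragraphs.length; p++) {
    const lines = paragraphs[p].split('\n');
    const escaped = [];
    for (let l = 0; l < lines.length; l++) {
      escaped.push(escapeHtml(lines[l]));
    }
    html.push('<p>' + escaped.join('<br>') + '</p>');
  }
  return html.join('');
}

// Resolves {hashover:key}, {comment:key} and {placeholder:key} tokens.
// Unknown tokens are left in place so a template typo stays visible.
// The comment body is already HTML from renderBody; other values are text.
function renderTemplate(template, data) {
  return template.replace(/\{(hashover|comment|placeholder):([a-z_]+)\}/g,
    function (token, section, key) {
      if (section === 'placeholder') {
        return '<span class="hashover-placeholder-' + key + '"></span>';
      }
      const source = data[section];
      if (!source || !Object.prototype.hasOwnProperty.call(source, key)) {
        return token;
      }
      const value = source[key];
      return section === 'comment' && key === 'body' ? value : escapeHtml(value);
    });
}

// Constructed template and data, in the format the changelog describes.
const sampleTemplate = '<div class="hashover-comment">{hashover:name}: '
  + '{comment:body} ({comment:sort_date}){placeholder:test}</div>';

function renderSample() {
  return renderTemplate(sampleTemplate, {
    hashover: { name: 'Ann <admin>' },
    comment: { body: renderBody(sampleStored), sort_date: '2015-06-19' },
  });
}
```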
* New settings
- Set whether users can enter their own name with:
public bool $allowsNames = true;
- Set whether users can protect their comments with a password with:
public bool $allowsPasswords = true;
- Set whether users can enter an e-mail address with:
public bool $allowsEmails = true;
- Set whether users can enter a website with:
public bool $allowsWebsites = true;
- Set whether comments must be approved before they appear with:
public bool $usesModeration = false;
- Position for primary form; options: 'top' or 'bottom'
public string $formPosition = 'top';
- Set whether to display labels above inputs with:
public bool $usesLabels = false;
- Set whether forms have "Cancel" buttons with:
public bool $usesCancelButtons = false;
- Set whether JavaScript output should be minified with:
public bool $minifiesJavaScript = false;
- Set how much to minify JavaScript code, options: 1, 2, 3, 4
public int $minifyLevel = 4;
- Set whether user deleted files are unlinked from the filesystem with:
public bool $userDeletionsUnlink = false;
* Removed unused public string $indention setting
Indention has been done using CSS for a while now.
* Added files:
hashover/images/pngs/pending-icon.png,
hashover/images/svgs/pending-icon.svg,
hashover/scripts/locales/tr.php,
hashover/scripts/hashover.php,
hashover/scripts/htmloutput.php,
hashover/scripts/htmltag.php,
hashover/scripts/javascript-output.php,
hashover/scripts/jsminifier.php,
hashover/scripts/templater.php,
* Renamed files:
hashover/images/pngs/delicon.png to deleted-icon.png
hashover/images/svgs/delicon.svg to deleted-icon.svg
hashover/api/count_link.php to count-link.php,
hashover/scripts/php-mode.php to phpmode.php,
hashover/scripts/displaycomments.php to commentparser.php
* Deleted files:
hashover/hashover.php
* Added Turkish locale by Tunay Eren Uyar (@T_E_U_Tunay)
* RSS now uses DOMDocument.
* Execution time is one-third lower with a large number of comments (1000+).
* Execution time is now in milliseconds, or in seconds if >= 1 second.
* Memory peak usage now properly stated in MiB.
* Fixed embedded images losing their events after sorting comments.
* Removed unused public string $parses_huge setting.
* Many variables and functions have been renamed.
* Improved SQL, table names are no longer snake_case'd thread directory names.
* "hashover_form" renamed to "hashover-form" in both HTML and CSS.
* Avatars no longer check Gravatar response codes.
* Minor improvements to some images.
* Other minor bug fixes.
Changes by Jacob Barkdull 2015-04-03
--------------------------------------------------------------------------------
* hashover/scripts/javascript-mode.php,
hashover/scripts/php-mode.php
- Inputs in the primary form are no longer separated into two divs on
mobile devices. Going forward, this should be done with CSS.
- Image format is no longer added as a class to the "hashover" div to
aid in styling on mobile devices. Instead "hashover-mobile" is, and
the default class is "hashover-desktop".
* hashover/scripts/php-mode.php
- Removed tag.
* hashover/themes/default/style.css
- "svg" class references changed to "hashover-mobile".
Changes by Jacob Barkdull 2015-04-01
--------------------------------------------------------------------------------
* hashover/scripts/javascript-mode.php
- Improved how various warning messages are handled.
- Logout button now has `hashover-logout` class.
* hashover/scripts/php-mode.php
- Logout button now has `hashover-logout` class.
Changes by Jacob Barkdull 2015-03-31
--------------------------------------------------------------------------------
* hashover.js
- Each script tag now has an ID of "hashover-script-