Changes by Jacob Barkdull 2017-08-09
--------------------------------------------------------------------------------

* Frontend settings have returned!

  HashOver 1.0 had limited frontend control over settings, like how tall the comment box is and which fields are enabled. For technical reasons this feature was removed early in development of HashOver 2.0. This feature is now back and better than ever.

  You now have much greater frontend control over settings, limited to settings that are safe to expose to the public, meaning you can't change the notification e-mail address from the frontend, for example, but most settings are available to change from the frontend.

  To use this new feature you need to do the following...

  1. Use the new `hashover/loader.php` script instead of the `hashover/comments.php` script.

  2. You need to use the `?nodefault` URL query. Please keep in mind that this query name might change before official release. The resulting script tag should look something like this:

  3. In another script you will need to instantiate HashOver manually, in doing so you may specify the URL, title, thread, and settings. Like so:

      var hashover = new HashOver ({
          url: 'http://example.com/cool-blog-post',
          title: 'Example Title of My Cool Blog Post',
          settings: {
              // Disable embedded external images
              allowsImages: false,
              // Place the form below the comment thread
              formPosition: 'bottom',
              // Disable the password and e-mail fields
              fieldOptions: {
                  password: false,
                  email: false
              }
          }
      });

  The code above disables embedded external images, changes the form position to be on the bottom of the comment thread, and disables the password and e-mail fields. You may also: require a field, change the theme, change the language, collapse the comments, and much more!

  Enjoy! As always, improvements are welcome!

* Fixed: Posting a comment with required fields always threw an exception.
* Fixed: Page reload when editing a comment when the e-mail field is disabled.
* Fixed: The public `$imageFormat` setting was not being respected.
* Improved: Admin comment moderation thread page "Back" button style.
* Improved: Operating system specific line ending style conversion.
* JavaScript: Only iterate over non-inherited object properties.
* Differentiate backend redirect vs intent to display a message.
* Decouple user edit moderation from overall moderation.
* Fix/improve minified JavaScript Copyright notice.
* Other minor CSS changes.

Changes by Jacob Barkdull 2017-04-11
--------------------------------------------------------------------------------

* "Notify me of replies" checkbox default state is now configurable.
* Escape HTML tags that get trimmed in half in the latest comments API.
* Added new CSS file for latest comments API.
* Added Greek locale by @Soulhub
* Small CSS changes; removed most transitions.
* Changed and added CSS Copyright notices.
* Vertically flipped the paint brush icon.
* Other minor improvements.

Changes by Jacob Barkdull 2017-03-15
--------------------------------------------------------------------------------

* Fixed big, em, small, strong, sub, and sup tags are now automatically closed.
* Automatically close tags that may have had their endings trimmed off.
* Localized all admin views.

Changes by Jacob Barkdull 2017-03-14
--------------------------------------------------------------------------------

* Date is now an absolute path in API and remote contexts.
* Limited event handlers in the latest comments API.

Changes by Jacob Barkdull 2017-03-13
--------------------------------------------------------------------------------

* Fixed JSONP shared code conflicts.

Changes by Jacob Barkdull 2017-03-12
--------------------------------------------------------------------------------

* Fixed shared frontend code conflicts

  When either an API was used on the same page as HashOver, or when two APIs were used on the same page together, the two or more scripts would conflict with each other because the shared prototype methods were being added to the constructor from the previous script.

Changes by Jacob Barkdull 2017-03-11
--------------------------------------------------------------------------------

* HashOver script tag can now safely be placed anywhere on the page.
* Page URL and title removed from count link and latest comments API.
* Improved admin sidebar navigation tracking.
* Improved performance of admin login.
* Fixed bug causing nonexistent files to resolve to `false`.
* Untracked JSON config files.

Changes by Jacob Barkdull 2017-03-03
--------------------------------------------------------------------------------

* Admin Settings page now only merges settings into `config/settings.json`.
* Added missing files to Source Code viewer.
* Made small improvements to admin views.
* Improved locale optionality.

Changes by Jacob Barkdull 2017-03-01
--------------------------------------------------------------------------------

* Added new setting to control metadata collection on localhost.
* Fixed AJAX comment posting.
* Fixed admin login issue.

Changes by Jacob Barkdull 2017-02-28
--------------------------------------------------------------------------------

* Fixed the comment thread's automatic placement position on the page.
* Added new locales to Source Code viewer.

Changes by Jacob Barkdull 2017-02-26
--------------------------------------------------------------------------------

* MIGRATION INFORMATION
  - The `pages` directory is now `comments/threads`, this change will cause existing comments to not appear until you move the directories under `pages` into the new `comments/threads` directory.
  - All JSON config files have been moved to the new `config` directory, you will need to move the files `hashover/blocklist.json` and `hashover/ignored-queries.json` into the new `config` directory. If these files do not exist, you don't need to do anything as these config files are completely optional.
  - The previously removed `secrets.php` file has returned.
    The required setup information, namely the notification e-mail address, encryption key, and the admin username and password are now stored in this `secrets.php` file located at `/hashover/backend/classes/secrets.php`. You will need to move the values of the public properties `$notificationEmail`, `$encryptionKey`, `$adminName`, and `$adminPassword` in the `settings.php` file into the new `secrets.php` file, and remove these properties from `settings.php` or replace the `settings.php` file entirely, as its source code is publicly viewable, whereas the source code of `secrets.php` is not.
  - The file `hashover.js` has been removed, as it is no longer necessary, and replaced by the new `comments.php` file. This means you will need to update your JavaScript tag...

    From:

    To:

* Removed dependency on Mcrypt
  - Mcrypt is considered "abandonware" and has been deprecated in PHP 7. OpenSSL is now used in its place. There should be no compatibility issues, but please report any if you find any.

* All new administrative control page
  - Comments may now be posted, moderated, edited, and deleted from the new administrative control page. This allows you to disable the "Password" field while retaining a way of moderating comments. This feature should be considered beta software, it will be improved. It has not yet been localized, it is only available in English. Anyone interested in having the admin page available in another language should feel free to translate the text and add the necessary strings to the respective locale file, I have already made the necessary preparations to facilitate your contribution.

    The admin control page is located at: /hashover/admin/

    For example: http://example.com/hashover/admin/

    You will be prompted for a login, use the username and password stored in the "backend/classes/secrets.php" file's public `$adminName` and `$adminPassword` properties. Feedback and suggestions are welcome.

* Improved metadata
  - Any kind of metadata can now be collected.
    The process has been simplified, for flat-file data formats metadata is stored as individual JSON files, for SQL(ite) databases metadata is stored as individual tables in the database. In both cases the metadata naming scheme is as follows: /metadata/, there is also the global metadata, which is at "comments/metadata" and the table "hashover-metadata" respectively.

    This change breaks backwards compatibility, new metadata will have to be generated. This can be done by simply viewing each page on your website that uses HashOver comments, or you can wait for your visitors to do that for you. The Googlebot web crawler may also cause metadata to be created eventually as well.

* Beginning of more proper frontend/backend structure
  - The `HashOver` constructor function and its methods have been split into multiple individual files in the new "frontend" directory.
  - The "scripts" directory has been renamed to "backend".
  - All PHP class files have been moved into "backend/classes".
  - In the future more files may be moved into "backend" and the new "frontend" directory as well. Files under consideration for location change are: the "images" and "themes" directories. I am open to suggestions about the overall file/project structure.

* JavaScript mode
  - Major code refactoring.
  - All PHP code has been removed from the JavaScript. Instead an AJAX request is sent to retrieve the necessary backend data.
  - JSONP has now been implemented, enabling AJAX for allowed remote domain connections, as well as enabling likes and dislikes.
  - The "api/json.php" file is no longer used to show more comments, the new "backend/load-comments.php" is now used instead.
  - Preliminary work toward allowing multiple HashOver instances on a single page. Specifically, multiple instances are now possible, however, element IDs still conflict with each other.
  - Elements are now expected to be prefixed with "hashover-", as to impose a pseudo-namespacing for HashOver specific elements.
* Minor theming change
  - The main HashOver element now receives a "hashover" class, and in the default theme styling HashOver is pseudo-namespaced based on this class instead of the "hashover" element ID. Custom themes should not break, but in the future there will be problems with themes based around the "hashover" element ID when using multiple instances of HashOver. For this reason, themes should move to using the "hashover" class instead.
  - Added a new "borderless" version of the default theme.

* hashover/scripts/cookies.php
  - All cookie names are now prefixed with "hashover-", to impose a pseudo-namespace for HashOver specific cookies.

* hashover/scripts/locale.php
  - Removed now unnecessary `get` and `set` methods.

* hashover/scripts/misc.php
  - Removed now unnecessary `jsEscape` method.

* Fixed: "setup.php" being displayed instead of "settings.php" in errors about required unique notification e-mail, encryption key, and admin password. My apologies for the confusion.
* Improved latest comments API.
* Improved comment count link API.
* Improved SQL(ite) support.
* Improved Spanish and Chinese locales.
* Added Lithuanian locale by vKaotik.
* Added Korean locale by dryoo.
* Added Persian locale by paradox70.
* Comments are now uncollapsed when loaded with a permalink.
* JavaScript/JSON is now the assumed default mode.
* PHP regular expressions now use the "study" flag.
* The "Latest Comments" API frontend no longer uses its own stylesheet.
* Removed the public `$executingScript` property from the `HashOver` class.
* The `ReadComments` class has been renamed to `Thread`.
* The `JSMinifier` class has been renamed to `JavaScriptMinifier`.
* The `ReadFiles` class has been renamed to `CommentFiles`.
* Fixed JavaScript minification.
* Added centralized source code viewer for all AGPL licensed PHP files.
* Removed code to display source code from every PHP file.
* Made some small improvements to the icons images.
* Markdown can now be disabled.
* Small bug fixes.

Changes by Jacob Barkdull 2017-05-12
--------------------------------------------------------------------------------

* hashover/scripts/javascript-mode.php
  - Major code refactoring.
  - `HashOver` object converted to constructor function.
  - `HashOver` constructor `init ()` method split into multiple methods.
  - High likelihood of new expected bugs, please report.

* hashover/scripts/phpmode.php
  - Fixed: Thread hyperlink ID no longer uses parent comment's permalink.

* Fixed: When HashOver is the first script tag (index 0) the `$executingScript` property was being set as `false`, instead of zero as intended.
* Fixed: "Edit" hyperlink being displayed to anonymous users.
* Fixed: All anonymous users being treated as the same user.
* `HTMLOutput` class split into new `FormUI` and `CommentsUI` classes.
* CSS class `hashover-sort-div` renamed to `hashover-sort-section`.
* Default theme: Minor change in look of sort select element.
* Other minor bug fixes.

Changes by Jacob Barkdull 2017-05-06
--------------------------------------------------------------------------------

* Moved IP blocklist file to JSON format.
* Moved ignored URL query list file to JSON format.
* Marked JavaScript files as Free Software readable by GNU LibreJS.
* Improvements to GNU LibreJS compatibility.

Changes by Jacob Barkdull 2017-04-09
--------------------------------------------------------------------------------

* Added new language setting option
  - Setting the `$language` setting to 'auto' will now cause HashOver to detect and use the system's locale. This is now the default.

* Added new public `$usesUserTimezone` setting
  - This setting controls whether the comment dates use the server's timezone or the user's local timezone. This is only possible in JavaScript mode, not PHP mode.

* Added new public `$countIncludesDeleted` setting
  - This setting controls whether deleted comments are included in the standard comment count as well as in the count used in the "Show X Other Comments" hyperlink.
* Return of the "Popular Comments" section!
  - This feature has been nonfunctional since the introduction of AJAX support. It is now functional again.

* Fixed comment ownership issues
  - When posting a comment while logged out or editing an existing comment and changing the name, the AJAX returned comment was not displaying the "Edit" button or indicating proper ownership. This is now fixed, though may see more improvements.

* Changed date permalink URLs
  - Permalink URLs now include a relative path along with the fragment in order to exclude the HashOver form specific URL queries.

* Changed `$collapsesUI` setting behavior
  - Previously, the button used to display the HashOver UI was the same button used to display all comments when `$collapsesComments` is enabled. This caused a few problems, and so is no longer the case. The behavior is now such that clicking the button simply displays the HashOver UI as it would be displayed with the `$collapsesUI` setting disabled.
  - Fixed button not being displayed when there are no comments.
  - Other minor improvements.

* Added message area explaining what HTML and Markdown is allowed in comments.
* Fixed incorrect `comment-needed` locale being displayed for failed replies.
* XML and JSON comment files now use OS specific line endings.
* Removed form position from locales; we don't always know where the form is.
* Default theme: Removed padding from reply form, the bubble is now the form.
* Default theme: Added some simple style to the optional form labels.
* Default theme: Improved styling of messages.
* The "Accepted HTML" form title has been split into two separate locales.
* Improved message timeouts, they are now separated by form type.
* Added innerHTML as allowed HTMLTag attribute for creation by array.
* Added "mobile" and "tablet" keywords to mobile device detection regex.
* Changed the text for some of the optional form labels.
* The long format of comment post dates and times is now localized.
* The comment post date and time formats are now fully configurable.
* Renamed CSS class `hashover-sort-count` back to `hashover-count-sort`.
* Added accepted Markdown string to all locales.
* Other small bug fixes.

Changes by Jacob Barkdull 2017-04-04
--------------------------------------------------------------------------------

* Default theme: Now using border-box everywhere.
* Fixed: Locale text left unescaped in login field titles.

Changes by Jacob Barkdull 2017-03-25
--------------------------------------------------------------------------------

* Fixed uncaught syntax error in AJAX response.
* Improved how HashOver accesses its loader script.

Changes by Jacob Barkdull 2017-03-24
--------------------------------------------------------------------------------

* No longer escaping Unicode in "JSON to coding standard" function.
* Fixed possible XSS vulnerabilities.
* Now using PHP's hideous namespacing.
* Avatar bug fix and improvements.

Changes by Jacob Barkdull 2017-03-21
--------------------------------------------------------------------------------

* Fixed error messages failing to redirect user back to comment form.
* Added Chinese locale by Mr. Q and Takeman.

Changes by Jacob Barkdull 2017-03-19
--------------------------------------------------------------------------------

* `Locales` class renamed to `Locale`.
* Renamed public `locale` method of `Locale` class to `get`.
* Renamed public `$locale` property of `Locale` class to `text`.
* Added new public `set` method to `Locale` class.

Changes by Jacob Barkdull 2017-03-11
--------------------------------------------------------------------------------

* Locales now adds C slashes by default.
* Fixed Strict Mode uncaught syntax error.
* Now requiring instead of including setup PHP files.

Changes by Jacob Barkdull 2017-02-25
--------------------------------------------------------------------------------

* hashover/scripts/setup.php
  - Added type checking to JSON settings loading process.
  - Added allowed domain name check in referer checking.
  - Now assuming false in referer check.

* hashover/scripts/hashover.php
  - public function `getCommentCount` now returns a string value instead of setting the value of the public `$commentCount` property.

* hashover/scripts/javascript-mode.php
  - When comments are collapsed the more link now uses the comment count.
  - Now using the alternative syntax for control structures in PHP code nested within the JavaScript code. This is easier to read, however, all nested PHP code in the JavaScript will be removed eventually.
  - Now using the like/dislike count returned by the `like.php` AJAX request, removing the need for the JavaScript code to handle increasing and decreasing the like/dislike count, and allowing the code to know if the request executed successfully. Additionally, an error message is now displayed to the user under rare circumstances.

* hashover/scripts/settings.php
  - Added new public boolean `$collapsesUI` setting. Previously named `$initialHide`, this sets whether the entire comment form, thread, and end links are collapsed. The standard link used to display the collapsed comments will be displayed, clicking the link will load all of the comments. In the future, this behavior may change to display the collapsed comments instead of loading them all or -- once pagination is implemented -- to display the first page.
  - Added new public array `$allowedDomains` setting. This setting allows you to list which domains are allowed to remotely load the HashOver script files. This is useful for loading HashOver files located on a web host with PHP from another host without PHP, or loading HashOver files located on a subdomain from the top level of a website. Please use this format '*.example.com'.
  - public `$setCookies` setting renamed to `$setsCookies`.

* hashover/scripts/htmltag.php
  - Switched singleton and pretty print parameter order.
  - Allow more characters in tag and attribute names.
  - Added new method for creating attributes from a given array.
  - Added new method for appending text to attributes from a given array.
  - Allow creating attributes when object is instantiated.
  - Small performance improvements.

* hashover/scripts/htmloutput.php
  - Reduced code base size by ~12.1%
  - Small performance improvements.

* hashover/api/rss.php
  - Code tags are now converted to pre tags to ensure proper whitespace.

* hashover/scripts/like.php
  - This file now returns JSON data containing a like and/or dislike count or an error message under rare circumstances.
  - Main code moved into a function.
  - Removed most instances of `exit`.
  - Added code comments

* Added: , , , , and as allowed HTML tags.
* Added code to check for PHP extensions HashOver depends on.
* Added error messages for missing PHP extensions.
* Added language specific reusable code for generating error messages.
* Added "Status" locale string to all locales.
* Removed CSS class `hashover-edit` in favor of `hashover-comment-edit`.
* Renamed CSS class `hashover-count-sort` to `hashover-sort-count`.
* Improved support for multiple line ending styles in comment files.
* Improved JSON data format support.
* Minor locale improvements.
* Small code improvements.

Changes by Jacob Barkdull 2016-01-05
--------------------------------------------------------------------------------

* hashover/scripts/javascript-mode.php
  - Updated Copyright year.
  - Small code changes.

* Added: Danish translation by Jacob Moen.
* Merged: Further improvements to German locale.
* Changed "Be the first to comment!" to "No comments yet." in all locales.
* Now hiding unused comment text of "No comments yet." notice.

Changes by Jacob Barkdull 2016-01-02
--------------------------------------------------------------------------------

* Merged: New public `$setCookies` setting for enabling and disabling cookies.
* Merged: Improvements to German locale.

Changes by Jacob Barkdull 2016-12-03
--------------------------------------------------------------------------------

* Now using MCRYPT_DEV_URANDOM instead of MCRYPT_RAND.
* Small CSS changes.

Changes by Jacob Barkdull 2016-10-28
--------------------------------------------------------------------------------

* Added loading indicator to embedded images.
* Fixed: Loading indicator not showing on "Show X Other Comments" link.
* Fixed: User being logged in as Anonymous when posting a comment.
* Fixed: Use Japanese ellipsis.
* Small improvements to multibyte support.
* Other small changes.

Changes by Jacob Barkdull 2016-09-20
--------------------------------------------------------------------------------

* Allow admin to change comment moderation status when editing comments.
* Allow admin to view and edit comments marked as deleted.
* Allow admin to edit all applicable comment information, not just the body.
* Differentiate between deleted, marked deleted, and unreadable comments.
* Small improvements to support for multibyte locale strings.
* Minor locale changes.
* Minor bug fixes.

Changes by Jacob Barkdull 2016-08-28
--------------------------------------------------------------------------------

* Added 3 new comment sorting methods
  - "By replies" sorts comments by the number of replies each comment has, in ascending order. Meaning the more replies a comment has, the more towards the top the comment appears.
  - "By discussion" sorts comments by the total number of replies they have including replies to replies. Meaning the more discussion has happened, the more towards the top the comment appears.
  - "By popularity" sorts threads by the sum of likes minus the sum of dislikes for each comment in the thread. Meaning the more likes a comment has, and the more likes its replies have, the more towards the top the entire comment thread appears.
* Added protection against `target="_blank"` vulnerability
  - Hyperlinks that open in a new tab/window, especially those linking to external websites, now use a `rel="noopener noreferrer"` attribute to help prevent potential phishing attacks.

* hashover/scripts/htmltag.php
  - HTMLTag children are now stored as object references instead of as strings, this allows tag attributes and inner HTML to be set and/or changed after the children have been appended to their parent tags.

* hashover/scripts/javascript-mode.php
  - Fixed: `EOLTrim ()` function only trimming a single carriage return from beginning and ending of strings.

* Added: Dutch locale.
* Fixed: External image tooltips weren't localized.
* Fixed: The HashOver homepage, RSS, and source code links weren't localized.
* Fixed: Comments with Twitter @handle names sorted higher than normal names.
* Fixed: Anonymous comments sorted by name were incorrectly ordered.
* Minor code improvements.

Changes by Jacob Barkdull 2016-05-17
--------------------------------------------------------------------------------

* Fixed: Non-Gravatar default avatars using PNG image on mobile devices.

Changes by Jacob Barkdull 2016-05-14
--------------------------------------------------------------------------------

* Updated animated loading GIFs.
* Added easy element creation function.
* Removed sprintf function.

Changes by Jacob Barkdull 2016-04-19
--------------------------------------------------------------------------------

* Added loading indicators to elements that trigger heavy AJAX requests.
* Fixed: "0 Likes" remaining displayed after sorting comments by likes.

Changes by Jacob Barkdull 2016-03-15
--------------------------------------------------------------------------------

* Small style changes for Like, Edit, and Reply hyperlinks
  - Pages with small fonts no longer cause button icons to be clipped.
  - Button hyperlink text now vertically centered.
* Bug fix
  - Showing "undefined" in JavaScript mode and nothing in PHP mode instead of configured anonymous name in Reply hyperlink tooltip for comments without a name.

* Improved Japanese locale.
* Minor style changes.

Changes by Jacob Barkdull 2016-01-25
--------------------------------------------------------------------------------

* `hashover.js` file moved
  - `hashover.js` moved into `hashover/` directory, this allows you to rename the HashOver root directory without having to modify `hashover.js` as well. This also allows you to have multiple versions of HashOver running on your server without conflicts, each version simply needs its own directory.

* Improved HTTP root path to allow HashOver to run from a sub-directory.
* Comments from logged in users now have `hashover-user-owned` class.
* Fixed: One popular comment more than configured limit being shown.
* Fixed: `fieldOptions` setting not being synced.
* Removed public `$JSONSettingsFile` setting.
* Improved popular comment sorting.
* Small code improvements.

Changes by Jacob Barkdull 2016-01-09
--------------------------------------------------------------------------------

* Fixed: Administrative comment deletion requiring name and password.
* Fixed: Posting comment without a file value posts comment normally.

Changes by Jacob Barkdull 2016-01-04
--------------------------------------------------------------------------------

* hashover/scripts/writecomments.php
  - Fixed: All comments from unlogged in users posting with default name.
  - Other small bug fixes.

Changes by Jacob Barkdull 2016-01-03
--------------------------------------------------------------------------------

* Improved Markdown
  - Added support for GitHub-style code blocks.
  - Now ignoring nested patterns, allows multi-underscore "blank space."
  - Now allowing an underlined word to appear on a line by itself.

* hashover/scripts/writecomments.php
  - Fixed: Unfinished tags not being escaped.
* hashover/scripts/javascript-mode.php
  - Improved embedded images, now automatically closes upon error.
  - Fixed: Thread link not displayed on some replies after sorting.
  - Fixed: Tabs and spaces being trimmed from block HTML tags.

* hashover/scripts/jsminifier.php
  - Now removing entire line when removing single-line code comments.
  - Smarter indentation and whitespace removal.

Changes by Jacob Barkdull 2016-01-01
--------------------------------------------------------------------------------

* Improved Markdown, allow the erroneous use of grave accents as apostrophes.
* Now only getting the current date once when parsing comments.
* Small bug fixes.

Changes by Jacob Barkdull 2015-12-31
--------------------------------------------------------------------------------

* Fixed: Posting date, status, other fields are updated when editing comments.
* For better posting dates, time is no longer compared when parsing comments.
* Minor improvements, CSS changes.

Changes by Jacob Barkdull 2015-12-30
--------------------------------------------------------------------------------

* Fixed: Local IP address blocklist not being checked.
* Fixed: Comment post date not taking time into account.
* Improved Markdown, now parsing Markdown in RSS.
* Added code comments to SpamCheck class.

Changes by Jacob Barkdull 2015-12-28
--------------------------------------------------------------------------------

* Fixed: "In reply to ..." link loses onClick event handler after sorting.
* Added code comments for Encryption class.

Changes by Jacob Barkdull 2015-12-24
--------------------------------------------------------------------------------

* Added basic markdown support.

Changes by Jacob Barkdull 2015-12-17
--------------------------------------------------------------------------------

* Added optional required field options
  - The login inputs can now be individually set as required, meaning a user will not be able to post or edit a comment, or login, without properly filling the specific fields.

* Fixed: Login inputs with empty values aren't passed to the login method.
* Fixed: More comments are automatically shown when URL jump points to form.
* Fixed: Messages close after 10 seconds of the first one opened, not the last.
* Improved how failed comment post handling works.
* Removed individual settings for enabled login fields in favor of an array.
* Added locale string for individual required input error messages.
* Added a CSS class for styling required login inputs.
* Changed locales to reflect optional and required fields.
* Minor modifications to some icons.
* Improved custom login code.
* Renamed a couple variables.
* Reordered some functions.
* Improved default theme.

Changes by Jacob Barkdull 2015-12-12
--------------------------------------------------------------------------------

* Locales
  - Replaced "_TITLE_", "_NUM_", and "_TIME_" with format specifiers.
  - Now using printf functions instead of str_replace for locale strings.
  - "Top of Thread" changed to "In reply to %s".
  - Merged improvements to Spanish locale.
  - Added Brazilian Portuguese locale.
  - Added Romanian locale.

* hashover/scripts/writecomments.php
  - Login code decoupled into separate files.
  - `kickback ()` method no longer exits script.
  - Class methods now have return values.
  - Methods for posting and editing comments now return the comment as an array when AJAX requests are made. This allows the receiving code to encode the comment as JSON for AJAX requests.

* Added new Login and DefaultLogin classes
  - New login class for handling custom login mechanisms.
  - New default login class for default login mechanism.
* hashover/scripts/postcomments.php
  - New file for posting comments, both the traditional way and via AJAX.
  - This file also handles login.

* hashover/scripts/javascript-mode.php
  - Added AJAX comment posting and editing.
  - Comment and e-mail form validation now applies to edit forms as well.
  - Edit forms now have their own message element for displaying errors.
  - Fixed: Onclick only attached to one embedded image per comment.
  - Fixed: Only one of multiple open message dialogs closing.
  - Reply parsing now has access to their parent comment.
  - "Top of Thread" changed to "In reply to ".
  - Improved XSS escaping and utilizing it more.
  - Very minor performance/memory improvements.
  - Removed duplicate code.

* hashover/scripts/settings.php, hashover/scripts/hashover.php
  - Logic for comment reply nesting modified to allow a configurable number of indentation levels, after which the thread is flattened.
  - Added public $usesAJAX setting.
  - Added public $streamDepth setting.
  - Added public $JSONSettingsFile setting.
  - Added public $loginMethod setting.
  - Settings can now be set in a local JSON file.

* hashover/scripts/setup.php
  - Merged in code to automatically adjust settings.

* hashover/scripts/readcomments.php
  - Missing comment search now ~60% faster (~100 ms for 1000 comments).

* hashover/scripts/database.php, hashover/scripts/parsesql.php
  - Improved syntax of SQL statements.
  - Tables are now created upon first posted comment.
  - Conformed method return values to expected behavior.
  - Removed redundant comment counting code.
  - Bug fixes.

* Users re-logged in when editing comments
  - If the user editing a comment changes their name, they are now automatically logged in with that new name. This allows them to continue to edit or delete their comment after saving their initial edit, as otherwise they would still be logged in with the old name and not have editing or deletion rights.
* Improved GET, POST, and COOKIE data filtering - PHP code implementing HashOver should no longer see it affecting the GET, POST, or COOKIE data in the global namespace in any way, as this data is now filtered as required instead of all at once. * Improved error handling - Classes now throw Exceptions, and try/catch blocks are used to display the error messages, `escapeOutput ()` has been removed and the new `displayErrors ()` in the new Misc class is used as a wrapper instead. * hashover/scripts/htmloutput.php - Comment thread link function modified to include parent comment name. * hashover/scripts/hashover.php - `initiate ()` split into two methods, an added `finalize ()` method. - Comments are no longer automatically parsed during initialization. - Fixed: Most popular comments being sorted in reverse order. * All images are now in a single directory - Subdirectories "/pngs" and "/svgs" have been merged with "/images", this simplifies the generation of paths to these image files, and makes the pathnames easier to remember and type out. * hashover/scripts/cookies.php - Fixed: Cookies set with port, causing issues on ports other than 80. * Removed closing PHP tags - All class files and files intended for inclusion consisting entirely of PHP code no longer have a closing PHP tag, the developers of PHP recommend doing so for such files and it helps prevent a "headers already sent" error on poorly configured web servers. * Coding style changes - Code following PHP opening tags is no longer indented one level, except where PHP code is being aligned with other text in the document, as with JavaScript code for example. - My standard for function return types in languages like C, and other Object Oriented languages like Java, is to place a newline after the class method keywords and return type, which are to be on their own line. My hope was for PHP to eventually gain strict function return type declarations, and for my standard to apply to PHP as well. 
While PHP has gained scalar type declarations with version 7, the way it's implemented is to specify the type, preceded by a colon, after the function parameter list. This is ugly, and doesn't work well with my standard style, so a different approach will be taken, for now, the newlines will simply be done away with. - Most associative array keys with underscores have been renamed to use dashes instead. This is for readability, ease of typing, and the separation in naming convention makes it easier to differentiate HashOver specific variables from PHP global variables, and allows for easier search and replace of just HashOver variables when necessary. * Added files: hashover/scripts/defaultlogin.php, hashover/scripts/login.php, hashover/scripts/misc.php, hashover/scripts/postcomments.php, hashover/scripts/postdata.php, hashover/scripts/locales/pt_br.php, hashover/scripts/locales/ro.php Changes by Jacob Barkdull 2015-10-25 -------------------------------------------------------------------------------- * hashover/scripts/settings.php, hashover/scripts/setup.php - Remove requirement of unique administrative login name. Changes by Jacob Barkdull 2015-10-13 -------------------------------------------------------------------------------- * hashover.js, hashover/scripts/htmloutput.php - URL-encode URL queries as well as URLs in URL queries. - URL-encode page title, improves handling of Unicode page titles. Changes by Jacob Barkdull 2015-08-23 -------------------------------------------------------------------------------- * hashover/scripts/setup.php - Fixed administrative login. Changes by Jacob Barkdull 2015-08-15 -------------------------------------------------------------------------------- * hashover/scripts/writecomments.php - Added 5 second delay to failed comment edit or deletion. This throttles login attempts by malicious users, making brute-force login attempts a less viable option for attackers. 
- Two CRLF end of lines are now used in e-mail notification messages. Changes by Jacob Barkdull 2015-08-11 -------------------------------------------------------------------------------- * hashover/api/count-link.php, hashover/scripts/hashover-javascript.php - Now taking port numbers into account for referer checking. - Removed unnecessary preg_match () function call. Changes by Jacob Barkdull 2015-08-06 -------------------------------------------------------------------------------- * hashover/scripts/htmloutput.php - Login button no longer shown if names and/or passwords are disabled. * hashover/scripts/writecomments.php - Now using proper CRLF (\r\n) for e-mail message body. - Check for parent comment e-mail and encryption keys before using them. - When editing a comment, the new comment data array is now merged with the old comment data array, instead of overriding each key. Changes by Jacob Barkdull 2015-08-02 -------------------------------------------------------------------------------- * Conform to coding standard - All class files now exit with a notice when executed directly. - Now using strict comparisons instead of shorthand ifs. This prevents unnecessary type juggling. - Some variables have been renamed. * hashover/scripts/javascript-mode.php - Fixed: Reply and Edit form actions set to wrong (old) filename. Form action values are now set to `$_SERVER['PHP_SELF']`, which once this file is included is `hashover-javascript.php`. * hashover/scripts/database.php, hashover/scripts/parsesql.php - SQL now stores and uses e-mail MD5 hash for Gravatar icons. - Rearranged statements for easier reading. * New settings - Set whether users can login and logout with: public bool $allowsLogin = true; - Set whether a user's first comment automatically logs them in with: public bool $usesAutoLogin = true; * hashover/scripts/htmloutput.php - Notification e-mail subscription checkbox no longer shown if e-mail address field is disabled. 
- Login button no longer shown when user logins are disabled, however, the logout button is still shown for users who are still logged in. * hashover/api/count-link.php, hashover/api/json.php, hashover/api/latest.php, hashover/scripts/hashover-javascript.php - Now using application/javascript instead of text/javascript, this helps ensure more servers will correctly compress HashOver's JavaScript and JSON output when compression is enabled on the server. Changes by Jacob Barkdull 2015-07-29 -------------------------------------------------------------------------------- * hashover/scripts/javascript-mode.php - The JSON object for comment data is now iterated over by array key, instead of enumerable properties. When the comment data consisted of nested objects, enumerable property iteration was necessary, however, the nested objects were replaced with arrays a while ago. Although bad practice, developers sometimes add custom Prototype methods to all Objects, Arrays, and/or Strings in the document. Therefore iterating over the comment data by enumerable properties isn't efficient and requires more work be done the more custom methods are added to their Prototype. This change also means other JavaScript on the same page as HashOver will not conflict with HashOver if it happens to modify Prototypes. - Changed some variable names. - $() function breaks coding standard, renamed. - Fixed: Early versions of Firefox, Chrome, and Internet Explorer don't support Element.classList, fallback functionality has been added. * hashover/scripts/htmloutput.php - Fixed "JavaScript" hyperlink pointing to the wrong (old) filename. - Minify based on operating system's end of line, not just Unix-style. * hashover/scripts/templater.php - Convert template output to operating system's end of line style. * hashover/scripts/parsexml.php - Fixed: Carriage returns not being trimmed from body. 
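The 2015-07-29 javascript-mode.php entry above describes iterating the comment data by array key rather than by enumerable properties. As an added illustration (not HashOver's own code; the sample comments and the prototype method names `last` and `toQuery` are constructed), this shows what each loop style visits once another script on the page has extended the built-in prototypes:

```javascript
// Constructed sample data: a comment array like the JSON a comment script receives.
const comments = [
	{ name: 'Alice', body: 'First!' },
	{ name: 'Bob', body: 'Nice post.' }
];

// Simulates another script on the page extending built-in prototypes
// (hypothetical method names), runs fn, then restores the prototypes.
function withPollutedPrototypes (fn) {
	Array.prototype.last = function () { return this[this.length - 1]; };
	Object.prototype.toQuery = function () { return ''; };

	try {
		return fn ();
	} finally {
		delete Array.prototype.last;
		delete Object.prototype.toQuery;
	}
}

// for...in walks every enumerable property, inherited ones included.
function keysByEnumeration (list) {
	const keys = [];

	for (const key in list) {
		keys.push (key);
	}

	return keys;
}

// Iterating by array index never consults the prototype chain.
function keysByIndex (list) {
	const keys = [];

	for (let i = 0; i < list.length; i++) {
		keys.push (String (i));
	}

	return keys;
}

// For plain objects, filter for...in down to the object's own properties.
function ownKeys (object) {
	const keys = [];

	for (const key in object) {
		if (Object.prototype.hasOwnProperty.call (object, key)) {
			keys.push (key);
		}
	}

	return keys;
}

// Runs all three strategies while the prototypes are extended.
function demo () {
	return withPollutedPrototypes (function () {
		return {
			enumerated: keysByEnumeration (comments),
			indexed: keysByIndex (comments),
			own: ownKeys (comments[0])
		};
	});
}

console.log (demo ());
```

The `enumerated` list picks up the foreign methods as if they were comments, while `indexed` and `own` contain only the data that was actually sent.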
Changes by Jacob Barkdull 2015-07-10 -------------------------------------------------------------------------------- * hashover.js, hashover/scripts/javascript-mode.php, hashover/scripts/javascript-output.php - javascript-mode.php renamed to hashover-javascript.php. - javascript-output.php renamed to javascript-mode.php. - `head` variable now only defined when needed. - `body` variable removed. - Conform to coding standard. - Minor bug fixes. * hashover/api/count-link.php - Use strict comparison. Changes by Jacob Barkdull 2015-06-25 -------------------------------------------------------------------------------- * hashover/scripts/setup.php - Strip "Magic Quotes" from POST, GET, and COOKIE data if enabled. * hashover/scripts/statistics.php - Conform to coding standard. Changes by Jacob Barkdull 2015-06-22 -------------------------------------------------------------------------------- * hashover/scripts/writecomments.php - Password cookie now stored as Blowfish hash (requires a re-login). - E-mail cookie now stored as Mcrypt string (requires a re-login). - Valid e-mail and HTTP prefix checks now also performed for cookies. - Login no longer performs spam check. * hashover/scripts/encryption.php - `decrypt ()` now fails if any encryption hash offset is undefined. * hashover/scripts/htmloutput.php - Password input placeholder and title changes to "Confirm Password" when editing a comment, as this is what that field is actually for. It is normally automatically filled by the browser. * hashover/scripts/cookies.php - `clear ()` function now uses `expireCookie ($cookie)` function. - `expireCookie ($cookie)` now uses `set ($name [, $value, $date])`. Changes by Jacob Barkdull 2015-06-21 -------------------------------------------------------------------------------- * hashover/themes/default/style.css - Fixed: Mobile CSS SVG background-image being applied to actual login inputs element, instead of :before selector. 
Changes by Jacob Barkdull 2015-06-20 -------------------------------------------------------------------------------- * hashover/scripts/javascript-output.php - Minor performance and memory optimizations. * hashover/scripts/jsminifier.php - Smarter newline removal. Changes by Jacob Barkdull 2015-06-19 -------------------------------------------------------------------------------- * Most code has moved to the TildeHash Coding Standard - Indention is done with tabs, only one per code block. - Curly braces are to be used wherever possible, including switches. - Class property and method names use camelCase. - Function definition names in the global namespace use snake_case. - All variable names, in any scope or namespace, use snake_case. - Variable and function naming convention demands only real words. - Strict comparisons are to be used wherever possible. - Class and function curly braces go on their own line. - There should be a space before any function parentheses. - There should be a space before and after any equals. - There should be a space after function parameters and array items. - There should be a newline after class method keywords. - There should be a blank line before a return following multiple lines. - There should be a blank line before a break following multiple lines. - This coding standard is not final. Complete and detailed documentation and rationale is forthcoming. Discussion and suggestions are welcomed. * Major rewrite of JavaScript mode - HashOver no longer adds any variables or functions to the global namespace, this means HashOver is now isolated. HashOver won't interfere with other JavaScript on the same page, and users and malicious JavaScript won't be able to write to HashOver's variables or execute its functions that aren't meant to be remotely executed. - Image tags are no longer used, instead the "background-image" CSS style attribute is used. 
This results in fewer HTTP requests, and avoids many performance issues related to image tags that don't apply to background image style, such as width and height calculations and onload event handling. This also avoids performance issues associated with ad-blockers, such as "Adblock Plus". - Almost all inline HTML has been removed from the JavaScript code, instead a new class has been added that generates the HTML for use in both the JavaScript mode and in PHP mode. This means that inline HTML is still present in the generated JavaScript code users receive, but it's not present in the actual JavaScript source code. The code doesn't make use of JavaScript's built-in functions such as "document.createElement ()" as these functions executed hundreds or thousands of times are far too slow. - Inline JavaScript event attributes (onClick="", etc) have been removed as well. Instead they are added after the comments are appended to the page's DOM. This will allow for a "hybrid" mode in the future, where HashOver will execute in PHP mode, but JavaScript will also be executed to handle various interactive behaviors. - When enabled, JavaScript code can now be returned to the user in a minified form, however, this code is not obfuscated. The code also includes a smaller Copyright notice and a link to the non-minified JavaScript code, as such is a requirement of the AGPL. - HashOver's JavaScript execution time is now displayed in the console of modern web browsers, when present. - JavaScript now uses Strict Mode. - The JSON data for comments is now passed to the JavaScript after its PHP code has executed, and -- when enabled -- after it's been minified. This makes minification faster, as the JSON data is returned without pretty print when JavaScript minification is enabled, and therefore it doesn't need to be minified anyway. - Element.classList.add () is used instead of appending classes to Element.className. 
This allows for easy adding and removing of classes by name, and is slightly faster. - Improved how various warning messages are handled. Namely, error messages now have a different class than normal messages. - Reply, Edit, and Like links are no longer included in the JSON comment data. This greatly reduces the size of the JavaScript. - Reply and Edit links now change to "Cancel" links after opening their respective forms when clicked. When clicked again, they remove their respective form and revert back to their initial state. - Specific fields can no longer be disabled via JavaScript, instead they are enabled or disabled in the Settings class. * Major rewrite of PHP mode - PHP mode is now a port of JavaScript mode. It should follow it closely, excluding features that aren't possible with plain HTML, such as interactive forms and sorting, likes, etc. - PHP mode is implemented via object now. And should be instantiated before any output is sent, as HashOver sets various cookies. You implement it like so: ...
displayComments (); ?>
* Changes to how comments are stored - Comments no longer contain plain text "\n" nor "<br>" tags. Comments are stored multi-lined and parsed upon reading. When displayed, comments are first parsed by paragraph, with each paragraph getting wrapped in a <p> tag, and then by line, with each line ending with a <br>
tag. This allows different paragraph spacing via CSS, and reduces the size of the JavaScript output. * Changes to where HTML is located - Most HTML has been moved to the new class HTMLOutput. This class holds the HTML that is used in both JavaScript mode and PHP mode. * User login information - User login information is no longer placed in the document as hidden inputs, instead, when posting a comment the cookies set on the user's browser will be used as their login credentials. * Password inputs no longer have cookie value - This means that user passwords aren't placed in the value attribute of the "Password" field of the various forms. This should, technically provide some extra security from malicious JavaScript that happens to be on the same page as HashOver. Users shouldn't notice any difference, since web browsers automatically fill password type inputs anyway. * Changes to theme HTML templates - HTML layout templates are now parsed by the new Templater class. The structure of layout templates should be much easier to understand, as the layout templates no longer use JavaScript variable concatenation. Instead, a curly brace format is used. For example: {hashover:name} displays the user's name. {comment:sort_date} displays the sort date from the JSON data. {placeholder:test} displays a "placeholder" span tag. 
* New settings - Set whether users can enter their own name with: public bool $allowsNames = true; - Set whether users can protect their comments with a password with: public bool $allowsPasswords = true; - Set whether users can enter an e-mail address with: public bool $allowsEmails = true; - Set whether users can enter a website with: public bool $allowsWebsites = true; - Set whether comments must be approved before they appear with: public bool $usesModeration = false; - Position for primary form; options: 'top' or 'bottom' public string $formPosition = 'top'; - Set whether to display labels above inputs with: public bool $usesLabels = false; - Set whether forms have "Cancel" buttons with: public bool $usesCancelButtons = false; - Set whether JavaScript output should be minified with: public bool $minifiesJavaScript = false; - Set how much to minify JavaScript code, options: 1, 2, 3, 4 public int $minifyLevel = 4; - Set whether user deleted files are unlinked from the filesystem with: public bool $userDeletionsUnlink = false; * Removed unused public string $indention setting Indention has been done using CSS for a while now. * Added files: hashover/images/pngs/pending-icon.png, hashover/images/svgs/pending-icon.svg, hashover/scripts/locales/tr.php, hashover/scripts/hashover.php, hashover/scripts/htmloutput.php, hashover/scripts/htmltag.php, hashover/scripts/javascript-output.php, hashover/scripts/jsminifier.php, hashover/scripts/templater.php, * Renamed files: hashover/images/pngs/delicon.png to deleted-icon.png hashover/images/svgs/delicon.svg to deleted-icon.svg hashover/api/count_link.php to count-link.php, hashover/scripts/php-mode.php to phpmode.php, hashover/scripts/displaycomments.php to commentparser.php * Deleted files: hashover/hashover.php * Added Turkish locale by Tunay Eren Uyar (@T_E_U_Tunay) * RSS now uses DOMDocument. * Execution time is one-third lower with a large number of comments (1000+). 
* Execution time is now in milliseconds, or in seconds if >= 1 second. * Memory peak usage now properly stated as Mib. * Fixed embedded images losing their events after sorting comments. * Removed unused public string $parses_huge setting. * Many variables and functions have been renamed. * Improved SQL, table names are no longer snake_case'd thread directory names. * "hashover_form" renamed to "hashover-form" in both HTML and CSS. * Avatars no longer check Gravatar response codes. * Minor improvements to some images. * Other minor bug fixes. Changes by Jacob Barkdull 2015-04-03 -------------------------------------------------------------------------------- * hashover/scripts/javascript-mode.php, hashover/scripts/php-mode.php - Inputs in the primary form are no longer separated into two divs on mobile devices. Going forward, this should be done with CSS. - Image format is no longer added as a class to the "hashover" div to aid in styling on mobile devices. Instead "hashover-mobile" is, and the default class is "hashover-desktop". * hashover/scripts/php-mode.php - Removed tag. * hashover/themes/default/style.css - "svg" class references changed to "hashover-mobile". Changes by Jacob Barkdull 2015-04-01 -------------------------------------------------------------------------------- * hashover/scripts/javascript-mode.php - Improved how various warning messages are handled. - Logout button now has `hashover-logout` class. * hashover/scripts/php-mode.php - Logout button now has `hashover-logout` class. Changes by Jacob Barkdull 2015-03-31 -------------------------------------------------------------------------------- * hashover.js - Each script tag now has an ID of "hashover-script-