原理
通过在处理评论时移除 HTML 标签的方式进行处理，可以防止注入；代码关键的地方都有注释，可以参考。
代码示例
<?php
namespace core_next;
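class comment extends \WP_Widget
{
    /**
     * Registers the "latest comments" widget and hooks the cache refresh into
     * WordPress' widget-save callback.
     */
    public function __construct()
    {
        $img_html = Theme::getWidgetIcon();
        parent::__construct(
            'core_next_comments_widget',
            $img_html . 'CoreNext最新评论',
            [
                'description' => '主题自带最新评论小工具',
            ]
        );
        // Rebuild the cached comment list whenever the widget settings are saved.
        add_action('widget_update_callback', [$this, 'updateWidgetCache'], 10, 2);
    }

    /**
     * Renders the admin settings form for this widget.
     *
     * @param array $instance Saved settings: title, number, show_admin_comment, on_top.
     */
    public function form($instance)
    {
        $num = absint($instance['number'] ?? 5);
        $title = $instance['title'] ?? '最新评论';
        $show_admin_comment = !empty($instance['show_admin_comment']) ? 'checked' : '';
        $on_top = !empty($instance['on_top']) ? 'checked' : '';
        // Every attribute value below goes through esc_attr(), including the
        // generated field names, so all four inputs are escaped consistently.
        ?>
        <div class="widget-item">
            <div>工具标题</div>
            <input class="widefat" name="<?php echo esc_attr($this->get_field_name('title')); ?>"
                   type="text" value="<?php echo esc_attr($title); ?>"/>
        </div>
        <div class="widget-item">
            <div>显示评论数量</div>
            <input class="widefat" name="<?php echo esc_attr($this->get_field_name('number')); ?>"
                   type="text" value="<?php echo esc_attr($num); ?>"/>
        </div>
        <div class="widget-item" style="display: flex;gap: 10px">
            <div>显示站长评论 <input class="widefat" type="checkbox"
                                name="<?php echo esc_attr($this->get_field_name('show_admin_comment')); ?>"
                                <?php echo $show_admin_comment; ?> ></div>
        </div>
        <div class="widget-item">
            <span>跟随页面展示 <input class="widefat" type="checkbox"
                                 name="<?php echo esc_attr($this->get_field_name('on_top')); ?>"
                                 <?php echo $on_top; ?>></span>
        </div>
        <?php
    }

    /**
     * Echoes the widget opening markup and title.
     *
     * @param array $args     Sidebar markup (before_widget, before_title, after_title).
     * @param array $instance Saved settings; 'on_top' switches to the sticky wrapper.
     */
    public function widget_start($args, $instance)
    {
        $html = $args['before_widget'];
        if (!empty($instance['on_top'])) {
            // Swap the opening tag for the theme's sticky variant.
            $html = str_replace('<div', Theme::getWidgetStickyStyle(), $html);
        }
        echo $html;
        // Default to '' so a widget saved without a title does not raise a notice.
        $title = apply_filters('widget_title', $instance['title'] ?? '');
        echo $args['before_title'] . $title . $args['after_title'];
    }

    /**
     * Echoes the widget closing markup.
     *
     * @param array $args Sidebar markup (after_widget).
     */
    public function widget_end($args)
    {
        echo $args['after_widget'];
    }

    /**
     * Forces a rebuild of both cache entries for the widget with the given id.
     * Unlike widget()/updateWidgetCache() this variant never excludes the admin.
     *
     * @param string $id       Widget id used as the cache-key prefix.
     * @param array  $instance Saved settings; only 'number' is read.
     */
    public static function updateCache($id, $instance)
    {
        $comment_args = self::commentQueryArgs($instance, false);
        $comments = Theme::Cache($id . '_query', static function () use ($comment_args) {
            return get_comments($comment_args);
        }, true);
        // NOTE(review): this method previously stripped $data['content'] while the
        // other two paths strip $comment->comment_content; they are now aligned on
        // the raw comment field — confirm getCommentMeta()'s 'content' is the same value.
        Theme::Cache($id . '_list', static function () use ($comments) {
            return self::buildCommentList($comments);
        }, true);
    }

    /**
     * Renders the widget on the front end, from cache when the theme option
     * 'widget_comment_cache' is enabled.
     *
     * @param array $args     Sidebar markup.
     * @param array $instance Saved settings.
     */
    public function widget($args, $instance)
    {
        global $core_next_set;
        $this->widget_start($args, $instance);
        // Hide the site owner's own comments unless the option is ticked.
        $comment_args = self::commentQueryArgs($instance, empty($instance['show_admin_comment']));
        if (!empty($core_next_set['widget_comment_cache'])) {
            $comments = Theme::Cache($this->id . '_query', static function () use ($comment_args) {
                return get_comments($comment_args);
            });
            $comment_list = Theme::Cache($this->id . '_list', static function () use ($comments) {
                return self::buildCommentList($comments);
            });
        } else {
            $comment_list = self::buildCommentList(get_comments($comment_args));
        }
        echo '<div class="core-next-widget-comment">';
        // Theme::Cache may hand back something other than an array — keep the guard.
        if (is_array($comment_list) && count($comment_list) > 0) {
            Template::echoListTemplateHtml('widget-comment', $comment_list, []);
        }
        echo '</div>';
        $this->widget_end($args);
    }

    /**
     * 'widget_update_callback' handler: refreshes both cache entries after the
     * widget settings are saved, then passes the settings through unchanged.
     *
     * @param array $instance     Settings after WP_Widget::update().
     * @param array $new_instance Settings as submitted from the form.
     * @return array The unchanged $new_instance.
     */
    public function updateWidgetCache($instance, $new_instance)
    {
        global $core_next_set;
        if (!empty($core_next_set['widget_comment_cache'])) {
            // Bug fix: the original used `isset(...) ?? 1`; isset() is never null,
            // so the `?? 1` was dead. Use the same emptiness test as widget().
            $hide_admin = empty($instance['show_admin_comment']);
            $comment_args = self::commentQueryArgs($new_instance, $hide_admin);
            $id = $this->id;
            $comments = Theme::Cache($id . '_query', static function () use ($comment_args) {
                return get_comments($comment_args);
            }, true);
            Theme::Cache($id . '_list', static function () use ($comments) {
                return self::buildCommentList($comments);
            }, true);
        }
        return $new_instance;
    }

    /**
     * Builds the get_comments() argument array shared by all three query paths.
     *
     * @param array $instance   Saved settings; 'number' defaults to 5.
     * @param bool  $hide_admin Whether to exclude the site owner's comments.
     * @return array<string, mixed>
     */
    private static function commentQueryArgs(array $instance, bool $hide_admin): array
    {
        $args = [
            'number' => absint($instance['number'] ?? 5),
            'status' => 'approve',
        ];
        if ($hide_admin) {
            // User ID 1 is assumed to be the site owner — TODO confirm; resolving the
            // admin id at runtime would be more robust than hard-coding it.
            $args['author__not_in'] = [1];
        }
        return $args;
    }

    /**
     * Converts comment objects into the flat rows consumed by the template.
     * Returns [] (rather than null) when there are no comments.
     *
     * @param mixed $comments Whatever get_comments()/Theme::Cache returned.
     * @return list<array<string, mixed>>
     */
    private static function buildCommentList($comments): array
    {
        $comment_list = [];
        if (!is_iterable($comments)) {
            return $comment_list;
        }
        foreach ($comments as $comment) {
            $data = WordPress::getCommentMeta($comment, false);
            // strtotime() returns false on an unparsable date; avoid passing that to date().
            $ts = strtotime($comment->comment_date);
            $data['date'] = $ts === false ? '' : date('n月j日', $ts);
            $data['post_title'] = get_the_title($comment->comment_post_ID);
            $data['url'] = get_permalink($comment->comment_post_ID);
            // 移除标签. strip_tags() removes markup but does not escape what remains,
            // so the template rendering 'content' must still escape for HTML context
            // — TODO confirm Template::echoListTemplateHtml('widget-comment') does so.
            $data['content'] = strip_tags($comment->comment_content);
            $comment_list[] = $data;
        }
        return $comment_list;
    }
}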