Merge remote-tracking branch 'upstream/master'

modules/comment/comment.controller.php

@@ -517,7 +517,7 @@ class CommentController extends Comment
 	 */
 	function insertComment($obj, $manual_inserted = FALSE, $update_document = TRUE)
 	{
-		if(!$manual_inserted && !checkCSRF())
+		if(!$manual_inserted && !Rhymix\Framework\Security::checkCSRF())
 		{
 			return new BaseObject(-1, 'msg_security_violation');
 		}
@@ -677,23 +677,26 @@ class CommentController extends Comment
 		}
 
 		// if use editor of nohtml, Remove HTML tags from the contents.
-		if(!$manual_inserted || isset($obj->allow_html) || isset($obj->use_html))
+		if (!$manual_inserted || isset($obj->allow_html) || isset($obj->use_html))
 		{
 			$obj->content = EditorModel::converter($obj, 'comment');
 		}
 
 		// remove iframe and script if not a top administrator on the session.
-		if($logged_info->is_admin != 'Y')
+		if ($logged_info->is_admin !== 'Y')
 		{
-			$obj->content = removeHackTag($obj->content);
+			$obj->content = Rhymix\Framework\Filters\HTMLFilter::clean((string)$obj->content);
+		}
+		if (config('db.master.charset') !== 'utf8mb4')
+		{
+			$obj->content = utf8_mbencode($obj->content);
 		}
-		$obj->content = utf8_mbencode($obj->content);
 
+		// Set other flags.
 		if (isset($obj->notify_message) && $obj->notify_message !== 'Y')
 		{
 			$obj->notify_message = 'N';
 		}
-
 		if (isset($obj->is_secret) && $obj->is_secret !== 'Y')
 		{
 			$obj->is_secret = 'N';
@@ -951,7 +954,7 @@ class CommentController extends Comment
 	 */
 	function updateComment($obj, $skip_grant_check = FALSE, $manual_updated = FALSE)
 	{
-		if(!$manual_updated && !checkCSRF())
+		if(!$manual_updated && !Rhymix\Framework\Security::checkCSRF())
 		{
 			return new BaseObject(-1, 'msg_security_violation');
 		}
@@ -1042,11 +1045,14 @@ class CommentController extends Comment
 
 		// remove iframe and script if not a top administrator on the session
 		$logged_info = Context::get('logged_info');
-		if($logged_info->is_admin != 'Y')
+		if ($logged_info->is_admin !== 'Y')
 		{
-			$obj->content = removeHackTag($obj->content);
+			$obj->content = Rhymix\Framework\Filters\HTMLFilter::clean((string)$obj->content);
+		}
+		if (config('db.master.charset') !== 'utf8mb4')
+		{
+			$obj->content = utf8_mbencode($obj->content);
 		}
-		$obj->content = utf8_mbencode($obj->content);
 
 		// begin transaction
 		$oDB = DB::getInstance();