Support incoming webmentions #841
Conversation
Adds a codepath that would store them as trackback or pingback, depending on the metadata available on the sending page.
Separate the MF2 parsing into its own function. Since the origin url is fetched only there, we can easier make that optional later.
Only covers one case: A webmention with an in-reply-to that contains the author's h-card.
The spamblock plugin will check for it later
There was a problem hiding this comment.
I think we need to be careful here because our "bundled-libs" (sadly) is within the docroot. Bundling files in "bin" that could be executed is quite dangerous; normal class files cant be executed, but we need to remove those binaries.
Probably configure our composer.json bindir to something like /tmp outside the project?
Also, there are bin files in extensions like mastermind. We should not bundle those...?
|
Hi @garvinhicking, what exactly is the dangerous scenario here? If I open |
|
I thought I saw .php files in the commot too thst contained non-class code. Need to verify then again. |
|
.php files would be blockable by the .htaccess :) At least for direct browser access. But I don't understand yet how this is different for these bundled libs than with all the others? |
|
@garvinhicking Researching this a bit more, I found no reliable solution for avoiding these files via composer (completely possible I missed something). Instead I added a new Manual htaccess for now, since I assume the checks of the mechanism for the regular htaccess generation is not needed here. |
|
I'm unsure if there are php files in bundled-libs that could be callable via http. I hope not, and am 99% certain... so maybe just try it and see if there come complaints in some plugin?! |
|
I grepped through additional_plugins/ for 'bundled-libs' and saw no code that not very much looked like a require, or the path creation for one. I think we are good on that side :) |
Also adds the trackack link-rel, that was so far only in 2k11
This PR adds webmention support. It enables a webmention endpoint in our comment.php, links to it in 2k11's index.tpl and then stores the webmention as either a pingback or a trackback in the DB.
Webmentions are a kind of linkback, but there are different kind of webmentions in the the spec. The two that seem relevant to me are: First simple mentions, which I think match Pingbacks, where the blog owner is simply informed that someone elsewhere linked to a blog article. The second type are replies, which have additional markup and are like a comment just made on a different site, those I think match trackbacks with their excerpts quite well.
Note that this code does not follow https://indieweb.org/comments#How_to_display completely. Webmentions rely on a bunch of microformat2 markup on the source site, that s9y then has to fetch and interpret. There are some testcases at https://github.com/aaronpk/webmention.io/tree/main/test/data/source.example.org, the only scenario where I enabled trackback mode so far is https://github.com/aaronpk/webmention.io/blob/main/test/data/source.example.org/in-reply-to.html, where the author data is presented as a complete h-card block. All other scenarios should still result in a pingback though.
Additional remarks:
$targetto be a link to the article for the which the webmention endpoint was triggered. On the other hand, it seems to me like the trackback implementation also does not do that - but otoh again, trackbacks do not necessarily have to fetch the origin, the spamblock plugin does that and the check can be disabled.DOMDocumentand xpaths to implement webmentions. That could be also an alternative for us (without copying the code though, the license does not match).What do you think? I'm not a fan of how webmentions could have just been a backwards compatible trackback enhancement but aren't, but with this match to pingbacks and trackbacks for me it seemed reasonable to provide support. If it turns out it is used a lot we could look into sending webmentions ourselves later, if not we can let it rest and there should be no harm done.