Provide e-mail and commenter homepage tokens for comments

This to be added after #307520: Date formatting function?

Can this be made part of the official releases?

The raw vs. sanitized split is to provide two versions of the same data just one that is safe from XSS and one that is not. This code seems to provide different tokens in those places.

$comment->mail ? ('<a href="mailto: '. $comment->mail .'">'. $comment->name .'</a>') : NULL;

This code is not E_ALL compliant (isset($comment->mail)) would help. It's also not safe from XSS. Also, on the comment form it says "The content of this field is kept private and will not be shown publicly." and providing a token for it seems like that privacy could be lost. Either the token description should highlight this point or the token simply should not be provided.

@lomz - please don't set something RTBC unless you have done a review on the code and find it to be flawless.

Also, on the comment form it says "The content of this field is kept private and will not be shown publicly." and providing a token for it seems like that privacy could be lost.

I'm not sure this argument is very valid: There's an [author-mail] token that reveals a node author's email.

The Token module has (realtively new) support for the node author's mail field:

$tokens['node']['author-mail']     = t("Node author's e-mail.");
$tokens['node']['author-mail-raw'] = t("Node author's e-mail. WARNING - raw user input.");

Shouldn't the comment's mail tokens mirror, in their look and function, that of the node's?

1. It should be "mail", not "email".
2. [comment-email-raw] doesn't work for comments written by registered users, does it? This is critical.
3. There's [comment-email-raw], but no [comment-email]. (I wonder, why's there [user-mail] but no [user-mail-raw]?)
4. For comments of registered users, [comment-email-link] doesn't do what it name suggests it does. Mayeb it should be renamed to [comment-contact-link]; OTOH, there's already [comment-homepage-link].

@moofie #7 - I agree with your logic. Tokens are up to the admin to use responsibly.

@moofie #8 -

1. Drupal uses "e-mail" for user facing text (see http://drupal.org/user/register)

Otherwise I love your review. Thanks!

So here's a patch that handles comment emails comparably to the way node emails are handled and it adds comment->homepage. I left out things like the formatted link to the contact page because we don't provide anything like that for nodes so it seems odd to do so for comments. Plus most of the tokens are not formatted html. Plus with the raw data you can add your own formatting if you want.

Anyway, I have an immediate need for a way to contact anonymous comment authors via their email address, so I kept the patch as simple as possible to keep things from getting bogged down.

If we provide a raw token, we should also provide a "non-raw" one. In this case I think that the $comment->homepage can just be sent through check_url and get rid of the [comment-homepage-raw] so it is just [comment-homepage]. @karens - could you try that out and see if it works for you?

Otherwise, looks great to me.

New patch. I just have homepage, not homepage-raw, and I also changed the name to comment-author-homepage for consistency with the other comment author token names.

Oops, did check_plain() instead of check_url(). New patch.

Awesome, thanks KarenS!

Committed to 6.x http://drupal.org/cvs?commit=214650
And 5.x: http://drupal.org/cvs?commit=214652