esc_html( $comment_reply_title_tag )
<form id="commentform" class="comment-form">
title="<?php esc_attr_e( 'Comment Form', 'jetpack' ); ?>"
src="<?php echo esc_url( $url ); ?>"
<?php if ( $is_amp ) : ?>
height="<?php echo esc_attr( $height ); ?>"
name="jetpack_remote_comment"
style="width:100%; height: <?php echo esc_attr( $height ); ?>px; border:0;"
class="jetpack_remote_comment"
id="jetpack_remote_comment"
sandbox="allow-same-origin allow-top-navigation allow-scripts allow-forms allow-popups"
<?php if ( $is_amp ) : ?>
<button overflow><?php esc_html_e( 'Show more', 'jetpack' ); ?></button>
<?php if ( ! $is_amp ) : ?>
document.addEventListener('DOMContentLoaded', function () {
var commentForms = document.getElementsByClassName('jetpack_remote_comment');
for (var i = 0; i < commentForms.length; i++) {
commentForms[i].allowTransparency = <?php echo esc_html( $transparent ); ?>;
commentForms[i].scrolling = 'no';
<?php // Below is required for comment reply JS to work. ?>
<input type="hidden" name="comment_parent" id="comment_parent" value="" />
* Add some JS to wp_footer to watch for hierarchical reply parent change
* If AMP is enabled, we don't make any changes.
public function watch_comment_parent() {
// Emits an inline script that keeps the remote comment iframe in sync with the
// page: it forwards the threaded-reply parent to the iframe as a `replytocom`
// query parameter and resizes the matching iframe from postMessage events.
//
// Trust boundary: the message listener compares event.origin with the exact
// string 'https://jetpack.wordpress.com'. The statement taken on a mismatch is
// not visible in this excerpt (presumably an early return).
// NOTE(review): the payload guard uses `&&`, so it rejects a message only when
// BOTH iframeUniqueId and height are absent; a message carrying just one of them
// still reaches the resize loop. Confirm whether `||` was intended.
// NOTE(review): in the lines shown, event.data.height is concatenated with 'px'
// and assigned to style.height without a numeric check, the id match uses loose
// `==`, and eventDataUniqueId is assigned but never read.
if ( class_exists( Jetpack_AMP_Support::class ) && Jetpack_AMP_Support::is_amp_request() ) {
// @todo Implement AMP support.
<script type="text/javascript">
const iframe = document.getElementById( 'jetpack_remote_comment' );
<?php if ( get_option( 'thread_comments' ) && get_option( 'thread_comments_depth' ) ) : ?>
const watchReply = function() {
// Check addComment._Jetpack_moveForm to make sure we don't monkey-patch twice.
if ( 'undefined' !== typeof addComment && ! addComment._Jetpack_moveForm ) {
// Cache the Core function.
addComment._Jetpack_moveForm = addComment.moveForm;
const commentParent = document.getElementById( 'comment_parent' );
const cancel = document.getElementById( 'cancel-comment-reply-link' );
function tellFrameNewParent ( commentParentValue ) {
const url = new URL( iframe.src );
if ( commentParentValue ) {
url.searchParams.set( 'replytocom', commentParentValue )
url.searchParams.delete( 'replytocom' );
if( iframe.src !== url.href ) {
cancel.addEventListener( 'click', function () {
tellFrameNewParent( false );
addComment.moveForm = function ( _, parentId ) {
tellFrameNewParent( parentId );
return addComment._Jetpack_moveForm.apply( null, arguments );
document.addEventListener( 'DOMContentLoaded', watchReply );
// In WP 6.4+, the script is loaded asynchronously, so we need to wait for it to load before we monkey-patch the functions it introduces.
document.querySelector('#comment-reply-js')?.addEventListener( 'load', watchReply );
const commentIframes = document.getElementsByClassName('jetpack_remote_comment');
window.addEventListener('message', function(event) {
if (event.origin !== 'https://jetpack.wordpress.com') {
if (!event?.data?.iframeUniqueId && !event?.data?.height) {
const eventDataUniqueId = event.data.iframeUniqueId;
// Change height for the matching comment iframe
for (let i = 0; i < commentIframes.length; i++) {
const iframe = commentIframes[i];
const url = new URL(iframe.src);
const iframeUniqueIdParam = url.searchParams.get('iframe_unique_id');
if (iframeUniqueIdParam == event.data.iframeUniqueId) {
iframe.style.height = event.data.height + 'px';
* Verify the hash included in remote comments.
* If the Jetpack token is missing we return nothing,
* and if the token is unknown or invalid, or comments not allowed, an error is returned.
public function pre_comment_on_post() {
// Authenticates a comment POST relayed from the remote comment form: checks the
// nonce, looks up the blog token named by token_key, recomputes the signature
// over the POST fields and compares it with the submitted sig. Every rejection
// ends in wp_die().
// Work on an unslashed copy; the live $_POST is only touched by the unset() below.
$post_array = stripslashes_deep( $_POST );
// Bail if missing the Jetpack token.
// sig must be a string because hash_equals() below expects strings. token_key is
// only checked for presence — NOTE(review): confirm get_access_token() tolerates
// a non-string token_key such as an array.
if ( ! isset( $post_array['sig'] ) || ! isset( $post_array['token_key'] ) || ! is_string( $post_array['sig'] ) ) {
// Missing-token branch: drop hc_post_as from the live $_POST.
unset( $_POST['hc_post_as'] );
// NOTE(review): comment_post_ID is read without an isset() check in the lines
// shown; it is interpolated into the nonce action string.
if ( empty( $post_array['jetpack_comments_nonce'] ) || ! wp_verify_nonce( $post_array['jetpack_comments_nonce'], "jetpack_comments_nonce-{$post_array['comment_post_ID']}" ) ) {
// Without the only_once query flag the POST is replayed from the browser by
// retry_submit_comment_form_locally(). That replay carries only_once=true, so a
// repeated nonce failure is expected to reach the wp_die() below instead of looping.
if ( ! isset( $_GET['only_once'] ) ) {
self::retry_submit_comment_form_locally();
wp_die( esc_html__( 'Nonce verification failed.', 'jetpack' ), 400 );
// NOTE(review): hc_avatar is read without an isset() check, and str_contains()
// matches '.gravatar.com' anywhere in the value, not only in the host. This only
// selects which values get entity-encoded; it is not a host allowlist and must
// not be relied on as one.
if ( is_string( $post_array['hc_avatar'] ) && str_contains( $post_array['hc_avatar'], '.gravatar.com' ) ) {
$post_array['hc_avatar'] = htmlentities( $post_array['hc_avatar'], ENT_COMPAT );
// Look up the blog token that the request claims to be signed with.
$blog_token = ( new Tokens() )->get_access_token( false, $post_array['token_key'] );
if ( ! $blog_token || is_wp_error( $blog_token ) ) {
wp_die( esc_html__( 'Unknown security token.', 'jetpack' ), 400 );
// Recompute the expected signature from the POST fields and the token secret.
$check = self::sign_remote_comment_parameters( $post_array, $blog_token->secret );
// NOTE(review): $check is a WP_Error in this branch, yet esc_html() expects a
// string; wp_die() accepts a WP_Error directly. Confirm this path renders the
// intended message. No HTTP status is passed here, unlike the other wp_die() calls.
if ( is_wp_error( $check ) ) {
wp_die( esc_html( $check ) );
// Bail if token is expired or not valid.
// hash_equals() compares in constant time, so the check does not reveal how much
// of the submitted signature matched.
if ( ! hash_equals( $check, $post_array['sig'] ) ) {
wp_die( esc_html__( 'Invalid security token.', 'jetpack' ), 400 );
/** This filter is documented in modules/comments/comments.php */
// The filter name is built from the post type of the submitted comment_post_ID.
if ( ! apply_filters( 'jetpack_comment_form_enabled_for_' . get_post_type( $post_array['comment_post_ID'] ), true ) ) {
// In case the comment POST is legit, but the comments are
// now disabled, we don't allow the comment.
wp_die( esc_html__( 'Comments are not allowed.', 'jetpack' ), 403 );
* Handle Jetpack Comments POST requests: process the comment form, then client-side POST the results to the self-hosted blog
* This function exists because when we submit the form via the jetpack.wordpress.com iframe
* in Chrome the request comes in to Jetpack but for some reason the request doesn't have access to cookies yet.
* By submitting the form again locally with the same data the process works as expected.
public function retry_submit_comment_form_locally() {
// Renders a page whose hidden form replays every received POST field to
// wp-comments-post.php with for=jetpack&only_once=true and submits it from script.
// The fields are still unauthenticated here, so this method must stay a pure
// relay: each key and value is written with esc_attr() and nothing is acted on
// until the replayed request passes pre_comment_on_post().
// NOTE(review): esc_attr() expects a string; a nested POST array value would not
// round-trip through the hidden inputs — confirm array fields cannot occur.
// We are not doing any validation here since all the validation will be done again by pre_comment_on_post().
// phpcs:ignore WordPress.Security.NonceVerification.Missing
$comment_data = stripslashes_deep( $_POST );
<link rel="preload" as="image" href="https://jetpack.wordpress.com/wp-admin/images/spinner.gif"> <!-- Preload the spinner image -->
<title><?php echo esc_html__( 'Submitting Comment', 'jetpack' ); ?></title>
<img src="https://jetpack.wordpress.com/wp-admin/images/spinner.gif" >
<form id="jetpack-remote-comment-post-form" action="<?php echo esc_url( get_site_url() ); ?>/wp-comments-post.php?for=jetpack&only_once=true" method="POST">
<?php foreach ( $comment_data as $key => $val ) : ?>
<input type="hidden" name="<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $val ); ?>" />
<script type="text/javascript">
document.getElementById("jetpack-remote-comment-post-form").submit();
/** Capabilities **********************************************************/
* Add some additional comment meta after comment is saved about what
* service the comment is from, the avatar, user_id, etc...
* @param int $comment_id The comment ID.
public function add_comment_meta( $comment_id ) {
// Stores provider details from the POST as comment meta, one branch per value of
// is_highlander_comment_post() (the case labels are not visible in this excerpt).
// filter_var() is called without a filter argument, i.e. FILTER_DEFAULT, which
// does not sanitize: string values are stored as submitted, and a non-scalar
// value yields false. Anything reading hc_avatar, hc_foreign_user_id or
// hc_wpcom_id_sig back must escape for its output context (e.g. esc_url() for
// the avatar URL).
// Nonce verification is switched off for this span — NOTE(review): presumably
// the request was already authenticated by pre_comment_on_post(); confirm the
// hook order guarantees that.
// phpcs:disable WordPress.Security.NonceVerification.Missing
switch ( $this->is_highlander_comment_post() ) {
$comment_meta['hc_post_as'] = 'facebook';
$comment_meta['hc_avatar'] = isset( $_POST['hc_avatar'] ) ? filter_var( wp_unslash( $_POST['hc_avatar'] ) ) : null;
$comment_meta['hc_foreign_user_id'] = isset( $_POST['hc_userid'] ) ? filter_var( wp_unslash( $_POST['hc_userid'] ) ) : null;
// phpcs:ignore WordPress.WP.CapitalPDangit
// phpcs:ignore WordPress.WP.CapitalPDangit
$comment_meta['hc_post_as'] = 'wordpress';
$comment_meta['hc_avatar'] = isset( $_POST['hc_avatar'] ) ? filter_var( wp_unslash( $_POST['hc_avatar'] ) ) : null;
$comment_meta['hc_foreign_user_id'] = isset( $_POST['hc_userid'] ) ? filter_var( wp_unslash( $_POST['hc_userid'] ) ) : null;
$comment_meta['hc_wpcom_id_sig'] = isset( $_POST['hc_wpcom_id_sig'] ) ? filter_var( wp_unslash( $_POST['hc_wpcom_id_sig'] ) ) : null; // since 1.9.
$comment_meta['hc_post_as'] = 'jetpack';
$comment_meta['hc_avatar'] = isset( $_POST['hc_avatar'] ) ? filter_var( wp_unslash( $_POST['hc_avatar'] ) ) : null;
$comment_meta['hc_foreign_user_id'] = isset( $_POST['hc_userid'] ) ? filter_var( wp_unslash( $_POST['hc_userid'] ) ) : null;
// phpcs:enable WordPress.Security.NonceVerification.Missing
// Bail if no extra comment meta.
if ( empty( $comment_meta ) ) {
// Loop through extra meta and add values.
// The final `true` asks add_comment_meta() to keep each key unique per comment.
foreach ( $comment_meta as $key => $value ) {
add_comment_meta( $comment_id, $key, $value, true );
* Should show the subscription modal
public function should_show_subscription_modal() {
// Returns true only when the modal is enabled for this site and the POST does
// not mark the commenter as already subscribed. The subscribed flag is
// client-supplied, so it may only gate what is displayed.
// Not allow it to run on self-hosted or simple sites
if ( ! ( new Host() )->is_wpcom_platform() || ( new Host() )->is_wpcom_simple() ) {
// phpcs:disable WordPress.Security.NonceVerification.Missing
// NOTE(review): `(bool)` binds tighter than `?:`, so it casts the isset() result,
// not the ternary. The variable ends up holding the raw filter_var() string (or
// null), and any non-empty string other than '0' — including 'false' — is truthy
// in the return expression. FILTER_VALIDATE_BOOLEAN would parse the flag; confirm
// which values the form sends.
$is_current_user_subscribed = (bool) isset( $_POST['is_current_user_subscribed'] ) ? filter_var( wp_unslash( $_POST['is_current_user_subscribed'] ) ) : null;
// Atomic sites with jetpack_verbum_subscription_modal option enabled
// The option defaults to true when it has never been stored.
$modal_enabled = ( new Host() )->is_woa_site() && get_option( 'jetpack_verbum_subscription_modal', true );
return $modal_enabled && ! $is_current_user_subscribed;
* Get the data to send as an event to the parent window on subscription modal
* @param string $url url to redirect to.
public function get_subscription_modal_data_to_parent( $url ) {
// Collects the values reported to the parent window for the subscription modal.
// email and comment_post_ID come straight from the POST through filter_var()
// with the default (non-sanitizing) filter; is_logged_in only reflects whether
// the client sent hc_userid and is not an authentication check.
// NOTE(review): esc_attr() escapes for an HTML attribute, and how this array is
// serialized is not visible here. If it is embedded in script or JSON, encode
// the whole structure for that context (e.g. wp_json_encode()). 'email' is the
// one request-derived value left unescaped in the lines shown.
// NOTE(review): $url is not used in the lines shown.
// phpcs:ignore WordPress.Security.NonceVerification.Missing
$current_user_email = isset( $_POST['email'] ) ? filter_var( wp_unslash( $_POST['email'] ) ) : null;
// phpcs:ignore WordPress.Security.NonceVerification.Missing
$post_id = isset( $_POST['comment_post_ID'] ) ? filter_var( wp_unslash( $_POST['comment_post_ID'] ) ) : null;
'email' => $current_user_email,
'blog_id' => esc_attr( \Jetpack_Options::get_option( 'id' ) ),
'post_id' => esc_attr( $post_id ),
'lang' => esc_attr( get_locale() ),
'is_logged_in' => isset( $_POST['hc_userid'] ),
* Track the hidden event for the subscription modal
public function subscription_modal_status_track_event() {
// Records why the subscription modal was not shown. The reason starts as
// 'hidden_disabled' and is replaced by a more specific value in the branches
// below before being sent as a stat.
$tracking_event = 'hidden_disabled';
// Not allow it to run on self-hosted or simple sites
if ( ! ( new Host() )->is_wpcom_platform() || ( new Host() )->is_wpcom_simple() ) {
$tracking_event = 'hidden_self_hosted';
// phpcs:disable WordPress.Security.NonceVerification.Missing
// NOTE(review): `(bool)` casts the isset() result, not the ternary, so this holds
// the raw filter_var() string (or null). A client-supplied 'false' is truthy and
// would be counted as 'hidden_already_subscribed'; FILTER_VALIDATE_BOOLEAN would
// parse the flag. Confirm which values the form sends.
$is_current_user_subscribed = (bool) isset( $_POST['is_current_user_subscribed'] ) ? filter_var( wp_unslash( $_POST['is_current_user_subscribed'] ) ) : null;
if ( $is_current_user_subscribed ) {
$tracking_event = 'hidden_already_subscribed';
$jetpack = Jetpack::init();
// $jetpack->stat automatically prepends the stat group with 'jetpack-'
$jetpack->stat( 'subscribe-modal-comm', $tracking_event );
$jetpack->do_stats( 'server_side' );
* Catch the duplicated comment error and show a custom error page
public function capture_comment_duplicate_trigger() {
// Renders a standalone error page when a comment submitted through the Jetpack
// form is rejected as a duplicate.
// The `for=jetpack` query flag only selects this code path; it is
// caller-controlled and is not an authenticity check.
// NOTE(review): the 'Submitting Comment%s' translation is printed with output
// escaping suppressed (see the phpcs:ignore below); the enclosing call is not
// visible in this excerpt. Translation files are external input, so esc_html__()
// would be the safer source for the format string.
// NOTE(review): the Back link uses a javascript: URL, which a
// Content-Security-Policy without 'unsafe-inline' blocks; a click listener
// avoids that dependency.
if ( ! isset( $_GET['for'] ) || 'jetpack' !== $_GET['for'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
<html <?php language_attributes(); ?>>
<meta charset="<?php bloginfo( 'charset' ); ?>" />
/* translators: %s is replaced by an ellipsis */
__( 'Submitting Comment%s', 'jetpack' ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
font-family: "HelveticaNeue-Light", "Helvetica Neue Light", "Helvetica Neue", sans-serif;
font-family: "HelveticaNeue-Light", "Helvetica Neue Light", "Helvetica Neue", sans-serif;
text-decoration: underline;
esc_html_e( 'Duplicate comment detected; it looks as though you’ve already said that!', 'jetpack' );
<a href="javascript:backToComments()"><?php esc_html_e( '« Back', 'jetpack' ); ?></a>
<script type="text/javascript">
function backToComments() {
return regexp.test(navigator.userAgent);
if (test(/chrome|chromium|crios|safari|edg/i)) {
* POST the submitted comment to the iframe
* @param string $url The comment URL origin.
public function capture_comment_post_redirect_to_reload_parent_frame( $url ) {
if ( ! isset( $_GET['for'] ) || 'jetpack' !== $_GET['for'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
$should_show_subscription_modal = $this->should_show_subscription_modal();
// Track event when not showing the subscription modal
if ( ! $should_show_subscription_modal ) {
$this->subscription_modal_status_track_event();
<html <?php language_attributes(); ?>>
<meta charset="<?php bloginfo( 'charset' ); ?>" />
/* translators: %s is replaced by an ellipsis */
__( 'Submitting Comment%s', 'jetpack' ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
font-family: "HelveticaNeue-Light", "Helvetica Neue Light", "Helvetica Neue", sans-serif;
-moz-transition-property: opacity;
-moz-transition-duration: 1s;