Ticket #8576: 8576.diff

File 8576.diff, 17.4 KB (added by espellcaste, 2 years ago)
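diff --git a/src/bp-activity/classes/class-bp-activity-activity.php b/src/bp-activity/classes/class-bp-activity-activity.php
index cf084c16f..71611dbe9 100644
--- a/src/bp-activity/classes/class-bp-activity-activity.php
+++ b/src/bp-activity/classes/class-bp-activity-activity.php
@@ -507,10 +507,10 @@ class BP_Activity_Activity {
 			}
 		}
 
-		// Sorting.
+		// Sanitize 'order'.
 		$sort = $r['sort'];
-		if ( $sort != 'ASC' && $sort != 'DESC' ) {
-			$sort = 'DESC';
+		if ( 'DESC' !== $sort ) {
+			$sort = bp_esc_sql_order( $sort );
 		}
 
 		switch( $r['order_by'] ) {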
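Review bot: The `'DESC' !== $sort` guard around `bp_esc_sql_order()` at new lines 512–513 adds nothing, because the helper has to normalise every value it is given anyway; `$sort = bp_esc_sql_order( $r['sort'] );` in place of the three lines states the intent directly. More importantly, the removed branch defaulted unrecognised values to 'DESC' (old line 513), as did the invitation and notification templates patched in this diff, while BP_Messages_Thread defaulted to 'ASC', so whatever `bp_esc_sql_order()` returns for garbage input (its body is not in this diff), one of those groups changes behaviour for invalid input. A test that passes a value that is neither ASC nor DESC would pin the direction the patch settles on. The enclosing method continues outside the hunk.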
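diff --git a/src/bp-blogs/bp-blogs-functions.php b/src/bp-blogs/bp-blogs-functions.php
index c64e88ab7..743090230 100644
--- a/src/bp-blogs/bp-blogs-functions.php
+++ b/src/bp-blogs/bp-blogs-functions.php
@@ -91,12 +91,11 @@ function bp_blogs_get_blogs( $args = '' ) {
  *
  * @param array $args {
  *     Array of arguments.
- *     @type int   $offset   The offset to use.
- *     @type int   $limit    The number of blogs to record at one time.
- *     @type array $blog_ids Blog IDs to record. If empty, all blogs will be recorded.
- *     @type array $site_id  The network site ID to use.
+ *     @type int    $offset   The offset to use.
+ *     @type int    $limit    The number of blogs to record at one time.
+ *     @type array  $blog_ids Blog IDs to record. If empty, all blogs will be recorded.
+ *     @type array  $site_id  The network site ID to use.
  * }
- *
  * @return bool
  */
 function bp_blogs_record_existing_blogs( $args = array() ) {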
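diff --git a/src/bp-blogs/bp-blogs-template.php b/src/bp-blogs/bp-blogs-template.php
index 5b06fcfce..f6f353658 100644
--- a/src/bp-blogs/bp-blogs-template.php
+++ b/src/bp-blogs/bp-blogs-template.php
@@ -97,6 +97,8 @@ function bp_blogs_directory_permalink() {
 
 /**
  * Rewind the blogs and reset blog index.
+ *
+ * @global BP_Blogs_Template $blogs_template {@link BP_Blogs_Template}
  */
 function bp_rewind_blogs() {
 	global $blogs_template;
@@ -111,7 +113,7 @@ function bp_rewind_blogs() {
  * global, enabling the use of BuddyPress templates and template functions to
  * display a list of activity items.
  *
- * @global object $blogs_template {@link BP_Blogs_Template}
+ * @global BP_Blogs_Template $blogs_template {@link BP_Blogs_Template}
  *
  * @param array|string $args {
  *     Arguments for limiting the contents of the blogs loop. Most arguments
@@ -133,7 +135,6 @@ function bp_rewind_blogs() {
  *     @type string   $type             The order in which results should be fetched.
  *                                      'active', 'alphabetical', 'newest', or 'random'.
  *     @type array    $include_blog_ids Array of blog IDs to limit results to.
- *     @type string   $sort             'ASC' or 'DESC'. Default: 'DESC'.
  *     @type string   $search_terms     Limit results by a search term. Default: the value of `$_REQUEST['s']` or
  *                                      `$_REQUEST['sites_search']`, if present.
  *     @type int      $user_id          The ID of the user whose blogs should be retrieved.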
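diff --git a/src/bp-core/bp-core-functions.php b/src/bp-core/bp-core-functions.php
index e2acd9373..6007f05ac 100644
--- a/src/bp-core/bp-core-functions.php
+++ b/src/bp-core/bp-core-functions.php
@@ -92,7 +92,7 @@ function bp_is_running_wp( $version, $compare = '>=' ) {
  *
  * @since 1.2.6
  *
- * @global object $wpdb WordPress database object.
+ * @global wpdb $wpdb WordPress database object.
  *
  * @return string Filtered database prefix.
  */
@@ -383,6 +383,7 @@ function bp_esc_sql_order( $order = '' ) {
  *
  * @since 2.1.0
  *
+ * @global wpdb $wpdb WordPress database object.
  * @see wpdb::esc_like() for more details on proper use.
  *
  * @param string $text The raw text to be escaped.
@@ -394,9 +395,9 @@ function bp_esc_like( $text ) {
 
 	if ( method_exists( $wpdb, 'esc_like' ) ) {
 		return $wpdb->esc_like( $text );
-	} else {
-		return addcslashes( $text, '_%\\' );
 	}
+
+	return addcslashes( $text, '_%\\' );
 }
 
 /**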
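diff --git a/src/bp-friends/classes/class-bp-friends-friendship.php b/src/bp-friends/classes/class-bp-friends-friendship.php
index 69cbf2eb0..dcce808e1 100644
--- a/src/bp-friends/classes/class-bp-friends-friendship.php
+++ b/src/bp-friends/classes/class-bp-friends-friendship.php
@@ -257,7 +257,7 @@ class BP_Friends_Friendship {
 	 *        @type int    $is_confirmed      Whether the friendship has been accepted.
 	 *        @type int    $is_limited        Whether the friendship is limited.
 	 *        @type string $order_by          Column name to order by.
-	 *        @type string $sort_order        ASC or DESC. Default DESC.
+	 *        @type string $sort_order        Optional. ASC or DESC. Default: 'DESC'.
 	 * }
 	 * @param string $operator Optional. Operator to use in `wp_list_filter()`.
 	 *
@@ -369,7 +369,7 @@ class BP_Friends_Friendship {
 		}
 
 		// Adjust the sort direction of the results.
-		if ( 'ASC' === strtoupper( $r['sort_order'] ) ) {
+		if ( 'ASC' === bp_esc_sql_order( $r['sort_order'] ) ) {
 			// `true` to preserve keys.
 			$friendships = array_reverse( $friendships, true );
 		}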
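Review bot: `'ASC' === bp_esc_sql_order( $r['sort_order'] )` at new line 372 reverses the result set for every input the helper maps to 'ASC', which presumably includes its fallback for empty or unrecognised values, whereas the old `strtoupper()` test left such values on the default DESC ordering that the docblock edited in the first hunk (`Default: 'DESC'`) still promises. If the helper does fall back to 'ASC' (its body is not in this diff), either the docblock should say that unrecognised values sort ascending, or the strict comparison should stay, `if ( 'ASC' === strtoupper( trim( (string) $r['sort_order'] ) ) ) {`. The enclosing method starts and ends outside the hunk.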
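diff --git a/src/bp-groups/classes/class-bp-groups-list-table.php b/src/bp-groups/classes/class-bp-groups-list-table.php
index 4a102b3fd..7d3dff995 100644
--- a/src/bp-groups/classes/class-bp-groups-list-table.php
+++ b/src/bp-groups/classes/class-bp-groups-list-table.php
@@ -96,7 +96,7 @@ class BP_Groups_List_Table extends WP_List_Table {
 		// Sort order.
 		$order = 'DESC';
 		if ( ! empty( $_REQUEST['order'] ) ) {
-			$order = ( 'desc' == strtolower( $_REQUEST['order'] ) ) ? 'DESC' : 'ASC';
+			$order = bp_esc_sql_order( $_REQUEST['order'] );
 		}
 
 		// Order by - default to newest.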
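diff --git a/src/bp-members/classes/class-bp-members-invitations-template.php b/src/bp-members/classes/class-bp-members-invitations-template.php
index 3270eed7d..184ac23b7 100644
--- a/src/bp-members/classes/class-bp-members-invitations-template.php
+++ b/src/bp-members/classes/class-bp-members-invitations-template.php
@@ -184,21 +184,18 @@ class BP_Members_Invitations_Template {
 		);
 
 		// Sort order direction.
-		$orders = array( 'ASC', 'DESC' );
-		if ( ! empty( $_GET['sort_order'] ) && in_array( $_GET['sort_order'], $orders ) ) {
+		if ( ! empty( $_GET['sort_order'] ) ) {
 			$r['sort_order'] = $_GET['sort_order'];
-		} else {
-			$r['sort_order'] = in_array( $r['sort_order'], $orders ) ? $r['sort_order'] : 'DESC';
 		}
 
 		// Setup variables.
 		$this->pag_arg      = sanitize_key( $r['page_arg'] );
 		$this->pag_page     = bp_sanitize_pagination_arg( $this->pag_arg, $r['page'] );
 		$this->pag_num      = bp_sanitize_pagination_arg( 'num', $r['per_page'] );
+		$this->sort_order   = bp_esc_sql_order( $r['sort_order'] );
 		$this->user_id      = $r['user_id'];
 		$this->search_terms = $r['search_terms'];
 		$this->order_by     = $r['order_by'];
-		$this->sort_order   = $r['sort_order'];
 		$this->query_vars   = array(
 			'id'            => $r['id'],
 			'user_id'       => $r['user_id'],
@@ -252,11 +249,7 @@ class BP_Members_Invitations_Template {
 	 * @return bool True if there are items in the loop, otherwise false.
 	 */
 	public function has_invitations() {
-		if ( $this->current_invitation_count ) {
-			return true;
-		}
-
-		return false;
+		return ! empty( $this->current_invitation_count );
 	}
 
 	/**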
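Review bot: Dropping the `$orders` whitelist leaves `$r['sort_order']` holding the raw `$_GET['sort_order']` string after new line 188, and only `$this->sort_order` is passed through `bp_esc_sql_order()`; the `$this->query_vars` array that opens at new line 199 continues past the hunk, so if it still carries a `'sort_order' => $r['sort_order']` entry, that unnormalised request value reaches the query. Normalising once at the source, `$r['sort_order'] = bp_esc_sql_order( $r['sort_order'] );` immediately after the `if` block (and then `$this->sort_order = $r['sort_order'];`), keeps every later consumer on the same checked value. The removed `in_array()` also quietly rejected a non-string `$_GET['sort_order']` (an array query parameter); if `bp_esc_sql_order()` applies string functions to its argument that now surfaces as a TypeError on PHP 8, so an `is_string()` check or `(string)` cast before the assignment is worth keeping. The identical hunk in class-bp-notifications-template.php has the same two issues. The removed `else` branch also fixed the fallback for invalid values at 'DESC'; the new fallback is whatever the helper returns, which this diff does not show.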
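diff --git a/src/bp-messages/bp-messages-template.php b/src/bp-messages/bp-messages-template.php
index b5441b294..47064ebb8 100644
--- a/src/bp-messages/bp-messages-template.php
+++ b/src/bp-messages/bp-messages-template.php
@@ -1634,11 +1634,11 @@ function bp_message_get_recipient_usernames() {
  *
  * @param array|string $args {
  *     Array of arguments. All are optional.
- *     @type int      $thread_id         ID of the thread whose messages you are displaying.
+ *     @type int      $thread_id         Optional. ID of the thread whose messages you are displaying.
  *                                       Default: if viewing a thread, the thread ID will be parsed from
  *                                       the URL (bp_action_variable( 0 )).
- *     @type string   $order             'ASC' or 'DESC'. Default: 'ASC'.
- *     @type bool     $update_meta_cache Whether to pre-fetch metadata for
+ *     @type string   $order             Optional. 'ASC' or 'DESC'. Default: 'ASC'.
+ *     @type bool     $update_meta_cache Optional. Whether to pre-fetch metadata for
  *                                       queried message items. Default: true.
  *     @type int|null $page              Page of messages being requested. Default to null, meaning all.
  *     @type int|null $per_page          Messages to return per page. Default to null, meaning all.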
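diff --git a/src/bp-messages/classes/class-bp-messages-thread-template.php b/src/bp-messages/classes/class-bp-messages-thread-template.php
index 3623f85a1..6a4429819 100644
--- a/src/bp-messages/classes/class-bp-messages-thread-template.php
+++ b/src/bp-messages/classes/class-bp-messages-thread-template.php
@@ -84,7 +84,8 @@ class BP_Messages_Thread_Template {
 	 * @see BP_Messages_Thread::populate() for full parameter info.
 	 *
 	 * @param int    $thread_id ID of the message thread to display.
-	 * @param string $order     Order to show the thread's messages in.
+	 * @param string $order     Optional. Order to show the thread's messages in.
+	 *                          Default: 'ASC'.
 	 * @param array  $args      Array of arguments for the query.
 	 */
 	public function __construct( $thread_id = 0, $order = 'ASC', $args = array() ) {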
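diff --git a/src/bp-messages/classes/class-bp-messages-thread.php b/src/bp-messages/classes/class-bp-messages-thread.php
index e1a7f1891..889e0a014 100644
--- a/src/bp-messages/classes/class-bp-messages-thread.php
+++ b/src/bp-messages/classes/class-bp-messages-thread.php
@@ -121,7 +121,7 @@ class BP_Messages_Thread {
 	 *                                            queried message items. Default: true.
 	 *     @type int|null    $page                Page of messages being requested. Default to null, meaning all.
 	 *     @type int|null    $per_page            Messages to return per page. Default to null, meaning all.
-	 *     @type string      $order               The order to sort the messages. Either 'ASC' or 'DESC'.
+	 *     @type string      $order               Optional. The order to sort the messages. Either 'ASC' or 'DESC'.
 	 *                                            Defaults to 'ASC'.
 	 *     @type int|null    $recipients_page     Page of recipients being requested. Default to null, meaning all.
 	 *     @type int|null    $recipients_per_page Recipients to return per page. Defaults to null, meaning all.
@@ -160,10 +160,6 @@ class BP_Messages_Thread {
 	 */
 	public function populate( $thread_id = 0, $order = 'ASC', $args = array() ) {
 
-		if ( ! in_array( strtoupper( $order ), array( 'ASC', 'DESC' ), true ) ) {
-			$order = 'ASC';
-		}
-
 		$user_id =
 			bp_displayed_user_id() ?
 			bp_displayed_user_id() :
@@ -177,13 +173,13 @@ class BP_Messages_Thread {
 				'update_meta_cache'   => true,
 				'page'                => null,
 				'per_page'            => null,
-				'order'               => $order,
+				'order'               => bp_esc_sql_order( $order ),
 				'recipients_page'     => null,
 				'recipients_per_page' => null,
 			)
 		);
 
-		$this->messages_order = $order;
+		$this->messages_order = $r['order'];
 		$this->thread_id      = (int) $thread_id;
 
 		// Get messages for thread.
@@ -373,10 +369,8 @@ class BP_Messages_Thread {
 			)
 		);
 
-		// Fallback.
-		if ( ! in_array( strtoupper( $r['order'] ), array( 'ASC', 'DESC' ), true ) ) {
-			$r['order'] = 'ASC';
-		}
+		// Sanitize 'order'.
+		$r['order'] = bp_esc_sql_order( $r['order'] );
 
 		// Get messages from cache if available.
 		$messages = wp_cache_get( $thread_id, 'bp_messages_threads' );
@@ -403,7 +397,7 @@ class BP_Messages_Thread {
 		}
 
 		// Flip if order is DESC.
-		if ( 'DESC' === strtoupper( $r['order'] ) ) {
+		if ( 'DESC' === $r['order'] ) {
 			$messages = array_reverse( $messages );
 		}
 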
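Review bot: In populate(), `bp_esc_sql_order( $order )` at new line 176 only normalises the default; an `'order'` key supplied through `$args` replaces that default during argument parsing, so `$this->messages_order = $r['order'];` at new line 182 can store a caller-supplied value that never went through the helper, which the old `$this->messages_order = $order;` (guarded by the removed lines 163–165) could not. Storing the normalised value instead, `$this->messages_order = bp_esc_sql_order( $r['order'] );`, keeps the property consistent with what get_messages() actually executes, since it normalises `$r['order']` itself at new lines 372–373. The `'DESC' === $r['order']` comparison at new line 400 is only correct because of that earlier normalisation in the same method, which deserves a short comment such as `// $r['order'] is already 'ASC' or 'DESC' here, see the sanitization above.`. populate() continues outside the hunk, so whether `$r` or the raw `$order` is forwarded to get_messages() cannot be confirmed from this diff.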
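diff --git a/src/bp-notifications/bp-notifications-template.php b/src/bp-notifications/bp-notifications-template.php
index f13267d3d..9ab7a998a 100644
--- a/src/bp-notifications/bp-notifications-template.php
+++ b/src/bp-notifications/bp-notifications-template.php
@@ -997,8 +997,8 @@ function bp_notifications_sort_order_form() {
 	$selected = 'DESC';
 
 	// Check for a custom sort_order.
-	if ( !empty( $_REQUEST['sort_order'] ) ) {
-		if ( in_array( $_REQUEST['sort_order'], $orders ) ) {
+	if ( ! empty( $_REQUEST['sort_order'] ) ) {
+		if ( in_array( $_REQUEST['sort_order'], $orders, true ) ) {
 			$selected = $_REQUEST['sort_order'];
 		}
 	} ?>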
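diff --git a/src/bp-notifications/classes/class-bp-notifications-notification.php b/src/bp-notifications/classes/class-bp-notifications-notification.php
index 1adb42cd1..0403ad7b9 100644
--- a/src/bp-notifications/classes/class-bp-notifications-notification.php
+++ b/src/bp-notifications/classes/class-bp-notifications-notification.php
@@ -446,8 +446,8 @@ class BP_Notifications_Notification {
 		}
 
 		// Sort order direction.
-		if ( ! empty( $args['sort_order'] ) && in_array( $args['sort_order'], array( 'ASC', 'DESC' ), true ) ) {
-			$sort_order               = $args['sort_order'];
+		if ( ! empty( $args['sort_order'] ) ) {
+			$sort_order               = bp_esc_sql_order( $args['sort_order'] );
 			$conditions['sort_order'] = "{$sort_order}";
 		}
 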
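diff --git a/src/bp-notifications/classes/class-bp-notifications-template.php b/src/bp-notifications/classes/class-bp-notifications-template.php
index 09dc3ffc7..ce8683e0d 100644
--- a/src/bp-notifications/classes/class-bp-notifications-template.php
+++ b/src/bp-notifications/classes/class-bp-notifications-template.php
@@ -175,22 +175,19 @@ class BP_Notifications_Template {
 		);
 
 		// Sort order direction.
-		$orders = array( 'ASC', 'DESC' );
-		if ( ! empty( $_GET['sort_order'] ) && in_array( $_GET['sort_order'], $orders, true ) ) {
+		if ( ! empty( $_GET['sort_order'] ) ) {
 			$r['sort_order'] = $_GET['sort_order'];
-		} else {
-			$r['sort_order'] = in_array( $r['sort_order'], $orders ) ? $r['sort_order'] : 'DESC';
 		}
 
 		// Setup variables.
 		$this->pag_arg      = sanitize_key( $r['page_arg'] );
 		$this->pag_page     = bp_sanitize_pagination_arg( $this->pag_arg, $r['page'] );
 		$this->pag_num      = bp_sanitize_pagination_arg( 'num', $r['per_page'] );
+		$this->sort_order   = bp_esc_sql_order( $r['sort_order'] );
 		$this->user_id      = $r['user_id'];
 		$this->is_new       = $r['is_new'];
 		$this->search_terms = $r['search_terms'];
 		$this->order_by     = $r['order_by'];
-		$this->sort_order   = $r['sort_order'];
 		$this->query_vars   = array(
 			'id'                => $r['id'],
 			'user_id'           => $this->user_id,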
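diff --git a/src/bp-xprofile/classes/class-bp-xprofile-field.php b/src/bp-xprofile/classes/class-bp-xprofile-field.php
index 9607a6ed9..20eb7224b 100644
--- a/src/bp-xprofile/classes/class-bp-xprofile-field.php
+++ b/src/bp-xprofile/classes/class-bp-xprofile-field.php
@@ -561,19 +561,21 @@ class BP_XProfile_Field {
 	 *
 	 * @since 1.2.0
 	 *
-	 * @global object $wpdb
+	 * @global BuddyPress $bp The one true BuddyPress instance.
+	 * @global wpdb $wpdb WordPress database object.
 	 *
-	 * @param bool $for_editing Whether or not the field is for editing.
+	 * @param bool $for_editing Whether or not the field is for editing. Default to false.
 	 * @return array
 	 */
 	public function get_children( $for_editing = false ) {
 		global $wpdb;
 
+		// Sanitize 'order_by'.
+		$order_by = bp_esc_sql_order( $this->order_by );
+
 		// This is done here so we don't have problems with sql injection.
-		if ( empty( $for_editing ) && ( 'asc' === $this->order_by ) ) {
-			$sort_sql = 'ORDER BY name ASC';
-		} elseif ( empty( $for_editing ) && ( 'desc' === $this->order_by ) ) {
-			$sort_sql = 'ORDER BY name DESC';
+		if ( empty( $for_editing ) ) {
+			$sort_sql = "ORDER BY name {$order_by}";
 		} else {
 			$sort_sql = 'ORDER BY option_order ASC';
 		}
@@ -586,9 +588,8 @@ class BP_XProfile_Field {
 			$parent_id = $this->id;
 		}
 
-		$bp  = buddypress();
-		$sql = $wpdb->prepare( "SELECT * FROM {$bp->profile->table_name_fields} WHERE parent_id = %d AND group_id = %d {$sort_sql}", $parent_id, $this->group_id );
-
+		$bp       = buddypress();
+		$sql      = $wpdb->prepare( "SELECT * FROM {$bp->profile->table_name_fields} WHERE parent_id = %d AND group_id = %d {$sort_sql}", $parent_id, $this->group_id );
 		$children = $wpdb->get_results( $sql );
 
 		/**
@@ -597,7 +598,7 @@ class BP_XProfile_Field {
 		 * @since 1.2.5
 		 * @since 3.0.0 Added the `$this` parameter.
 		 *
-		 * @param object            $children    Found children for a field.
+		 * @param array             $children    Found children for a field.
 		 * @param bool              $for_editing Whether or not the field is for editing.
 		 * @param BP_XProfile_Field $this        Field object
 		 */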
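Review bot: The rewritten branch at new lines 577–578 changes which non-editing calls get `ORDER BY option_order ASC`: the old chain fell through to it whenever `$this->order_by` was anything other than 'asc' or 'desc', while the new code sends every non-editing call through `ORDER BY name` with whatever `bp_esc_sql_order()` returns as its fallback, so a field whose `order_by` holds a third value would silently change its option ordering. If such a value is still valid for `order_by` (this diff does not show the property's allowed values), keep the membership test, `if ( empty( $for_editing ) && in_array( strtolower( trim( (string) $this->order_by ) ), array( 'asc', 'desc' ), true ) ) {`, and interpolate `$order_by` only inside it. The comment kept at new line 576 (`This is done here so we don't have problems with sql injection`) now rests on `bp_esc_sql_order()` returning only the two literal keywords, which should be stated there, e.g. `// bp_esc_sql_order() yields only 'ASC' or 'DESC', so interpolating $order_by is safe.`. The method continues outside the first hunk.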
  • tests/phpunit/testcases/messages/class.bp-messages-thread.php

    diff --git tests/phpunit/testcases/messages/class.bp-messages-thread.php tests/phpunit/testcases/messages/class.bp-messages-thread.php
    index 946a87edb..f98ba4cec 100644
    class BP_Tests_BP_Messages_Thread extends BP_UnitTestCase { 
    140140                        wp_list_pluck( $thread->messages, 'id' )
    141141                );
    142142
     143                // Testing sort with lowercase and space.
     144                $thread = new BP_Messages_Thread( $message_1->thread_id, '    desc' );
     145                $this->assertEquals(
     146                        array( $message_2->id, $message_1->id ),
     147                        wp_list_pluck( $thread->messages, 'id' )
     148                );
     149
    143150                // Now sorting via the helper method.
    144151                $messages = BP_Messages_Thread::get_messages( $message_1->thread_id, array( 'order' => 'desc' ) );
    145152                $this->assertEquals(