Timestamp:
10/12/2015 05:50:45 PM (5 years ago)
Author:
boonebgorges
Message:

Enable richtext editing for xProfile textarea fields.

Profile fields of the 'textarea' type are now edited using wp_editor().
Output escaping has been modified to whitelist all tags permitted by the
"teeny" version of the wp_editor() interface.

Richtext is enabled for all and only 'textarea' fields:

  • To enable richtext editing for a custom field type, set the supports_richtext property of your BP_XProfile_Field_Type class to true. In these cases, you'll need to provide your own editing markup as well; see the edit_field_html() and admin_field_html() methods of BP_XProfile_Field_Type_Textarea for inspiration.
  • To disable richtext editing for specific 'textarea' fields, filter bp_xprofile_is_richtext_enabled_for_field.

Props needle, boonebgorges.
Fixes #5625.

File:
1 edited

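--- a/trunk/src/bp-xprofile/bp-xprofile-filters.php
+++ b/trunk/src/bp-xprofile/bp-xprofile-filters.php
@@ -24,5 +24,5 @@
 add_filter( 'bp_get_the_profile_field_value',           'force_balance_tags' );
 add_filter( 'bp_get_the_profile_field_value',           'make_clickable'     );
-add_filter( 'bp_get_the_profile_field_value',           'esc_html',        8 );
+add_filter( 'bp_get_the_profile_field_value',           'bp_xprofile_escape_field_data', 8, 3 );
 add_filter( 'bp_get_the_profile_field_value',           'convert_smilies', 9 );
 add_filter( 'bp_get_the_profile_field_value',           'xprofile_filter_format_field_value',         1, 2 );
@@ -31,5 +31,5 @@
 
 add_filter( 'bp_get_the_profile_field_edit_value',      'force_balance_tags' );
-add_filter( 'bp_get_the_profile_field_edit_value',      'esc_html'          );
+add_filter( 'bp_get_the_profile_field_edit_value',      'bp_xprofile_escape_field_data', 10, 3 );
 
 add_filter( 'bp_get_the_profile_group_name',            'stripslashes' );
@@ -40,5 +40,5 @@
 add_filter( 'bp_get_the_profile_field_description',     'stripslashes' );
 
-add_filter( 'xprofile_get_field_data',                  'wp_filter_kses', 1 );
+add_filter( 'xprofile_get_field_data',                  'xprofile_filter_kses', 1 );
 add_filter( 'xprofile_field_name_before_save',          'wp_filter_kses', 1 );
 add_filter( 'xprofile_field_description_before_save',   'wp_filter_kses', 1 );
@@ -124,4 +124,18 @@
     $xprofile_allowedtags             = $allowedtags;
     $xprofile_allowedtags['a']['rel'] = array();
+
+    // If the field supports rich text, we must allow tags that appear in wp_editor().
+    if ( $data_obj instanceof BP_XProfile_ProfileData && bp_xprofile_is_richtext_enabled_for_field( $data_obj->field_id ) ) {
+        $richtext_tags = array(
+            'img'  => array( 'id' => 1, 'class' => 1, 'src' => 1, 'alt' => 1, 'width' => 1, 'height' => 1 ),
+            'ul'   => array( 'id' => 1, 'class' => 1 ),
+            'ol'   => array( 'id' => 1, 'class' => 1 ),
+            'li'   => array( 'id' => 1, 'class' => 1 ),
+            'span' => array( 'style' => 1 ),
+            'p'    => array( 'style' => 1 ),
+        );
+
+        $xprofile_allowedtags = array_merge( $allowedtags, $richtext_tags );
+    }
 
     /**
@@ -275,4 +289,33 @@
     if ( method_exists( $field_type_obj, 'pre_validate_filter' ) ) {
         $value = call_user_func( array( $field_type_obj, 'pre_validate_filter' ), $value );
+    }
+
+    return $value;
+}
+
+/**
+ * Escape field value for display.
+ *
+ * Most field values are simply run through esc_html(). Those that support rich text (by default, `textarea` only)
+ * are sanitized using kses, which allows a whitelist of HTML tags.
+ *
+ * @since 2.4.0
+ *
+ * @param string $value      Field value.
+ * @param string $field_type Field type.
+ * @param int    $field_id   Field ID.
+ * @return string
+ */
+function bp_xprofile_escape_field_data( $value, $field_type, $field_id ) {
+    if ( bp_xprofile_is_richtext_enabled_for_field( $field_id ) ) {
+        // xprofile_filter_kses() expects a BP_XProfile_ProfileData object.
+        $data_obj = null;
+        if ( bp_is_user() ) {
+            $data_obj = new BP_XProfile_ProfileData( $field_id, bp_displayed_user_id() );
+        }
+
+        $value = xprofile_filter_kses( $value, $data_obj );
+    } else {
+        $value = esc_html( $value );
     }
 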
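Review bot: In the hunk at new lines 126–139, `array_merge( $allowedtags, $richtext_tags )` rebuilds the list from the global `$allowedtags`, so the `$xprofile_allowedtags['a']['rel'] = array();` set on line 125 is discarded for rich-text fields; it should read `$xprofile_allowedtags = array_merge( $xprofile_allowedtags, $richtext_tags );`. The same list lets any member who can edit a textarea field emit `id`, `class` and `style` attributes and remote `img` sources on pages other users view, which is more than list and paragraph formatting needs and leaves room for markup that imitates site UI or pulls in third-party images; consider dropping `id`/`class` and restricting `style` to trusted roles, or add a comment above `$richtext_tags` stating why each attribute is required. In `bp_xprofile_escape_field_data()`, `$data_obj` stays `null` whenever `bp_is_user()` is false, so the `instanceof` check fails and the value is filtered with the base tag list; that fails closed, but rich-text markup is presumably stripped outside single-member pages and the inconsistency deserves a comment or a way to pass `$field_id` directly. The function holding the allowed-tags code (presumably `xprofile_filter_kses()`) starts and ends outside its hunk.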