Changeset 10254 for trunk/src/bp-xprofile/bp-xprofile-filters.php

Timestamp:

10/12/2015 05:50:45 PM (11 years ago)

Author:

boonebgorges

Message:

Enable richtext editing for xProfile textarea fields.

Profile fields of the 'textarea' type are now edited using wp_editor().
Output escaping has been modified to whitelist all tags permitted by the
"teeny" version of the wp_editor() interface.

Richtext is enabled for all and only 'textarea' fields:

• To enable richtext editing for a custom field type, set the supports_richtext property of your BP_XProfile_Field_Type class to true. In these cases, you'll need to provide your own editing markup as well; see the edit_field_html() and admin_field_html() methods of BP_XProfile_Field_Type_Textarea for inspiration.
• To disable richtext editing for specific 'textarea' fields, filter bp_xprofile_is_richtext_enabled_for_field.

Props needle, boonebgorges.
Fixes #5625.

File:

• trunk/src/bp-xprofile/bp-xprofile-filters.php (modified) (5 diffs)

trunk/src/bp-xprofile/bp-xprofile-filters.php

@@ -24 +24 @@
 add_filter( 'bp_get_the_profile_field_value',           'force_balance_tags' );
 add_filter( 'bp_get_the_profile_field_value',           'make_clickable'     );
-add_filter( 'bp_get_the_profile_field_value',           'esc_html',        8 );
+add_filter( 'bp_get_the_profile_field_value',           'bp_xprofile_escape_field_data', 8, 3 );
 add_filter( 'bp_get_the_profile_field_value',           'convert_smilies', 9 );
 add_filter( 'bp_get_the_profile_field_value',           'xprofile_filter_format_field_value',         1, 2 );
@@ -31 +31 @@
 
 add_filter( 'bp_get_the_profile_field_edit_value',      'force_balance_tags' );
-add_filter( 'bp_get_the_profile_field_edit_value',      'esc_html'           );
+add_filter( 'bp_get_the_profile_field_edit_value',      'bp_xprofile_escape_field_data', 10, 3 );
 
 add_filter( 'bp_get_the_profile_group_name',            'stripslashes' );
@@ -40 +40 @@
 add_filter( 'bp_get_the_profile_field_description',     'stripslashes' );
 
-add_filter( 'xprofile_get_field_data',                  'wp_filter_kses', 1 );
+add_filter( 'xprofile_get_field_data',                  'xprofile_filter_kses', 1 );
 add_filter( 'xprofile_field_name_before_save',          'wp_filter_kses', 1 );
 add_filter( 'xprofile_field_description_before_save',   'wp_filter_kses', 1 );
@@ -124 +124 @@
     $xprofile_allowedtags             = $allowedtags;
     $xprofile_allowedtags['a']['rel'] = array();
+
+    // If the field supports rich text, we must allow tags that appear in wp_editor().
+    if ( $data_obj instanceof BP_XProfile_ProfileData && bp_xprofile_is_richtext_enabled_for_field( $data_obj->field_id ) ) {
+        $richtext_tags = array(
+            'img'  => array( 'id' => 1, 'class' => 1, 'src' => 1, 'alt' => 1, 'width' => 1, 'height' => 1 ),
+            'ul'   => array( 'id' => 1, 'class' => 1 ),
+            'ol'   => array( 'id' => 1, 'class' => 1 ),
+            'li'   => array( 'id' => 1, 'class' => 1 ),
+            'span' => array( 'style' => 1 ),
+            'p'    => array( 'style' => 1 ),
+        );
+
+        $xprofile_allowedtags = array_merge( $allowedtags, $richtext_tags );
+    }
 
     /**
@@ -275 +289 @@
     if ( method_exists( $field_type_obj, 'pre_validate_filter' ) ) {
         $value = call_user_func( array( $field_type_obj, 'pre_validate_filter' ), $value );
+    }
+
+    return $value;
+}
+
+/**
+ * Escape field value for display.
+ *
+ * Most field values are simply run through esc_html(). Those that support rich text (by default, `textarea` only)
+ * are sanitized using kses, which allows a whitelist of HTML tags.
+ *
+ * @since 2.4.0
+ *
+ * @param string $value      Field value.
+ * @param string $field_type Field type.
+ * @param int    $field_id   Field ID.
+ * @return string
+ */
+function bp_xprofile_escape_field_data( $value, $field_type, $field_id ) {
+    if ( bp_xprofile_is_richtext_enabled_for_field( $field_id ) ) {
+        // xprofile_filter_kses() expects a BP_XProfile_ProfileData object.
+        $data_obj = null;
+        if ( bp_is_user() ) {
+            $data_obj = new BP_XProfile_ProfileData( $field_id, bp_displayed_user_id() );
+        }
+
+        $value = xprofile_filter_kses( $value, $data_obj );
+    } else {
+        $value = esc_html( $value );
     }