
Changeset 12361


Timestamp:
03/21/2019 03:06:44 PM (9 months ago)
Author:
boonebgorges
Message:

XProfile: When displaying field data, sanitize HTML properly for richtext.

Previously, kses display filters were not always provided with enough
information to determine whether the current field supports rich text,
and thus ought to be filtered against an extended HTML tag whitelist.

Fixes #8063.

File:
1 edited

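--- a/trunk/src/bp-xprofile/bp-xprofile-filters.php
+++ b/trunk/src/bp-xprofile/bp-xprofile-filters.php
@@ -13,10 +13,10 @@
 defined( 'ABSPATH' ) || exit;
 
-add_filter( 'bp_get_the_profile_group_name',            'wp_filter_kses',      1 );
-add_filter( 'bp_get_the_profile_group_description',     'wp_filter_kses',      1 );
-add_filter( 'bp_get_the_profile_field_value',           'xprofile_filter_kses', 1 );
-add_filter( 'bp_get_the_profile_field_name',            'wp_filter_kses',      1 );
-add_filter( 'bp_get_the_profile_field_edit_value',      'wp_filter_kses',      1 );
-add_filter( 'bp_get_the_profile_field_description',     'wp_filter_kses',       1 );
+add_filter( 'bp_get_the_profile_group_name',        'wp_filter_kses', 1 );
+add_filter( 'bp_get_the_profile_group_description', 'wp_filter_kses', 1 );
+add_filter( 'bp_get_the_profile_field_name',        'wp_filter_kses', 1 );
+add_filter( 'bp_get_the_profile_field_edit_value',  'wp_filter_kses', 1 );
+add_filter( 'bp_get_the_profile_field_description', 'wp_filter_kses', 1 );
+add_filter( 'bp_get_the_profile_field_value',       'xprofile_sanitize_data_value_before_display', 1, 3 );
 
 add_filter( 'bp_get_the_profile_field_value',           'wptexturize'        );
@@ -41,5 +41,5 @@
 add_filter( 'bp_get_the_profile_field_description',     'stripslashes' );
 
-add_filter( 'xprofile_get_field_data',                  'xprofile_filter_kses', 1 );
+add_filter( 'xprofile_get_field_data',                  'xprofile_sanitize_data_value_before_display_from_get_field_data', 1, 2 );
 add_filter( 'xprofile_field_name_before_save',          'wp_filter_kses', 1 );
 add_filter( 'xprofile_field_description_before_save',   'wp_filter_kses', 1 );
@@ -117,10 +117,13 @@
  *
  * @since 1.5.0
- *
- * @param string      $content  Content to filter.
- * @param object|null $data_obj The BP_XProfile_ProfileData object.
+ * @since 2.1.0 Added `$data_obj` parameter.
+ * @since 5.0.0 Added `$field_id` parameter.
+ *
+ * @param string                       $content  Content to filter.
+ * @param BP_XProfile_ProfileData|null $data_obj Optional. The BP_XProfile_ProfileData object.
+ * @param int|null                     $field_id Optional. The ID of the profile field.
  * @return string $content
  */
-function xprofile_filter_kses( $content, $data_obj = null ) {
+function xprofile_filter_kses( $content, $data_obj = null, $field_id = null ) {
     global $allowedtags;
 
@@ -128,11 +131,15 @@
     $xprofile_allowedtags['a']['rel'] = array();
 
+    if ( null === $field_id && $data_obj instanceof BP_XProfile_ProfileData ) {
+        $field_id = $data_obj->field_id;
+    }
+
     // If the field supports rich text, we must allow tags that appear in wp_editor().
-    if ( $data_obj instanceof BP_XProfile_ProfileData && bp_xprofile_is_richtext_enabled_for_field( $data_obj->field_id ) ) {
+    if ( $field_id && bp_xprofile_is_richtext_enabled_for_field( $field_id ) ) {
         $richtext_tags = array(
-            'img'  => array( 'id' => 1, 'class' => 1, 'src' => 1, 'alt' => 1, 'width' => 1, 'height' => 1 ),
-            'ul'   => array( 'id' => 1, 'class' => 1 ),
-            'ol'   => array( 'id' => 1, 'class' => 1 ),
-            'li'   => array( 'id' => 1, 'class' => 1 ),
+            'img'  => array( 'src' => 1, 'alt' => 1, 'width' => 1, 'height' => 1 ),
+            'ul'   => array(),
+            'ol'   => array(),
+            'li'   => array(),
             'span' => array( 'style' => 1 ),
             'p'    => array( 'style' => 1 ),
@@ -146,10 +153,38 @@
      *
      * @since 1.5.0
+     * @since 2.1.0 Added `$data_obj` parameter.
+     * @since 5.0.0 Added `$field_id` parameter.
      *
-     * @param array                   $xprofile_allowedtags Array of allowed tags for profile field values.
-     * @param BP_XProfile_ProfileData $data_obj             The BP_XProfile_ProfileData object.
+     * @param array                        $xprofile_allowedtags Array of allowed tags for profile field values.
+     * @param BP_XProfile_ProfileData|null $data_obj             The BP_XProfile_ProfileData object.
+     * @param int|null                     $field_id             The ID of the profile field.
      */
-    $xprofile_allowedtags = apply_filters( 'xprofile_allowed_tags', $xprofile_allowedtags, $data_obj );
+    $xprofile_allowedtags = apply_filters( 'xprofile_allowed_tags', $xprofile_allowedtags, $data_obj, $field_id );
     return wp_kses( $content, $xprofile_allowedtags );
+}
+
+/**
+ * Filters profile field values for whitelisted HTML.
+ *
+ * @since 5.0.0
+ *
+ * @param string $value    Field value.
+ * @param string $type     Field type.
+ * @param int    $field_id Field ID.
+ */
+function xprofile_sanitize_data_value_before_display( $value, $type, $field_id ) {
+    return xprofile_filter_kses( $value, null, $field_id );
+}
+
+/**
+ * Filters profile field values for whitelisted HTML, when coming from xprofile_get_field_data().
+ *
+ * @since 5.0.0
+ *
+ * @param string $value    Field value.
+ * @param int    $field_id Field ID.
+ */
+function xprofile_sanitize_data_value_before_display_from_get_field_data( $value, $field_id ) {
+    return xprofile_filter_kses( $value, $field_id );
 }
 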
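Review bot: `xprofile_sanitize_data_value_before_display_from_get_field_data()` passes `$field_id` as the second positional argument of `xprofile_filter_kses()`, which is `$data_obj`, so the new third parameter `$field_id` stays null, the integer does not satisfy the `instanceof BP_XProfile_ProfileData` fallback, and values read through the `xprofile_get_field_data` filter are still checked against the plain `$allowedtags` whitelist rather than the rich-text one this changeset introduces; it fails closed, but it leaves the case the commit message describes unfixed for that path, and the `xprofile_allowed_tags` filter receives an int where its docblock now promises an object or null. The call should read `return xprofile_filter_kses( $value, null, $field_id );`, matching the sibling wrapper `xprofile_sanitize_data_value_before_display()`. The two new wrapper docblocks also omit the `@return string` tag that `xprofile_filter_kses()` carries. Whether the `bp_get_the_profile_field_value` filter is actually applied with the field type and ID as its second and third arguments cannot be confirmed from this diff, since that call site is in another file.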