Changeset 12379

Timestamp:

04/25/2019 02:38:26 PM (7 years ago)

Author:

boonebgorges

Message:

Activity: Fine-tune HTML whitelist for user-provided content.

Merges [12377] to the 4.0 branch.

Location:

branches/4.0

Files:

• . (modified) (1 prop)
• src/bp-activity/bp-activity-filters.php (modified) (3 diffs)

branches/4.0/src/bp-activity/bp-activity-filters.php

@@ -16 +16 @@
 add_filter( 'bp_get_activity_action',                'bp_activity_filter_kses', 1 );
 add_filter( 'bp_get_activity_content_body',          'bp_activity_filter_kses', 1 );
-add_filter( 'bp_get_activity_content',               'bp_activity_filter_kses', 1 );
 add_filter( 'bp_get_activity_parent_content',        'bp_activity_filter_kses', 1 );
 add_filter( 'bp_get_activity_latest_update',         'bp_activity_filter_kses', 1 );
@@ -206 +205 @@
  */
 function bp_activity_filter_kses( $content ) {
+    $activity_allowedtags = bp_get_allowedtags();
+
+    // Don't allow 'class' or 'id'.
+    foreach ( $activity_allowedtags as $el => &$atts ) {
+        unset( $atts['class'] );
+        unset( $atts['id'] );
+    }
+
     /**
      * Filters the allowed HTML tags for BuddyPress Activity content.
@@ -213 +220 @@
      * @param array $value Array of allowed HTML tags and attributes.
      */
-    $activity_allowedtags = apply_filters( 'bp_activity_allowed_tags', bp_get_allowedtags() );
+    $activity_allowedtags = apply_filters( 'bp_activity_allowed_tags', $activity_allowedtags );
     return wp_kses( $content, $activity_allowedtags );
 }