Changeset 12635 for trunk/src/bp-members/classes/class-bp-signup.php
- Timestamp: 04/26/2020 03:58:20 AM
- File: 1 edited
trunk/src/bp-members/classes/class-bp-signup.php
r12503 r12635 122 122 * 123 123 * @since 2.0.0 124 * @since 6.0.0 Adds a whitelist of allowed orderby parameters. 124 125 * 125 126 * @param array $args { … … 128 129 * @type int $number How many to fetch. Default 1. 129 130 * @type bool|string $usersearch Whether or not to search for a username. Default false. 130 * @type string $orderby Order By parameter. Default 'signup_id'. 131 * @type string $orderby Order By parameter. Possible values are `signup_id`, `login`, `email`, 132 * `registered`, `activated`. Default `signup_id`. 131 133 * @type string $order Order direction. Default 'DESC'. 132 134 * @type bool $include Whether or not to include more specific query params. … … 159 161 ); 160 162 161 // @todo whitelist sanitization 162 if ( $r['orderby'] !== 'signup_id' ) { 163 // Whitelist sanitization. 164 if ( ! in_array( $r['orderby'], array( 'login', 'email', 'registered', 'activated' ), true ) ) { 165 $r['orderby'] = 'signup_id'; 166 } 167 168 if ( 'login' === $r['orderby'] || 'email' === $r['orderby'] ) { 163 169 $r['orderby'] = 'user_' . $r['orderby']; 164 170 }
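Review bot: In the `$orderby` docblock entry (new lines 131-132), the values are quoted with backticks (`signup_id`) while the neighbouring `$order` entry still uses single quotes (Default 'DESC'); use one quoting style within the block. The entry should also state that any value outside the listed five falls back to `signup_id`, since that is what the check added further down does.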
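Review bot: The allow-list check at new line 164 changes the result for 'registered' and 'activated' without the docblock or a comment saying so. Under the removed condition (`$r['orderby'] !== 'signup_id'`) every other value was prefixed with 'user_', so those two became 'user_registered' and 'user_activated'; they are now passed through unprefixed, and only 'login' and 'email' get the prefix at new line 168. If that is the intended correction, note it next to the `@since 6.0.0` line. A caller that passes the already-prefixed 'user_login' or 'user_email' is now silently reset to 'signup_id'; either accept those spellings in the array or document that only the short names are valid. Listing 'signup_id' in the array as well would make the check read as the complete set of allowed values rather than relying on the fallback being the same string.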