BuddyPress.org

Changeset 12807

Timestamp:
11/27/2020 04:03:45 PM (7 weeks ago)
Author:
johnjamesjacoby
Message:

XProfile: only allow "style" attributes in richtext fields for capable users

This commit prevents non-capable users from adding style attributes to "span" and "p" elements in their profile fields, which could be used in unintended ways relative to when it was introduced in #5625.

Note that this could be considered a backwards compatibility break. If you are a site owner or developer who relied on this functionality, you will want to use the xprofile_allowed_tags filter to re-enable these attributes.

In branches/6.0 for 6.4.0. Fixes #8404.

Props imath, zeldatea.

File:
1 edited

  • branches/6.0/src/bp-xprofile/bp-xprofile-filters.php

    r12529 r12807  
    142142            'ol'   => array(),
    143143            'li'   => array(),
    144             'span' => array( 'style' => 1 ),
    145             'p'    => array( 'style' => 1 ),
     144            'span' => array(),
     145            'p'    => array(),
    146146        );
     147
     148        // Allow style attributes on certain elements for capable users
     149        if ( bp_current_user_can( 'unfiltered_html' ) ) {
     150            $richtext_tags['span'] = array( 'style' => 1 );
     151            $richtext_tags['p']    = array( 'style' => 1 );
     152        }
    147153
    148154        $xprofile_allowedtags = array_merge( $allowedtags, $richtext_tags );
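Review bot: the gate added at line 149, `bp_current_user_can( 'unfiltered_html' )`, keys on whoever is the current user at the moment the allowed-tags list is built, not on the author of the stored field value, so the same markup can pass or be stripped depending on who triggers the filter (an administrator editing a member's profile versus the member themselves); a short comment stating the context in which this code path runs (save-time input filtering versus display-time) would make the intended behaviour explicit. Note also that on multisite WordPress grants `unfiltered_html` only to super admins by default, so per-site administrators will lose the `style` attribute on `span` and `p` as well; since `$xprofile_allowedtags` (line 154) is what the `xprofile_allowed_tags` filter named in the commit message exposes, the inline comment on line 148 could mention that filter as the supported way to re-add the attribute for other roles.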