BuddyPress.org
Timestamp:
11/13/2021 06:40:37 PM (3 years ago)
Author:
espellcaste
Message:

Sanitize all ORDER BY (ASC/DESC) values using the bp_esc_sql_order helper function where possible.

BuddyPress is not consistent on how it escapes ORDER BY (ASC/DESC) values provided by the developers/users. This commit improves that by using the bp_esc_sql_order helper function where possible.

Props imath

Fixes #8576

File:
1 edited

  • trunk/src/bp-friends/classes/class-bp-friends-friendship.php

    r13108 r13147  
    258258     *        @type int    $is_limited        Whether the friendship is limited.
    259259     *        @type string $order_by          Column name to order by.
    260      *        @type string $sort_order        ASC or DESC. Default DESC.
     260     *        @type string $sort_order        Optional. ASC or DESC. Default: 'DESC'.
    261261     * }
    262262     * @param string $operator Optional. Operator to use in `wp_list_filter()`.
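Review bot: The docblock now states `$sort_order` is Optional with Default: 'DESC', but this hunk only touches the comment; the defaults array where that fallback is actually applied is not in the diff, so confirm it really sets 'DESC' for a missing value, otherwise the documented default and the runtime default will disagree. It would also help callers to note here that the value is normalised through `bp_esc_sql_order()` rather than compared verbatim, since that changes what lowercase or stray input does.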
     
    370370
    371371        // Adjust the sort direction of the results.
    372         if ( 'ASC' === strtoupper( $r['sort_order'] ) ) {
     372        if ( 'ASC' === bp_esc_sql_order( $r['sort_order'] ) ) {
    373373            // `true` to preserve keys.
    374374            $friendships = array_reverse( $friendships, true );
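Review bot: The old check `'ASC' === strtoupper( $r['sort_order'] )` only reversed the array on an exact ASC and left any other value on the documented DESC path; the new `'ASC' === bp_esc_sql_order( $r['sort_order'] )` makes that behaviour depend on what the helper returns for input that is neither ASC nor DESC, which is not visible in this hunk. If the helper falls back to 'ASC' for unrecognised input, an invalid `sort_order` will now silently flip the ordering instead of keeping the DESC default, so either verify the fallback is 'DESC' or keep the comparison on the raw uppercased value here. Note also that this call site orders in PHP via `array_reverse()`, not in SQL, so the change is about consistent normalisation rather than closing an injection path; the commit message's framing should not suggest otherwise.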