


Timestamp:
11/13/2021 06:40:37 PM (3 years ago)
Author:
espellcaste
Message:

Sanitize all ORDER BY (ASC/DESC) values using the bp_esc_sql_order helper function where possible.

BuddyPress is not consistent in how it escapes ORDER BY (ASC/DESC) values provided by developers/users. This commit improves that by using the bp_esc_sql_order helper function where possible.

Props imath

Fixes #8576

File:
1 edited

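--- a/trunk/src/bp-members/classes/class-bp-members-invitations-template.php
+++ b/trunk/src/bp-members/classes/class-bp-members-invitations-template.php
@@ -185,9 +185,6 @@
 
         // Sort order direction.
-        $orders = array( 'ASC', 'DESC' );
-        if ( ! empty( $_GET['sort_order'] ) && in_array( $_GET['sort_order'], $orders ) ) {
+        if ( ! empty( $_GET['sort_order'] ) ) {
             $r['sort_order'] = $_GET['sort_order'];
-        } else {
-            $r['sort_order'] = in_array( $r['sort_order'], $orders ) ? $r['sort_order'] : 'DESC';
         }
 
@@ -196,8 +193,8 @@
         $this->pag_page     = bp_sanitize_pagination_arg( $this->pag_arg, $r['page'] );
         $this->pag_num      = bp_sanitize_pagination_arg( 'num', $r['per_page'] );
+        $this->sort_order   = bp_esc_sql_order( $r['sort_order'] );
         $this->user_id      = $r['user_id'];
         $this->search_terms = $r['search_terms'];
         $this->order_by     = $r['order_by'];
-        $this->sort_order   = $r['sort_order'];
         $this->query_vars   = array(
             'id'            => $r['id'],
@@ -253,9 +250,5 @@
      */
     public function has_invitations() {
-        if ( $this->current_invitation_count ) {
-            return true;
-        }
-
-        return false;
+        return ! empty( $this->current_invitation_count );
     }
 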
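Review bot: After this change `$r['sort_order']` keeps the raw `$_GET['sort_order']` value; only the copy made into `$this->sort_order` on new line 195 goes through `bp_esc_sql_order()`, whereas the removed code normalised `$r['sort_order']` itself. The `$this->query_vars` array that starts at the end of the second hunk runs past the hunk, so I cannot see whether it (or anything else in the constructor) also reads `$r['sort_order']`; if it does, the unescaped request value reaches the query through that path. The removed `in_array()` whitelist also rejected non-string input such as `?sort_order[]=x`, which `! empty()` alone still accepts and then passes to the helper. Suggest guarding the input and normalising in `$r` so both consumers see the whitelisted value: `if ( ! empty( $_GET['sort_order'] ) && is_string( $_GET['sort_order'] ) ) {` followed after the block by `$r['sort_order'] = bp_esc_sql_order( $r['sort_order'] );`. Note the old code fell back to `'DESC'` for invalid values; the fallback is now whatever `bp_esc_sql_order()` returns, which is worth confirming against callers that relied on DESC.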