BuddyPress.org
Timestamp:
11/13/2021 06:40:37 PM (3 years ago)
Author:
espellcaste
Message:

Sanitize all ORDER BY (ASC/DESC) values using the bp_esc_sql_order helper function where possible.

BuddyPress is not consistent on how it escapes ORDER BY (ASC/DESC) values provided by the developers/users. This commit improves that by using the bp_esc_sql_order helper function where possible.

Props imath

Fixes #8576

  • trunk/src/bp-notifications/classes/class-bp-notifications-notification.php

    r13112 r13147  
    447447
    448448        // Sort order direction.
    449         if ( ! empty( $args['sort_order'] ) && in_array( $args['sort_order'], array( 'ASC', 'DESC' ), true ) ) {
    450             $sort_order               = $args['sort_order'];
     449        if ( ! empty( $args['sort_order'] ) ) {
     450            $sort_order               = bp_esc_sql_order( $args['sort_order'] );
    451451            $conditions['sort_order'] = "{$sort_order}";
    452452        }
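Review bot: dropping the `in_array( $args['sort_order'], array( 'ASC', 'DESC' ), true )` check in this hunk changes behaviour, not just the escaping: before, any value other than exactly `ASC` or `DESC` left `$conditions['sort_order']` unset, whereas now every non-empty value reaches `bp_esc_sql_order()` and whatever it returns is used. Please confirm the helper can only ever return `ASC` or `DESC` (so a lowercase or whitespace-padded value is normalised rather than interpolated into the query) and that no caller relied on an invalid value being silently dropped; a one-line comment above the `if` noting that the helper owns the whitelist would make that intent clear. Minor: with the helper returning a plain string, `"{$sort_order}"` can simply be `$sort_order`.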