BuddyPress.org

Changeset 14103


Timestamp:
03/20/2025 06:37:04 PM (3 months ago)
Author:
dcavins
Message:

Improve security of status update messages (14.0 branch).

  • Only allow logged-in users to see status messages. (These messages are like "Group successfully created," so only apply to logged-in users.)
  • When re-loading message content from the user's cookies, don't allow shortcodes to be included.

Many thanks to mikemyers for responsibly reporting the issue.

Props emaralive.

File:
1 edited

  • branches/14.0/src/bp-core/bp-core-functions.php

    r13999 r14103  
    16431643 */
    16441644function bp_core_setup_message() {
     1645    if ( ! is_user_logged_in() ) {
     1646        return;
     1647    }
    16451648
    16461649    // Get BuddyPress.
     
    16481651
    16491652    if ( empty( $bp->template_message ) && isset( $_COOKIE['bp-message'] ) ) {
    1650         $bp->template_message = stripslashes( $_COOKIE['bp-message'] );
     1653        $bp->template_message = strip_shortcodes( stripslashes( $_COOKIE['bp-message'] ) );
    16511654    }
    16521655
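Review bot: the new line 1653 reduces exposure but does not make `$bp->template_message` trusted: `strip_shortcodes()` only removes shortcodes that are registered at the time it runs, and the value still comes straight from the `bp-message` cookie, which any client can set. Whatever renders `$bp->template_message` must still escape it for its output context, so this hunk should not be read as a substitute for output escaping. Separately, the early `return` added at 1645-1647 means a logged-out request never reads the cookie; if the function normally clears `bp-message` further down (not visible in this hunk), that cleanup is now skipped for logged-out visitors and the stale cookie will be re-read on their next logged-in request, so consider whether the cookie should be cleared before returning.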