BuddyPress.org

Changeset 14108


Timestamp:
03/20/2025 07:10:31 PM (3 months ago)
Author:
dcavins
Message:

Improve security of status update messages (14.0 branch).

  • Only allow logged-in users to see status messages. (These messages are like "Group successfully created," so only apply to logged-in users.)
  • When re-loading message content from the user's cookies, don't allow shortcodes to be included.

Many thanks to mikemyers for responsibly reporting the issue.

Props emaralive.

File:
1 edited

  • branches/12.0/src/bp-core/bp-core-functions.php

    r13819 r14108  
    16731673 */
    16741674function bp_core_setup_message() {
     1675    if ( ! is_user_logged_in() ) {
     1676        return;
     1677    }
    16751678
    16761679    // Get BuddyPress.
     
    16781681
    16791682    if ( empty( $bp->template_message ) && isset( $_COOKIE['bp-message'] ) ) {
    1680         $bp->template_message = stripslashes( $_COOKIE['bp-message'] );
     1683        $bp->template_message = strip_shortcodes( stripslashes( $_COOKIE['bp-message'] ) );
    16811684    }
    16821685
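Review bot: strip_shortcodes() on line 1683 only removes shortcodes that are registered at the moment bp_core_setup_message() runs, so a shortcode registered by a plugin later in the request would survive the filter, and the value assigned to $bp->template_message is still raw cookie data with no escaping applied in this hunk; it would be worth confirming that the template code which outputs template_message escapes it, and adding a short comment above the new is_user_logged_in() check (lines 1675-1677) stating why the early return is there, since that reasoning currently lives only in the commit message.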