BuddyPress.org

Changeset 14117


Timestamp:
03/20/2025 08:24:41 PM (3 months ago)
Author:
dcavins
Message:

Improve security of status update messages (11.0 branch).

  • Only allow logged-in users to see status messages. (These messages are like "Group successfully created," so only apply to logged-in users.)
  • When re-loading message content from the user's cookies, don't allow shortcodes to be included.

Many thanks to mikemyers for responsibly reporting the issue.

Props emaralive.

File:
1 edited

  • branches/11.0/src/bp-core/bp-core-functions.php

    r13615 r14117  
    16701670 */
    16711671function bp_core_setup_message() {
     1672    if ( ! is_user_logged_in() ) {
     1673        return;
     1674    }
    16721675
    16731676    // Get BuddyPress.
     
    16751678
    16761679    if ( empty( $bp->template_message ) && isset( $_COOKIE['bp-message'] ) ) {
    1677         $bp->template_message = stripslashes( $_COOKIE['bp-message'] );
     1680        $bp->template_message = strip_shortcodes( stripslashes( $_COOKIE['bp-message'] ) );
    16781681    }
    16791682
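Review bot: `strip_shortcodes()` on line 1680 only removes shortcodes that are registered at the time the function runs; it leaves any other markup in the `bp-message` cookie untouched, and the cookie is client-controlled. If `$bp->template_message` is later output without escaping, consider wrapping the value in `wp_kses_post()` (or the escaping the template already applies) rather than relying on shortcode stripping alone, and note in the docblock why the cookie value is treated as untrusted. Separately, the early `return` on lines 1672-1674 now skips the rest of `bp_core_setup_message()` for logged-out visitors, so if that function also clears the `bp-message` cookie, a stale cookie set before logout will persist until the user logs in again; worth confirming that is the intended behaviour.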