

Changeset 3643


Timestamp:
01/01/2011 09:36:22 PM (9 years ago)
Author:
djpaul
Message:

Escape xprofile base group name and fullname field name options on the settings screen. Fixes #2986

Location:
trunk
Files:
5 edited

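--- a/trunk/bp-core.php
+++ b/trunk/bp-core.php
@@ -1174,5 +1174,5 @@
     if ( !$fullname = wp_cache_get( 'bp_user_fullname_' . $user_id, 'bp' ) ) {
         if ( bp_is_active( 'xprofile' ) ) {
-            $fullname = xprofile_get_field_data( $bp->site_options['bp-xprofile-fullname-field-name'], $user_id );
+            $fullname = xprofile_get_field_data( stripslashes( $bp->site_options['bp-xprofile-fullname-field-name'] ), $user_id );
 
             if ( empty($fullname) ) {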
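Review bot: The `stripslashes()` added on new line 1176 unslashes at read time, which means the option is being kept in the database in its slashed form and every consumer has to remember to strip it; a field name that legitimately contains a backslash would also be silently altered here. It would be more robust to normalise once when the option is saved (unslash the POSTed value before it is stored) and then read `$bp->site_options['bp-xprofile-fullname-field-name']` verbatim, so a reader that forgets `stripslashes()` cannot look up the wrong field. The enclosing function starts and ends outside this hunk.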
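--- a/trunk/bp-core/admin/bp-core-admin.php
+++ b/trunk/bp-core/admin/bp-core-admin.php
@@ -36,11 +36,8 @@
 
             if ( bp_is_active( 'xprofile' ) ) {
-                if ( 'bp-xprofile-base-group-name' == $key ) {
-                    $wpdb->query( $wpdb->prepare( "UPDATE {$bp->profile->table_name_groups} SET name = %s WHERE id = 1", $value ) );
-                }
-
-                if ( 'bp-xprofile-fullname-field-name' == $key ) {
-                    $wpdb->query( $wpdb->prepare( "UPDATE {$bp->profile->table_name_fields} SET name = %s WHERE group_id = 1 AND id = 1", $value ) );
-                }
+                if ( 'bp-xprofile-base-group-name' == $key )
+                    $wpdb->query( $wpdb->prepare( "UPDATE {$bp->profile->table_name_groups} SET name = %s WHERE id = 1", stripslashes( $value ) ) );
+                elseif ( 'bp-xprofile-fullname-field-name' == $key )
+                    $wpdb->query( $wpdb->prepare( "UPDATE {$bp->profile->table_name_fields} SET name = %s WHERE group_id = 1 AND id = 1", stripslashes( $value ) ) );
             }
 
@@ -68,5 +65,5 @@
                     <th scope="row"><?php _e( 'Base profile group name', 'buddypress' ) ?>:</th>
                     <td>
-                        <input name="bp-admin[bp-xprofile-base-group-name]" id="bp-xprofile-base-group-name" value="<?php echo get_site_option('bp-xprofile-base-group-name') ?>" />
+                        <input name="bp-admin[bp-xprofile-base-group-name]" id="bp-xprofile-base-group-name" value="<?php echo esc_attr( stripslashes( get_site_option( 'bp-xprofile-base-group-name' ) ) ) ?>" />
                     </td>
                 </tr>
@@ -74,5 +71,5 @@
                     <th scope="row"><?php _e( 'Full Name field name', 'buddypress' ) ?>:</th>
                     <td>
-                        <input name="bp-admin[bp-xprofile-fullname-field-name]" id="bp-xprofile-fullname-field-name" value="<?php echo get_site_option('bp-xprofile-fullname-field-name') ?>" />
+                        <input name="bp-admin[bp-xprofile-fullname-field-name]" id="bp-xprofile-fullname-field-name" value="<?php echo esc_attr( stripslashes( get_site_option( 'bp-xprofile-fullname-field-name' ) ) ) ?>" />
                     </td>
                 </tr>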
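Review bot: The first hunk unslashes `$value` only for the two `UPDATE` statements, while the same `$value` presumably also reaches `update_site_option()` elsewhere in this save loop (not visible here) still slashed, which is exactly why the settings screen and every other reader now need `stripslashes()`; stripping once at the top of the loop, `$value = stripslashes( $value );`, and storing the clean value would remove that class of mistake. These writes go straight from the POSTed `bp-admin[...]` fields into the profile tables, and the nonce/capability check that must guard them is outside the hunk, so please confirm it is there. `esc_attr()` on the `value=""` attributes is the correct escape for that context and should be kept even once the stored value is clean. The enclosing function starts outside this hunk.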
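--- a/trunk/bp-core/admin/bp-core-schema.php
+++ b/trunk/bp-core/admin/bp-core-schema.php
@@ -197,6 +197,6 @@
     $charset_collate = bp_core_set_charset();
 
-    update_site_option( 'bp-xprofile-base-group-name', 'Base' );
-    update_site_option( 'bp-xprofile-fullname-field-name', 'Name' );
+    update_site_option( 'bp-xprofile-base-group-name', _x( 'Base', 'First XProfile group name', 'buddypress' ) );
+    update_site_option( 'bp-xprofile-fullname-field-name', _x( 'Name', 'XProfile fullname field name', 'buddypress' ) );
 
     $sql[] = "CREATE TABLE {$wpdb->base_prefix}bp_xprofile_groups (
@@ -251,12 +251,12 @@
     dbDelta( $sql );
 
-    /* Insert the default group and fields */
-    $insert_sql = false;
+    // Insert the default group and fields
+    $insert_sql = array();
 
     if ( !$wpdb->get_var( "SELECT id FROM {$wpdb->base_prefix}bp_xprofile_groups WHERE id = 1" ) )
-        $insert_sql[] = "INSERT INTO {$wpdb->base_prefix}bp_xprofile_groups ( name, description, can_delete ) VALUES ( '" . get_site_option( 'bp-xprofile-base-group-name' ) . "', '', 0 );";
+        $insert_sql[] = "INSERT INTO {$wpdb->base_prefix}bp_xprofile_groups ( name, description, can_delete ) VALUES ( " . $wpdb->prepare( '%s', stripslashes( get_site_option( 'bp-xprofile-base-group-name' ) ) ) . ", '', 0 );";
 
     if ( !$wpdb->get_var( "SELECT id FROM {$wpdb->base_prefix}bp_xprofile_fields WHERE id = 1" ) )
-        $insert_sql[] = "INSERT INTO {$wpdb->base_prefix}bp_xprofile_fields ( group_id, parent_id, type, name, description, is_required, can_delete ) VALUES ( 1, 0, 'textbox', '" . get_site_option( 'bp-xprofile-fullname-field-name' ) . "', '', 1, 0 );";
+        $insert_sql[] = "INSERT INTO {$wpdb->base_prefix}bp_xprofile_fields ( group_id, parent_id, type, name, description, is_required, can_delete ) VALUES ( 1, 0, 'textbox', " . $wpdb->prepare( '%s', stripslashes( get_site_option( 'bp-xprofile-fullname-field-name' ) ) ) . ", '', 1, 0 );";
 
     dbDelta( $insert_sql );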
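Review bot: On new lines 257 and 260 the option value is now quoted through `$wpdb->prepare( '%s', ... )`, which closes the string-concatenated SQL the old lines had, but only that one fragment is prepared and the rest of the statement is still hand-built and then pushed through `dbDelta()`; it would be simpler and harder to regress to run each statement whole, e.g. `$wpdb->query( $wpdb->prepare( "INSERT INTO {$wpdb->base_prefix}bp_xprofile_groups ( name, description, can_delete ) VALUES ( %s, '', 0 )", stripslashes( get_site_option( 'bp-xprofile-base-group-name' ) ) ) );`, rather than splicing a prepared literal into text that dbDelta then re-parses. Separately, the guards on lines 256 and 259 test for `id = 1` but the inserts do not pin `id`, so on a table whose auto-increment has already moved past 1 the row would presumably be created with another id and inserted again on every run; worth confirming this cannot happen on an upgrade. The enclosing installer function starts outside this hunk.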
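--- a/trunk/bp-xprofile.php
+++ b/trunk/bp-xprofile.php
@@ -26,6 +26,6 @@
 
     /* Assign the base group and fullname field names to constants to use in SQL statements */
-    define ( 'BP_XPROFILE_BASE_GROUP_NAME', $bp->site_options['bp-xprofile-base-group-name'] );
-    define ( 'BP_XPROFILE_FULLNAME_FIELD_NAME', $bp->site_options['bp-xprofile-fullname-field-name'] );
+    define ( 'BP_XPROFILE_BASE_GROUP_NAME', stripslashes( $bp->site_options['bp-xprofile-base-group-name'] ) );
+    define ( 'BP_XPROFILE_FULLNAME_FIELD_NAME', stripslashes( $bp->site_options['bp-xprofile-fullname-field-name'] ) );
 
     /* For internal identification */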
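Review bot: New lines 28–29 now put the raw, unescaped admin-supplied option text into `BP_XPROFILE_BASE_GROUP_NAME` and `BP_XPROFILE_FULLNAME_FIELD_NAME`, and the comment on line 27 says these constants are used in SQL statements; any query that interpolates them directly was previously (accidentally) shielded by the stored slashes and is now injectable by anyone who can edit the settings screen. I cannot see those queries from this hunk, so this needs confirming: every use should pass the constant as a `%s` argument to `$wpdb->prepare()`, or better, look the rows up by the fixed ids (`id = 1`) that the admin save path already relies on instead of by a mutable name. A comment on line 27 such as `// Raw user-supplied text: never interpolate into SQL, always bind via $wpdb->prepare( '%s' )` would make the constraint visible to the next maintainer. The enclosing function starts and ends outside this hunk.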
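--- a/trunk/bp-xprofile/bp-xprofile-admin.php
+++ b/trunk/bp-xprofile/bp-xprofile-admin.php
@@ -48,5 +48,5 @@
         </h2>
         <p><?php _e( 'Your users will distinguish themselves through their profile page. You must give them profile fields that allow them to describe themselves in a way that is relevant to the theme of your social network.', 'buddypress'); ?></p>
-        <p><?php echo sprintf( __( 'NOTE: Any fields in the "%s" group will appear on the signup page.', 'buddypress' ), get_site_option( 'bp-xprofile-base-group-name' ) ); ?></p>
+        <p><?php echo sprintf( __( 'NOTE: Any fields in the "%s" group will appear on the signup page.', 'buddypress' ), esc_html( stripslashes( get_site_option( 'bp-xprofile-base-group-name' ) ) ) ) ?></p>
 
         <form action="" id="profile-field-form" method="post">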
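Review bot: `esc_html()` on new line 50 is the right escape for this text-node context, but this is the fifth site in the changeset that re-implements "read the option, then `stripslashes()`" by hand, so the next reader of `bp-xprofile-base-group-name` is likely to miss one of the two steps. A small accessor, e.g. `function bp_get_xprofile_base_group_name() { return stripslashes( get_site_option( 'bp-xprofile-base-group-name' ) ); }`, would centralise the unslashing while leaving escaping at each output site, where it belongs because the context (attribute vs. text) differs. The enclosing function starts and ends outside this hunk.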