Changeset 6224


Timestamp:
08/05/2012 09:21:03 PM (12 years ago)
Author:
boonebgorges
Message:

Cleanup of sanitization and formatting of xprofile output

In r6202 and r6204, sanitization was introduced into the xprofile output
functions, to protect against CSRF-style vulnerabilities. However, the
sanitization (esc_html()) was run in such a way that some clickable items,
such as email addresses, were double escaped, resulting in HTML tags being
printed to the screen rather than parsed by the browser.

This changeset reconfigures the sanitization procedure, so that output is
sanitized by esc_html() before being run through the formatting filters such
as make_clickable() and xprofile_filter_link_profile_data().

Fixes #4392

Props rachelbaker, DJPaul

File:
1 edited

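--- a/trunk/bp-xprofile/bp-xprofile-filters.php
+++ b/trunk/bp-xprofile/bp-xprofile-filters.php
@@ -24,6 +24,7 @@
 add_filter( 'bp_get_the_profile_field_value',           'convert_chars'      );
 add_filter( 'bp_get_the_profile_field_value',           'wpautop'            );
-add_filter( 'bp_get_the_profile_field_value',           'make_clickable', 8  );
 add_filter( 'bp_get_the_profile_field_value',           'force_balance_tags' );
+add_filter( 'bp_get_the_profile_field_value',           'make_clickable'     );
+add_filter( 'bp_get_the_profile_field_value',           'esc_html',        8 );
 
 add_filter( 'bp_get_the_profile_field_edit_value',      'force_balance_tags' );
@@ -175,10 +176,10 @@
                 // More than 5 spaces
                 if ( count( explode( ' ', $value ) ) > 5 ) {
-                    $new_values[] = esc_html( $value );
+                    $new_values[] = $value;
 
                 // Less than 5 spaces
                 } else {
                     $search_url   = add_query_arg( array( 's' => urlencode( $value ) ), bp_get_members_directory_permalink() );
-                    $new_values[] = '<a href="' . $search_url . '" rel="nofollow">' . esc_html( $value ) . '</a>';
+                    $new_values[] = '<a href="' . $search_url . '" rel="nofollow">' . $value . '</a>';
                 }
             }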
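Review bot: With esc_html() dropped from the two `$new_values[]` lines, the safety of this helper now depends entirely on the `esc_html` filter registered at priority 8 on `bp_get_the_profile_field_value` having already run; if the function is ever attached to another hook or called directly, `$value` reaches the anchor text and the search query unescaped. That precondition should be stated above the loop, e.g. `// $value is expected to be HTML-escaped already: esc_html runs at priority 8 on this hook before this filter.` The href is also built from `$search_url` with no attribute-context escaping; `$new_values[] = '<a href="' . esc_url( $search_url ) . '" rel="nofollow">' . $value . '</a>';` makes that explicit instead of relying on urlencode() of an already-escaped value. Note too that urlencode() now encodes the entities esc_html inserted, so a value containing `&`, quotes or `<` will produce a members search for the entity text rather than the literal characters — hedged, since only part of the filter registration is visible here. The enclosing function begins and ends outside this hunk.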