BuddyPress.org

Changeset 7258


Timestamp:
07/09/2013 08:56:08 PM (11 years ago)
Author:
boonebgorges
Message:

Improved sanitization when outputting template_notice messages

  • Strip slashes from cookie contents before attempting to display
  • Use kses for sanitization of message content

Props nacin

Location:
branches/1.7/bp-core
Files:
2 edited

  • branches/1.7/bp-core/bp-core-filters.php

    r7025 r7258  
    5252add_filter( 'bp_core_render_message_content', 'wpautop'           );
    5353add_filter( 'bp_core_render_message_content', 'shortcode_unautop' );
     54add_filter( 'bp_core_render_message_content', 'wp_kses_data', 5   );
    5455
    5556/**
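Review bot: The priority argument 5 on the new wp_kses_data filter (new line 54) is load-bearing but undocumented. wpautop and shortcode_unautop are registered just above it with no priority argument, so they run at the default of 10, after kses. That ordering is what lets the markup added by wpautop survive sanitization, and it also means any callback hooked to bp_core_render_message_content at a priority above 5 produces output that is no longer passed through kses. Suggest a one-line comment stating that kses must run before the formatting filters, and moving the line above the wpautop registration so the file order matches the execution order.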
  • branches/1.7/bp-core/bp-core-functions.php

    r7254 r7258  
    360360
    361361    if ( empty( $bp->template_message ) && isset( $_COOKIE['bp-message'] ) )
    362         $bp->template_message = $_COOKIE['bp-message'];
     362        $bp->template_message = stripslashes( $_COOKIE['bp-message'] );
    363363
    364364    if ( empty( $bp->template_message_type ) && isset( $_COOKIE['bp-message-type'] ) )
    365         $bp->template_message_type = $_COOKIE['bp-message-type'];
     365        $bp->template_message_type = stripslashes( $_COOKIE['bp-message-type'] );
    366366
    367367    add_action( 'template_notices', 'bp_core_render_message' );
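Review bot: The second assignment (new line 365) still takes bp-message-type from the cookie with only stripslashes() applied, and the wp_kses_data filter added in bp-core-filters.php is attached to bp_core_render_message_content only, so the type value is not covered by it. The cookie is client-controlled, so the type should be constrained before bp_core_render_message uses it, for example by checking it against the set of types the plugin itself sets, or by escaping it with esc_attr() wherever it is printed. Both stripslashes() calls also assume the cookie value is a string; adding an is_string() check to the two isset() conditions would keep an array-valued cookie from reaching stripslashes().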