

Changeset 7349


Timestamp:
08/12/2013 10:53:30 PM (11 years ago)
Author:
johnjamesjacoby
Message:

Use esc_url() where esc_attr() was incorrectly used in activity/blogs/groups components. Also escape $link when it's fed into bp_activity_thumbnail_content_images() directly.

Location:
trunk
Files:
3 edited

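--- a/trunk/bp-activity/bp-activity-functions.php
+++ b/trunk/bp-activity/bp-activity-functions.php
@@ -1525,5 +1525,5 @@
  *
  * @param string $content The content to work with
- * @param string $link Optional. The URL that the image should link to
+ * @param string $link Optional. The unescaped URL that the image should link to
  * @param array $activity_args Optional. The args passed to the activity
  *   creation function (eg bp_blogs_record_activity())
@@ -1562,9 +1562,8 @@
             $new_height = (int) $height >= 100 ? 100 : $height;
             $new_width  = $new_height * $ratio;
-
-            $image = '<img src="' . esc_attr( $src ) . '" width="' . $new_width . '" height="' . $new_height . '" alt="' . __( 'Thumbnail', 'buddypress' ) . '" class="align-left thumbnail" />';
+            $image      = '<img src="' . esc_url( $src ) . '" width="' . absint( $new_width ) . '" height="' . absint( $new_height ) . '" alt="' . __( 'Thumbnail', 'buddypress' ) . '" class="align-left thumbnail" />';
 
             if ( !empty( $link ) ) {
-                $image = '<a href="' . $link . '">' . $image . '</a>';
+                $image = '<a href="' . esc_url( $link ) . '">' . $image . '</a>';
             }
 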
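Review bot: esc_url() returns an empty string when the URL's scheme is not in the allowed-protocol list, so the new `'<a href="' . esc_url( $link ) . '">'` at line 1567 can still wrap the thumbnail in an anchor with an empty href when `$link` is non-empty but rejected. Escaping once before the emptiness check closes that gap: `$link = esc_url( $link );` followed by `if ( ! empty( $link ) ) {`. The new `absint()` calls also truncate the float `$new_width` toward zero, which is a small behaviour change from the previous raw concatenation and is worth a word in the docblock. The enclosing function starts before the first hunk and continues after the second.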
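--- a/trunk/bp-blogs/bp-blogs-functions.php
+++ b/trunk/bp-blogs/bp-blogs-functions.php
@@ -361,5 +361,5 @@
         // Get activity related links
         $post_permalink = get_permalink( $recorded_comment->comment_post_ID );
-        $comment_link   = htmlspecialchars( get_comment_link( $recorded_comment->comment_ID ) );
+        $comment_link   = get_comment_link( $recorded_comment->comment_ID );
 
         // Prepare to record in activity streams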
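Review bot: Dropping `htmlspecialchars()` at line 363 makes `$comment_link` a raw URL from this point on, and while the commit message says bp_activity_thumbnail_content_images() now escapes it, any other markup in this function built from `$comment_link` (not visible in the hunk) loses the escaping it previously had. Each such emission point should apply `esc_url()` itself; a comment on the new line would make the contract explicit, e.g. `// Raw URL: escape with esc_url() wherever it is emitted into markup.`. The enclosing function starts before the hunk and continues after it.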
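--- a/trunk/bp-groups/bp-groups-template.php
+++ b/trunk/bp-groups/bp-groups-template.php
@@ -522,5 +522,5 @@
         /* Fetch the avatar from the folder, if not provide backwards compat. */
         if ( !$avatar = bp_core_fetch_avatar( array( 'item_id' => $groups_template->group->id, 'object' => 'group', 'type' => $type, 'avatar_dir' => 'group-avatars', 'alt' => $alt, 'css_id' => $id, 'class' => $class, 'width' => $width, 'height' => $height, 'title' => $groups_template->group->name, 'alt' => $alt ) ) )
-            $avatar = '<img src="' . esc_attr( $groups_template->group->avatar_thumb ) . '" class="avatar" alt="' . esc_attr( $groups_template->group->name ) . '" />';
+            $avatar = '<img src="' . esc_url( $groups_template->group->avatar_thumb ) . '" class="avatar" alt="' . esc_attr( $groups_template->group->name ) . '" />';
 
         return apply_filters( 'bp_get_group_avatar', $avatar );
@@ -2605,9 +2605,9 @@
     if ( $bp->groups->current_group->avatar_full ) { ?>
 
-        <img src="<?php echo esc_attr( $bp->groups->current_group->avatar_full ) ?>" alt="<?php _e( 'Group Avatar', 'buddypress' ) ?>" class="avatar" />
+        <img src="<?php echo esc_url( $bp->groups->current_group->avatar_full ); ?>" alt="<?php _e( 'Group Avatar', 'buddypress' ) ?>" class="avatar" />
 
     <?php } else { ?>
 
-        <img src="<?php echo $bp->groups->image_base . '/none.gif' ?>" alt="<?php _e( 'No Group Avatar', 'buddypress' ) ?>" class="avatar" />
+        <img src="<?php echo esc_url( $bp->groups->image_base . '/none.gif' ); ?>" alt="<?php _e( 'No Group Avatar', 'buddypress' ) ?>" class="avatar" />
 
     <?php }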
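Review bot: The rewritten `<img>` lines at 2607 and 2611 now escape src with esc_url() but still emit the alt attribute through `_e()`, which echoes the translated string into attribute context without escaping; the WordPress convention for that position is `esc_attr_e( 'Group Avatar', 'buddypress' )` and `esc_attr_e( 'No Group Avatar', 'buddypress' )`. Translations come from the active language pack rather than from end users, so this is about consistency with the escaping the commit is introducing rather than a direct injection path. Unrelated to this change, the context line at 523 passes `'alt' => $alt` twice in the argument array; the later key wins in PHP so it is harmless, but worth tidying while the line is being touched. Both enclosing functions extend beyond their hunks.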