

Changeset 7469


Timestamp:
10/23/2013 06:47:16 PM (11 years ago)
Author:
boonebgorges
Message:

Sanitize more gently in component *_update_meta() functions

Previous sanitization techniques resulted in double-sanitization. Recent
changes in how WP's SQL sanitization routines work have surfaced this problem,
in particular as regards line breaks. By removing the extraneous call to
esc_sql(), we ensure that line breaks are preserved, and sanitization is left
to $wpdb->prepare().

Change applied in update_meta() functions through bp-groups, bp-activity, and
bp-xprofile. Also adds corresponding unit tests.

Fixes #5180

Location:
trunk
Files:
6 edited

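--- a/trunk/bp-activity/bp-activity-functions.php
+++ b/trunk/bp-activity/bp-activity-functions.php
@@ -681,6 +681,7 @@
 
     // Sanitize value
-    if ( is_string( $meta_value ) )
-        $meta_value = stripslashes( esc_sql( $meta_value ) );
+    if ( is_string( $meta_value ) ) {
+        $meta_value = stripslashes( $meta_value );
+    }
 
     // Maybe, just maybe... serialize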
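Review bot: The lone `stripslashes()` left on new line 684 makes bp_activity_update_meta() require a slashed string, which is how WP's own metadata API behaves but is not stated anywhere visible; a programmatic caller passing an unslashed value with a literal backslash now loses it, whereas the old esc_sql()/stripslashes() pair happened to round-trip it. The function starts above and ends below this hunk, so the contract belongs in its docblock: `@param mixed $meta_value Value to store. Expected to be slashed (as from $_POST); it is unslashed here and escaped later by $wpdb->prepare().` The `$wpdb->prepare()` part comes from the commit message rather than from the hunk, so confirm it against the write below before committing that wording.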
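--- a/trunk/bp-groups/bp-groups-functions.php
+++ b/trunk/bp-groups/bp-groups-functions.php
@@ -1056,6 +1056,7 @@
     $meta_key = preg_replace( '|[^a-z0-9_]|i', '', $meta_key );
 
-    if ( is_string( $meta_value ) )
-        $meta_value = stripslashes( esc_sql( $meta_value ) );
+    if ( is_string( $meta_value ) ) {
+        $meta_value = stripslashes( $meta_value );
+    }
 
     $meta_value = maybe_serialize( $meta_value );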
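Review bot: The `is_string()` guard on new line 1058 unslashes only a top-level string, while `maybe_serialize()` on line 1062 accepts arrays and objects, so slashed strings nested inside an array would be serialized with their slashes still in place. If array values can arrive slashed the same way strings do, WP's recursive `stripslashes_deep()` handles both cases and replaces the three-line guard: `$meta_value = stripslashes_deep( $meta_value );`. Whether any caller actually passes slashed arrays is not visible here, so check groups_update_groupmeta()'s callers before widening the unslash. The function continues outside the hunk in both directions.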
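--- a/trunk/bp-xprofile/bp-xprofile-functions.php
+++ b/trunk/bp-xprofile/bp-xprofile-functions.php
@@ -589,6 +589,7 @@
     $meta_key = preg_replace( '|[^a-z0-9_]|i', '', $meta_key );
 
-    if ( is_string( $meta_value ) )
-        $meta_value = stripslashes( esc_sql( $meta_value ) );
+    if ( is_string( $meta_value ) ) {
+        $meta_value = stripslashes( $meta_value );
+    }
 
     $meta_value = maybe_serialize( $meta_value );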
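Review bot: New lines 591-593 carry the whole reason for this change but no comment, so the next reader who notices that the value is only unslashed and never escaped here is likely to put `esc_sql()` back and reintroduce the double-escaping that #5180 is about. A one-line why-comment above the guard prevents that: `// Unslash only; SQL escaping is left to $wpdb->prepare() so the value is not escaped twice (#5180).` The prepare() call is below the hunk and not visible, so confirm it is what actually writes the value before asserting that in the comment. bp_xprofile_update_meta() starts above and ends below this hunk.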
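--- a/trunk/tests/testcases/activity/functions.php
+++ b/trunk/tests/testcases/activity/functions.php
@@ -87,3 +87,17 @@
         $this->assertEquals( false, $m3 );
     }
+
+    /**
+     * @group bp_activity_update_meta
+     * @ticket BP5180
+     */
+    public function test_bp_activity_update_meta_with_line_breaks() {
+        $a = $this->factory->activity->create();
+        $meta_value = 'Foo!
+
+
+Bar!';
+        bp_activity_update_meta( $a, 'linebreak_test', $meta_value );
+        $this->assertEquals( $meta_value, bp_activity_get_meta( $a, 'linebreak_test' ) );
+    }
 }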
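Review bot: The new test pins only the line-break case with an unslashed, programmatic value, so the slashing contract that remains in bp_activity_update_meta() after this commit (a bare `stripslashes()`) is still untested: nothing shows whether a quote or a literal backslash survives, or whether callers are expected to pass slashed input as they do with WP's own metadata functions. A companion test that slashes its input with `addslashes()` and expects the unslashed string back would lock that in, and `assertSame()` is the stricter choice for a string round-trip than `assertEquals()`. That slashed-input contract is inferred from the commit message rather than visible in this file, so flip the expectation if it is not the intent. The enclosing test class is cut at the top of the hunk.

```php
    /**
     * @group bp_activity_update_meta
     * @ticket BP5180
     */
    public function test_bp_activity_update_meta_with_slashed_input() {
        $a = $this->factory->activity->create();
        // One literal backslash and one quote: both are mangled if the
        // function strips or escapes more than once.
        $meta_value = "It's a back\\slash";
        // Callers are expected to pass slashed input, as with WP's *_update_meta().
        bp_activity_update_meta( $a, 'slash_test', addslashes( $meta_value ) );
        $this->assertSame( $meta_value, bp_activity_get_meta( $a, 'slash_test' ) );
    }
```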
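--- a/trunk/tests/testcases/groups/functions.php
+++ b/trunk/tests/testcases/groups/functions.php
@@ -270,3 +270,17 @@
         $this->assertEquals( 1, groups_get_groupmeta( $g, 'total_member_count' ) );
     }
+
+    /**
+     * @group groupmeta
+     * @ticket BP5180
+     */
+    public function test_groups_update_groupmeta_with_line_breaks() {
+        $g = $this->factory->group->create();
+        $meta_value = 'Foo!
+
+Bar!';
+        groups_update_groupmeta( $g, 'linebreak_test', $meta_value );
+
+        $this->assertEquals( $meta_value, groups_get_groupmeta( $g, 'linebreak_test' ) );
+    }
 }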
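Review bot: `assertEquals()` on new line 284 is a loose comparison, so a round-trip that comes back as a different type would still pass; for a string equality check the stricter assertion is `$this->assertSame( $meta_value, groups_get_groupmeta( $g, 'linebreak_test' ) );`. The test also exercises only the unslashed path, so it does not pin what groups_update_groupmeta() does with a slashed value containing a backslash; a second case that wraps the input in `addslashes()` and expects the original back would. The enclosing test class is cut at the top of the hunk.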
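--- a/trunk/tests/testcases/xprofile/functions.php
+++ b/trunk/tests/testcases/xprofile/functions.php
@@ -63,3 +63,21 @@
         $this->set_current_user( $old_current_user );
     }
+
+    /**
+     * @group bp_xprofile_update_meta
+     * @ticket BP5180
+     */
+    public function test_bp_xprofile_update_meta_with_line_breaks() {
+        $g = $this->factory->xprofile_group->create();
+        $f = $this->factory->xprofile_field->create( array(
+            'field_group_id' => $g->id,
+            'type' => 'textbox',
+        ) );
+
+        $meta_value = 'Foo!
+
+Bar!';
+        bp_xprofile_update_meta( $f->id, 'field', 'linebreak_field', $meta_value );
+        $this->assertEquals( $meta_value, bp_xprofile_get_meta( $f->id, 'field', 'linebreak_field' ) );
+    }
 }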
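Review bot: The expected value on new lines 77-79 is a multi-line string literal, so the bytes under test depend on the checkout's line endings (an svn:eol-style or git autocrlf conversion silently turns `\n` into `\r\n`), and CRLF — what a browser submits from a textarea — is never tested deliberately. Spelling the breaks out pins the test to fixed bytes: `$meta_value = "Foo!\n\nBar!";` plus a second round-trip with `"Foo!\r\n\r\nBar!"`. The activity and groups tests in this changeset use the same literal style and would benefit from the same change. The enclosing test class is cut at the top of the hunk.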