Context Navigation

← Previous Change
Next Change →

bp-activity-functions.php

Timestamp:

10/23/2013 06:47:16 PM (11 years ago)

Author:

boonebgorges

Message:

Sanitize more gently in component *_update_meta() functions

Previous sanitization techniques resulted in double-sanitization. Recent
changes in how WP's SQL sanitization routines work have surfaced this problem,
in particular as regards line breaks. By removing the extraneous call to
esc_sql(), we ensure that line breaks are preserved, and sanitization is left
to $wpdb->prepare().

Change applied in update_meta() functions through bp-groups, bp-activity, and
bp-xprofile. Also adds corresponding unit tests.

Fixes #5180

File:

: 1 edited

trunk/bp-activity/bp-activity-functions.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/bp-activity/bp-activity-functions.php

-                      r7448
+                      r7469
     // Sanitize value
+    if ( is_string( $meta_value ) )
+        $meta_value = stripslashes( esc_sql( $meta_value ) );
+    if ( is_string( $meta_value ) ) {
+        $meta_value = stripslashes( $meta_value );
+    }
     // Maybe, just maybe... serialize

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

BuddyPress.org

Context Navigation

Changeset 7469 for trunk/bp-activity/bp-activity-functions.php

Legend:

trunk/bp-activity/bp-activity-functions.php

Download in other formats: