Changeset 7469 for trunk/bp-groups/bp-groups-functions.php

Timestamp:

10/23/2013 06:47:16 PM (11 years ago)

Author:

boonebgorges

Message:

Sanitize more gently in component *_update_meta() functions

Previous sanitization techniques resulted in double-sanitization. Recent
changes in how WP's SQL sanitization routines work have surfaced this problem,
in particular as regards line breaks. By removing the extraneous call to
esc_sql(), we ensure that line breaks are preserved, and sanitization is left
to $wpdb->prepare().

Change applied in update_meta() functions through bp-groups, bp-activity, and
bp-xprofile. Also adds corresponding unit tests.

Fixes #5180

File:

• trunk/bp-groups/bp-groups-functions.php (modified) (1 diff)

trunk/bp-groups/bp-groups-functions.php

@@ -1056 +1056 @@
     $meta_key = preg_replace( '|[^a-z0-9_]|i', '', $meta_key );
 
-    if ( is_string( $meta_value ) )
-        $meta_value = stripslashes( esc_sql( $meta_value ) );
+    if ( is_string( $meta_value ) ) {
+        $meta_value = stripslashes( $meta_value );
+    }
 
     $meta_value = maybe_serialize( $meta_value );