BuddyPress.org


Timestamp:
10/23/2013 06:47:16 PM (11 years ago)
Author:
boonebgorges
Message:

Sanitize more gently in component *_update_meta() functions

Previous sanitization techniques resulted in double-sanitization. Recent
changes in how WP's SQL sanitization routines work have surfaced this problem,
in particular as regards line breaks. By removing the extraneous call to
esc_sql(), we ensure that line breaks are preserved, and sanitization is left
to $wpdb->prepare().

Change applied in update_meta() functions through bp-groups, bp-activity, and
bp-xprofile. Also adds corresponding unit tests.

Fixes #5180

File:
1 edited

  • trunk/bp-xprofile/bp-xprofile-functions.php

    r7365 r7469  
    589589    $meta_key = preg_replace( '|[^a-z0-9_]|i', '', $meta_key );
    590590
    591     if ( is_string( $meta_value ) )
    592         $meta_value = stripslashes( esc_sql( $meta_value ) );
     591    if ( is_string( $meta_value ) ) {
     592        $meta_value = stripslashes( $meta_value );
     593    }
    593594
    594595    $meta_value = maybe_serialize( $meta_value );
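Review bot: dropping esc_sql() here is only safe if every query that consumes $meta_value passes it through $wpdb->prepare() with a placeholder, and that call is not visible in this hunk; the commit message says sanitization is "left to $wpdb->prepare()", so the corresponding insert/update query in this file should be checked in the same review to confirm the value goes through a %s placeholder rather than being concatenated. Two smaller points on the new lines: stripslashes() is still applied unconditionally to every string value, which assumes the caller always hands in slashed input (WordPress's magic-quotes convention), so an unslashed value containing a literal backslash will be altered; and non-string values skip the `is_string()` branch entirely, so an array of strings goes into maybe_serialize() with its slashes intact, which is inconsistent with the scalar case. A short comment above the `if ( is_string( $meta_value ) )` block stating that the value is expected to be slashed on input and escaped by prepare() on output would make that contract explicit for the next person touching this function.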