Skip to:
Content

BuddyPress.org

Changeset 9346


Ignore:
Timestamp:
01/12/2015 12:51:41 AM (6 years ago)
Author:
johnjamesjacoby
Message:

Use sanitize_key() in bp_get/post_request() functions, to ensure $action is properly formatted.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/bp-core/bp-core-dependency.php

    r9314 r9346  
    376376
    377377    // Bail if not a POST action
    378     if ( ! bp_is_post_request() )
     378    if ( ! bp_is_post_request() ) {
    379379        return;
     380    }
    380381
    381382    // Bail if no action
    382     if ( empty( $_POST['action'] ) )
     383    if ( empty( $_POST['action'] ) ) {
    383384        return;
     385    }
     386
     387    // Sanitize the POST action
     388    $action = sanitize_key( $_POST['action'] );
    384389
    385390    // This dynamic action is probably the one you want to use. It narrows down
    386391    // the scope of the 'action' without needing to check it in your function.
    387     do_action( 'bp_post_request_' . $_POST['action'] );
     392    do_action( 'bp_post_request_' . $action );
    388393
    389394    // Use this static action if you don't mind checking the 'action' yourself.
    390     do_action( 'bp_post_request',   $_POST['action'] );
     395    do_action( 'bp_post_request',   $action );
    391396}
    392397
     
    400405
    401406    // Bail if not a POST action
    402     if ( ! bp_is_get_request() )
     407    if ( ! bp_is_get_request() ) {
    403408        return;
     409    }
    404410
    405411    // Bail if no action
    406     if ( empty( $_GET['action'] ) )
     412    if ( empty( $_GET['action'] ) ) {
    407413        return;
     414    }
     415
     416    // Sanitize the GET action
     417    $action = sanitize_key( $_GET['action'] );
    408418
    409419    // This dynamic action is probably the one you want to use. It narrows down
    410420    // the scope of the 'action' without needing to check it in your function.
    411     do_action( 'bp_get_request_' . $_GET['action'] );
     421    do_action( 'bp_get_request_' . $action );
    412422
    413423    // Use this static action if you don't mind checking the 'action' yourself.
    414     do_action( 'bp_get_request',   $_GET['action'] );
    415 }
     424    do_action( 'bp_get_request',   $action );
     425}
Note: See TracChangeset for help on using the changeset viewer.