Changeset 9346

Timestamp:

01/12/2015 12:51:41 AM (10 years ago)

Author:

johnjamesjacoby

Message:

Use sanitize_key() in bp_get/post_request() functions, to ensure $action is properly formatted.

File:

• trunk/src/bp-core/bp-core-dependency.php (modified) (2 diffs)

trunk/src/bp-core/bp-core-dependency.php

@@ -376 +376 @@
 
     // Bail if not a POST action
-    if ( ! bp_is_post_request() )
+    if ( ! bp_is_post_request() ) {
         return;
+    }
 
     // Bail if no action
-    if ( empty( $_POST['action'] ) )
+    if ( empty( $_POST['action'] ) ) {
         return;
+    }
+
+    // Sanitize the POST action
+    $action = sanitize_key( $_POST['action'] );
 
     // This dynamic action is probably the one you want to use. It narrows down
     // the scope of the 'action' without needing to check it in your function.
-    do_action( 'bp_post_request_' . $_POST['action'] );
+    do_action( 'bp_post_request_' . $action );
 
     // Use this static action if you don't mind checking the 'action' yourself.
-    do_action( 'bp_post_request',   $_POST['action'] );
+    do_action( 'bp_post_request',   $action );
 }
 
@@ -400 +405 @@
 
     // Bail if not a POST action
-    if ( ! bp_is_get_request() )
+    if ( ! bp_is_get_request() ) {
         return;
+    }
 
     // Bail if no action
-    if ( empty( $_GET['action'] ) )
+    if ( empty( $_GET['action'] ) ) {
         return;
+    }
+
+    // Sanitize the GET action
+    $action = sanitize_key( $_GET['action'] );
 
     // This dynamic action is probably the one you want to use. It narrows down
     // the scope of the 'action' without needing to check it in your function.
-    do_action( 'bp_get_request_' . $_GET['action'] );
+    do_action( 'bp_get_request_' . $action );
 
     // Use this static action if you don't mind checking the 'action' yourself.
-    do_action( 'bp_get_request',   $_GET['action'] );
-}
+    do_action( 'bp_get_request',   $action );
+}