
Changeset 9411


Timestamp:
01/29/2015 03:40:09 PM (11 years ago)
Author:
johnjamesjacoby
Message:

Use bp_sanitize_pagination_arg() in BP_Activity_Template and include related tests. This prevents pagination values from being overridden outside of anticipated boundaries. Props boonebgorges. See #5796.

Location:
trunk
Files:
2 edited

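--- a/trunk/src/bp-activity/bp-activity-template.php
+++ b/trunk/src/bp-activity/bp-activity-template.php
@@ -215,7 +215,7 @@
         extract( $r );
 
-        $this->pag_arg  = $r['page_arg'];
-        $this->pag_page = isset( $_REQUEST[ $this->pag_arg ] ) ? intval( $_REQUEST[ $this->pag_arg ] ) : $page;
-        $this->pag_num  = isset( $_REQUEST['num'] ) ? intval( $_REQUEST['num'] ) : $per_page;
+        $this->pag_arg  = sanitize_key( $r['page_arg'] );
+        $this->pag_page = bp_sanitize_pagination_arg( $this->pag_arg, $r['page']     );
+        $this->pag_num  = bp_sanitize_pagination_arg( 'num',          $r['per_page'] );
 
         // Check if blog/forum replies are disabled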
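Review bot: The upper bound actually enforced on `num` is not visible here: the new line 219, `$this->pag_num = bp_sanitize_pagination_arg( 'num', $r['per_page'] );`, still takes the per-page count from `$_REQUEST` (query string, POST body or cookie), and unless the helper clamps the value an oversized `num` drives an unbounded activity query. The accompanying tests only exercise the `'0'` fallback and URL precedence, so if the helper merely casts and falls back on 0, I would cap the value here or in the helper and record the contract with a comment such as `// Per-page count is user-supplied; bp_sanitize_pagination_arg() must clamp it, not just cast it.` The `extract( $r )` on the context line above is no longer needed for `$page`/`$per_page`, since the new lines read `$r` directly, though it may still feed other locals further down. The constructor this belongs to starts and ends outside the hunk.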
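--- a/trunk/tests/phpunit/testcases/activity/template.php
+++ b/trunk/tests/phpunit/testcases/activity/template.php
@@ -1398,3 +1398,67 @@
         $this->assertEquals( $ids, array( $a1 ) );
     }
+
+    /**
+     * @group BP_Activity_Template
+     */
+    public function test_bp_activity_template_should_give_precedence_to_acpage_URL_param() {
+        $request = $_REQUEST;
+        $_REQUEST['acpage'] = '5';
+
+        $at = new BP_Activity_Template( array(
+            'page' => 8,
+        ) );
+
+        $this->assertEquals( 5, $at->pag_page );
+
+        $_REQUEST = $request;
+    }
+
+    /**
+     * @group BP_Activity_Template
+     */
+    public function test_bp_activity_template_should_reset_0_pag_page_URL_param_to_default_pag_page_value() {
+        $request = $_REQUEST;
+        $_REQUEST['acpage'] = '0';
+
+        $at = new BP_Activity_Template( array(
+            'page' => 8,
+        ) );
+
+        $this->assertEquals( 8, $at->pag_page );
+
+        $_REQUEST = $request;
+    }
+
+    /**
+     * @group BP_Activity_Template
+     */
+    public function test_bp_activity_template_should_give_precedence_to_num_URL_param() {
+        $request = $_REQUEST;
+        $_REQUEST['num'] = '14';
+
+        $at = new BP_Activity_Template( array(
+            'per_page' => 13,
+        ) );
+
+        $this->assertEquals( 14, $at->pag_num );
+
+        $_REQUEST = $request;
+    }
+
+    /**
+     * @group BP_Activity_Template
+     */
+    public function test_bp_activity_template_should_reset_0_pag_num_URL_param_to_default_pag_num_value() {
+        $request = $_REQUEST;
+        $_REQUEST['num'] = '0';
+
+        $at = new BP_Activity_Template( array(
+            'per_page' => 13,
+        ) );
+
+        $this->assertEquals( 13, $at->pag_num );
+
+        $_REQUEST = $request;
+    }
 }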
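Review bot: The `$_REQUEST = $request;` restore at the end of each of the four new tests runs only when the assertion passes; `assertEquals` throws on failure, so a failing run leaves `acpage` or `num` set in `$_REQUEST` and bleeds into every later test in the class. Capturing the original in `setUp()` and restoring it in `tearDown()` would make the cleanup unconditional, or within a single test `try { ... } finally { $_REQUEST = $request; }`. The tests also cover only URL precedence and the `'0'` reset, while the commit message claims protection against values outside anticipated boundaries — cases for a negative `acpage`, a non-numeric string and an oversized `num` would pin that claim, assuming bp_sanitize_pagination_arg() is meant to reject them (its body is not visible here). The test class opens before the hunk.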