Changeset 9412 for trunk/src/bp-members/bp-members-template.php

Timestamp:

01/29/2015 04:22:02 PM (11 years ago)

Author:

johnjamesjacoby

Message:

Use bp_sanitize_pagination_arg() in BP_Core_Members_Template and include related tests. This prevents pagination values from being overridden outside of anticipated boundaries. See #5796.

File:

• trunk/src/bp-members/bp-members-template.php (modified) (3 diffs)

trunk/src/bp-members/bp-members-template.php

@@ -222 +222 @@
      */
     var $in_the_loop;
+
+    /**
+     * The unique string used for pagination queries
+     *
+     * @access public
+     * @var public
+     */
+    var $pag_arg;
 
     /**
@@ -277 +285 @@
     function __construct( $type, $page_number, $per_page, $max, $user_id, $search_terms, $include, $populate_extras, $exclude, $meta_key, $meta_value, $page_arg = 'upage', $member_type = '' ) {
 
-        $this->pag_page = !empty( $_REQUEST[$page_arg] ) ? intval( $_REQUEST[$page_arg] ) : (int) $page_number;
-        $this->pag_num  = !empty( $_REQUEST['num'] )   ? intval( $_REQUEST['num'] )   : (int) $per_page;
+        $this->pag_arg  = sanitize_key( $page_arg );
+        $this->pag_page = bp_sanitize_pagination_arg( $this->pag_arg, $page_number );
+        $this->pag_num  = bp_sanitize_pagination_arg( 'num',          $per_page    );
         $this->type     = $type;
 
@@ -305 +314 @@
         if ( (int) $this->total_member_count && (int) $this->pag_num ) {
             $pag_args = array(
-                $page_arg => '%#%',
+                $this->pag_arg => '%#%',
             );