Timestamp:
01/29/2015 04:30:16 PM (10 years ago)
Author:
johnjamesjacoby
Message:

Use bp_sanitize_pagination_arg() in BP_Notifications_Template and include related tests. This prevents pagination values from being overridden outside of anticipated boundaries. See #5796.

File:
1 edited

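--- a/trunk/src/bp-notifications/bp-notifications-template.php
+++ b/trunk/src/bp-notifications/bp-notifications-template.php
@@ -283,16 +283,4 @@
         // Overrides
 
-        // Set which pagination page
-        if ( isset( $_GET[ $r['page_arg'] ] ) ) {
-            $r['page'] = intval( $_GET[ $r['page_arg'] ] );
-        }
-
-        // Set the number to show per page
-        if ( isset( $_GET['num'] ) ) {
-            $r['per_page'] = intval( $_GET['num'] );
-        } else {
-            $r['per_page'] = intval( $r['per_page'] );
-        }
-
         // Sort order direction
         $orders = array( 'ASC', 'DESC' );
@@ -304,10 +292,10 @@
 
         // Setup variables
-        $this->pag_page     = $r['page'];
-        $this->pag_num      = $r['per_page'];
+        $this->pag_arg      = sanitize_key( $r['page_arg'] );
+        $this->pag_page     = bp_sanitize_pagination_arg( $this->pag_arg, $r['page']     );
+        $this->pag_num      = bp_sanitize_pagination_arg( 'num',          $r['per_page'] );
         $this->user_id      = $r['user_id'];
         $this->is_new       = $r['is_new'];
         $this->search_terms = $r['search_terms'];
-        $this->page_arg     = $r['page_arg'];
         $this->order_by     = $r['order_by'];
         $this->sort_order   = $r['sort_order'];
@@ -339,5 +327,5 @@
 
             $this->pag_links = paginate_links( array(
-                'base'      => add_query_arg( $this->page_arg, '%#%' ),
+                'base'      => add_query_arg( $this->pag_arg, '%#%' ),
                 'format'    => '',
                 'total'     => ceil( (int) $this->total_notification_count / (int) $this->pag_num ),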
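Review bot: Removing the `$this->page_arg` assignment in the second hunk while introducing `$this->pag_arg` renames what looks like a publicly readable template property, so any theme or plugin that read `page_arg` off this object would now hit an undefined property; if the class declares it, keeping `$this->page_arg = $this->pag_arg;` as a deprecated alias, or noting the removal in the changeset message, would avoid a silent break. `sanitize_key()` lowercases and strips anything outside `[a-z0-9_-]`, so a caller-supplied `page_arg` containing uppercase letters is now read from and emitted under a different query key than the one the caller passed in; a comment such as `// page_arg is normalised with sanitize_key(), so callers must pass a lowercase key` above the `pag_arg` line would make that contract explicit. The `total` computation in the third hunk still divides by `$this->pag_num`, and `bp_sanitize_pagination_arg()` appears to fall back to the supplied default when no request override is present, so a zero or empty `per_page` default would still reach the division; wrapping the divisor as `max( 1, (int) $this->pag_num )` would close that off. The enclosing methods start and end outside these hunks.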