Timestamp:
04/02/2015 12:51:51 AM (5 years ago)
Author:
johnjamesjacoby
Message:

XProfile: Move field save() sanitization into filters for consistency between save method & saving via the admin UI. See #6340.

File:
1 edited

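--- a/trunk/src/bp-xprofile/bp-xprofile-admin.php
+++ b/trunk/src/bp-xprofile/bp-xprofile-admin.php
@@ -327,48 +327,47 @@
     if ( isset( $_POST['saveField'] ) ) {
         if ( BP_XProfile_Field::admin_validate() ) {
-            $field->name        = wp_filter_kses( $_POST['title'] );
-            $field->description = !empty( $_POST['description'] ) ? wp_filter_kses( $_POST['description'] ) : '';
-            $field->is_required = wp_filter_kses( $_POST['required'] );
-            $field->type        = wp_filter_kses( $_POST['fieldtype'] );
-
-            if ( !empty( $_POST["sort_order_{$field->type}"] ) ) {
-                $field->order_by = wp_filter_kses( $_POST["sort_order_{$field->type}"] );
+            $field->is_required = $_POST['required'];
+            $field->type        = $_POST['fieldtype'];
+            $field->name        = $_POST['title'];
+
+            if ( ! empty( $_POST['description'] ) ) {
+                $field->description = $_POST['description'];
+            } else {
+                $field->description = '';
+            }
+
+            if ( ! empty( $_POST["sort_order_{$field->type}"] ) ) {
+                $field->order_by = $_POST["sort_order_{$field->type}"];
             }
 
             $field->field_order = $wpdb->get_var( $wpdb->prepare( "SELECT field_order FROM {$bp->profile->table_name_fields} WHERE id = %d", $field_id ) );
-
-            if ( !$field->field_order ) {
+            if ( empty( $field->field_order ) || is_wp_error( $field->field_order ) ) {
                 $field->field_order = (int) $wpdb->get_var( $wpdb->prepare( "SELECT max(field_order) FROM {$bp->profile->table_name_fields} WHERE group_id = %d", $group_id ) );
                 $field->field_order++;
             }
 
-            // For new profile fields, set the $field_id. For existing profile fields,
-            // this will overwrite $field_id with the same value.
+            // For new profile fields, set the $field_id. For existing profile
+            // fields, this will overwrite $field_id with the same value.
             $field_id = $field->save();
 
-            if ( !$field_id ) {
+            if ( empty( $field_id ) ) {
                 $message = __( 'There was an error saving the field. Please try again.', 'buddypress' );
-                $type = 'error';
-
-                unset( $_GET['mode'] );
-
-                xprofile_admin( $message, $type );
+                $type    = 'error';
             } else {
                 $message = __( 'The field was saved successfully.', 'buddypress' );
-                $type = 'success';
-
+                $type    = 'success';
+
+                // @todo remove these old options
                 if ( 1 == $field_id ) {
                     bp_update_option( 'bp-xprofile-fullname-field-name', $field->name );
                 }
 
-                if ( !empty( $_POST['default-visibility'] ) ) {
+                if ( ! empty( $_POST['default-visibility'] ) ) {
                     bp_xprofile_update_field_meta( $field_id, 'default_visibility', $_POST['default-visibility'] );
                 }
 
-                if ( !empty( $_POST['allow-custom-visibility'] ) ) {
+                if ( ! empty( $_POST['allow-custom-visibility'] ) ) {
                     bp_xprofile_update_field_meta( $field_id, 'allow_custom_visibility', $_POST['allow-custom-visibility'] );
                 }
-
-                unset( $_GET['mode'] );
 
                 /**
@@ -382,6 +381,10 @@
 
                 $groups = bp_xprofile_get_groups();
-                xprofile_admin( $message, $type );
-            }
+            }
+
+            unset( $_GET['mode'] );
+
+            xprofile_admin( $message, $type );
+
         } else {
             $field->render_admin_form( $message );
@@ -818,5 +821,7 @@
             foreach ( (array) $posted_field_ids as $field_id ) {
 
-                // Certain types of fields (checkboxes, multiselects) may come through empty. Save them as an empty array so that they don't get overwritten by the default on the next edit.
+                // Certain types of fields (checkboxes, multiselects) may come
+                // through empty. Save them as an empty array so that they don't
+                // get overwritten by the default on the next edit.
                 $value = isset( $_POST['field_' . $field_id] ) ? $_POST['field_' . $field_id] : '';
 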
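Review bot: The two `bp_xprofile_update_field_meta()` calls in the first hunk still store `$_POST['default-visibility']` and `$_POST['allow-custom-visibility']` verbatim, and unlike the name/type/required assignments above them they never pass through `$field->save()`, so the filters this commit relies on for sanitization do not apply to that meta at all. Now that `wp_filter_kses()` is gone from this handler, the admin request is the only validation point for those two values; restricting each to the set of values the field UI actually offers before the call (and skipping the write otherwise) would close that gap without depending on the filter chain. The new `$field->is_required`, `$field->type` and `$field->name` assignments are correct only if the filters in `save()` really do run for every property listed here, which this hunk cannot show; a one-line comment such as `// Raw request values: sanitized by the filters applied in BP_XProfile_Field::save().` above the assignments would make that dependency explicit for the next reader. The enclosing function starts before and ends after these hunks.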