


Timestamp:
04/07/2015 12:54:07 AM (10 years ago)
Author:
boonebgorges
Message:

Improve parameter sanitization in xprofile_insert_field().

The overzealous empty() checks meant that it was impossible to set certain
values on existing fields to falsy values.

Fixes #6354.

File:
1 edited

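--- a/trunk/src/bp-xprofile/bp-xprofile-functions.php
+++ b/trunk/src/bp-xprofile/bp-xprofile-functions.php
@@ -231,4 +231,5 @@
         'is_default_option' => false,
         'option_order' => null,
+        'field_order' => null,
     ) );
 
@@ -238,5 +239,5 @@
     }
 
-    // Check this is a valid field type
+    // Check this is a non-empty, valid field type.
     if ( ! in_array( $r['type'], (array) buddypress()->profile->field_types ) ) {
         return false;
@@ -251,42 +252,19 @@
 
     $field->group_id = $r['field_group_id'];
-
-    if ( ! empty( $r['parent_id'] ) ) {
-        $field->parent_id = $r['parent_id'];
-    }
-
-    if ( ! empty( $r['type'] ) ) {
-        $field->type = $r['type'];
-    }
-
+    $field->type     = $r['type'];
+
+    // The 'name' field cannot be empty.
     if ( ! empty( $r['name'] ) ) {
         $field->name = $r['name'];
     }
 
-    if ( ! empty( $r['description'] ) ) {
-        $field->description = $r['description'];
-    }
-
-    if ( ! empty( $r['is_required'] ) ) {
-        $field->is_required = $r['is_required'];
-    }
-
-    if ( ! empty( $r['can_delete'] ) ) {
-        $field->can_delete = $r['can_delete'];
-    }
-
-    if ( ! empty( $r['field_order'] ) ) {
-        $field->field_order = $r['field_order'];
-    }
-
-    if ( ! empty( $r['order_by'] ) ) {
-        $field->order_by = $r['order_by'];
-    }
-
+    $field->description       = $r['description'];
+    $field->order_by          = $r['order_by'];
+    $field->parent_id         = (int) $r['parent_id'];
+    $field->field_order       = (int) $r['field_order'];
+    $field->option_order      = (int) $r['option_order'];
+    $field->is_required       = (bool) $r['is_required'];
+    $field->can_delete        = (bool) $r['can_delete'];
     $field->is_default_option = (bool) $r['is_default_option'];
-
-    if ( ! empty( $r['option_order'] ) ) {
-        $field->option_order = $r['option_order'];
-    }
 
     return $field->save();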
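Review bot: In the third hunk the unconditional `(int)` casts of `$r['field_order']` and `$r['option_order']` turn their `null` defaults (the `'field_order' => null` added in the first hunk, and `'option_order' => null` just above it) into `0`, so a caller that updates an existing field and simply omits those keys now overwrites the stored order with 0, which the removed `! empty()` guards, for all their faults, did not do; the same applies to `parent_id` if its default above the hunk is also `null`. A `null` default only buys anything if the assignment is skipped on `null`, so the nullable keys should be guarded with `is_null()` before casting, as below. The rewritten comment in the second hunk, `// Check this is a non-empty, valid field type.`, promises more than the loose `in_array()` on the next line enforces; passing `true` as its third argument makes the membership test strict and matches the comment. The enclosing function starts above the first hunk and `$field` is instantiated outside this view, so whether it carries loaded values on update is inferred from the commit message rather than visible here.
```php
    // … unchanged: group_id, type, name, description, order_by, parent_id …
    if ( ! is_null( $r['field_order'] ) ) {
        $field->field_order = (int) $r['field_order'];
    }

    if ( ! is_null( $r['option_order'] ) ) {
        $field->option_order = (int) $r['option_order'];
    }
    // … unchanged: is_required, can_delete, is_default_option, save() …
```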