Timestamp:
05/19/2015 05:02:11 PM (10 years ago)
Author:
johnjamesjacoby
Message:

XProfile: Improve field validation in BP_Profile_Field::admin_validate().

  • Break inline conditions apart into multiple specific ones to improve logical flow of field validation
  • Introduce more helpful $message feedback for each new condition, including the field-type name where possible
  • Replace empty() checks with ! isset() to allow "0" values as names and options
  • Remove field_file check, as the "file" field type was removed when avatar uploads were refactored in 1.0
  • Much more appropriate field-option validation using sanitize_text_field
  • Properly escape gettext output
  • Tests introduced in r9878

See #6443.

File:
1 edited

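--- a/trunk/src/bp-xprofile/classes/class-bp-xprofile-field.php
+++ b/trunk/src/bp-xprofile/classes/class-bp-xprofile-field.php
@@ -589,15 +589,57 @@
         global $message;
 
-        // Validate Form
-        if ( empty( $_POST['title'] ) || ! isset( $_POST['required'] ) || empty( $_POST['fieldtype'] ) ) {
-            $message = __( 'Please make sure you fill out all required fields.', 'buddypress' );
+        // Check field name
+        if ( ! isset( $_POST['title'] ) || ( '' === $_POST['title'] ) ) {
+            $message = esc_html__( 'Profile fields must have a name.', 'buddypress' );
             return false;
-
-        } elseif ( empty( $_POST['field_file'] ) ) {
-            $field_type  = bp_xprofile_create_field_type( $_POST['fieldtype'] );
-            $option_name = "{$_POST['fieldtype']}_option";
-
-            if ( ! empty( $field_type->supports_options ) && isset( $_POST[ $option_name ] ) && empty( $_POST[ $option_name ][1] ) ) {
-                $message = __( 'This field type requires at least one option. Please add options below.', 'buddypress' );
+        }
+
+        // Check field requirement
+        if ( ! isset( $_POST['required'] ) ) {
+            $message = esc_html__( 'Profile field requirement is missing.', 'buddypress' );
+            return false;
+        }
+
+        // Check field type
+        if ( empty( $_POST['fieldtype'] ) ) {
+            $message = esc_html__( 'Profile field type is missing.', 'buddypress' );
+            return false;
+        }
+
+        // Check that field is of valid type
+        if ( ! in_array( $_POST['fieldtype'], array_keys( bp_xprofile_get_field_types() ), true ) ) {
+            $message = sprintf( esc_html__( 'The profile field type %s is not registered.', 'buddypress' ), '<code>' . esc_attr( $_POST['fieldtype'] ) . '</code>' );
+            return false;
+        }
+
+        // Get field type so we can check for and lavidate any field options
+        $field_type = bp_xprofile_create_field_type( $_POST['fieldtype'] );
+
+        // Field type requires options
+        if ( true === $field_type->supports_options ) {
+
+            // Build the field option key
+            $option_name = sanitize_key( $_POST['fieldtype'] ) . '_option';
+
+            // Check for missing or malformed options
+            if ( empty( $_POST[ $option_name ] ) || ! is_array( $_POST[ $option_name ] ) ) {
+                $message = esc_html__( 'These field options are invalid.', 'buddypress' );
+                return false;
+            }
+
+            // Trim out empty field options
+            $field_values  = array_values( $_POST[ $option_name ] );
+            $field_options = array_map( 'sanitize_text_field', $field_values );
+            $field_count   = count( $field_options );
+
+            // Check for missing or malformed options
+            if ( 0 === $field_count ) {
+                $message = sprintf( esc_html__( '%s require at least one option.', 'buddypress' ), $field_type->name );
+                return false;
+            }
+
+            // If only one option exists, it cannot be an empty string
+            if ( ( 1 === $field_count ) && ( '' === $field_options[0] ) ) {
+                $message = sprintf( esc_html__( '%s require at least one option.', 'buddypress' ), $field_type->name );
                 return false;
             }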
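Review bot: The single-empty-option check at new lines 642–643 leaves a gap: once two or more options are submitted, every one of them may be an empty string and validation still passes, because neither `array_values` nor the `sanitize_text_field` map at lines 631–632 removes empties, despite the "Trim out empty field options" comment above them. Filtering after sanitising closes the gap while still keeping a "0" option, which the commit deliberately allows: `$field_options = array_values( array_filter( array_map( 'sanitize_text_field', $field_values ), 'strlen' ) );` — the `0 === $field_count` check then covers every all-empty case and the `1 === $field_count` branch becomes redundant. The comment on line 615 also misspells "validate" as "lavidate". admin_validate() starts before and continues beyond this hunk, so whether later code relies on the unfiltered option list cannot be confirmed here.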