Skip to:
Content

BuddyPress.org

Opened 15 years ago

Closed 14 years ago

#2009 closed defect (bug) (fixed)

Tags in group name makes group inaccessible

Reported by: ezd's profile Ezd Owned by: sushkov's profile sushkov
Milestone: 1.2.4 Priority: normal
Severity: Version:
Component: Core Keywords: has-patch, needs-testing
Cc: stas@…

Description

There's a problem if you use "?" in your groupname.

The group will not be accessible and the url will look something like this:

http://domain.com/groups//

Confirmed this on a clean install of 1.2 final.

Attachments (1)

bp_2009_stas.diff (1.2 KB) - added by sushkov 15 years ago.
previous was using php5 function

Download all attachments as: .zip

Change History (15)

#1 @Ezd
15 years ago

  • Summary changed from "?" tag in group name makes group inaccessible to Tags in group name makes group inaccessible

Update:

The same problem happens with other tags as well. Just tested using:

  • ++

Note: There might be alot more tags that makes the group inaccessible!

#2 @Ezd
15 years ago

and "" tags.

#3 @Ezd
15 years ago

Look at the url vs. group name of this group too: http://testbp.org/groups/любители-летать/

#4 @cnorris23
15 years ago

  • Keywords needs-patch added

Related: #1974

#5 @DJPaul
15 years ago

  • Component set to Core
  • Milestone changed from 1.3 to 1.2.4
  • Priority changed from major to normal

Please can we see if this can be checked for 1.2.4?

#6 @johnjamesjacoby
15 years ago

The function is:

bp_get_group_name

Which is filtered by:

wptexturize, convert_chars, wp_filter_kses, stripslashes

I've tested this on WordPress trunk and it seems to work fine. Maybe there were changes to one of the filter functions that was causing the problem?

#7 @johnjamesjacoby
15 years ago

bp_get_group_description and bp_get_group_description_excerpt suffer the same fate, and also seem to work fine on WP trunk.

Windows 7 IIS7, if that matters.

#8 @johnjamesjacoby
15 years ago

Does anyone know what the accepted standard is for mixed language URL's? Does it even matter?

As a test I made a blog post named "любители-летать" and WordPress handled it without a hiccup; the URL and titles and everything.

#9 @sushkov
15 years ago

  • Cc stas@… added

No I don't think it matters since there are Cyrillic/East European characters in some domain names.

I created a group with the name "любители летать" in buddypress and there was no problem with that. The problem was when creating groups with <oOoOoOoOoO(°_°), and I think the best here would be to sanitize on creation of groups names that contain special characters like <. Creating a group with oooooooooo(°_°) results into this slug:
http://localhost/groups/oooooooooo°_°/
(no parenthesis). Same should be done with <,>.

#10 @apeatling
15 years ago

The group slug is passed through sanitize_title().

#11 @sushkov
15 years ago

  • Keywords has-patch needs-testing added; needs-patch removed
  • Owner set to sushkov
  • Status changed from new to assigned

Not sure if it's allowed to use PHP5 functions, but sanitizing $_POST['group-name'] before applying sanitize_title() does the trick.

#12 @cnorris23
15 years ago

As apeatling stated, the slug is passed through sanitize_title(). The problem with "<oOoOoOoOoO(°_°)", and Edz's original example of "?", is a reflection of the limitations of sanitize_title() (more specifically PHP's strip_tags()). It's liberally designed to strip HTML and PHP tags, which is why "?" is stripped out. In the case of "<oOoOoOoOoO(°_°)", the issue is that there's no closing bracket. If you changed "<oOoOoOoOoO(°_°)" to "<o>OoOoOoOoO(°_°)", "o" within the brackets, and the brackets themselves, would be removed, but the rest would remain. WP utilizes the $fallback_title parameter of sanitize_title() to account for this scenario. WP uses the post_id as the fallback title, and BP could, respectively, use group_id.

#13 @sushkov
15 years ago

Yes I agree, and using same approach as wp handles it is a solution, but using the id as a slug won't confuse if somebody want's to create a group with the same title as existent ID, though I know BP handles duplicate slugs by adding random numbers to it?

@sushkov
15 years ago

previous was using php5 function

#14 @apeatling
14 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3012]) Fixes #2009 props sushkov

Note: See TracTickets for help on using tickets.