Skip to:
Content

BuddyPress.org

Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#2603 closed defect (bug) (fixed)

[patch] has-xprofile field values aren't sanitised in database

Reported by: djpaul's profile DJPaul Owned by: djpaul's profile DJPaul
Milestone: 1.2.6 Priority: blocker
Severity: Version:
Component: Extended Profile Keywords: has-patch, dev-feedback
Cc:

Description

Attachments (3)

pgibbs.patch (1.0 KB) - added by DJPaul 14 years ago.
pgibbs2.patch (3.4 KB) - added by DJPaul 14 years ago.
pgibbs3.patch (3.4 KB) - added by DJPaul 14 years ago.

Download all attachments as: .zip

Change History (18)

@DJPaul
14 years ago

#1 @DJPaul
14 years ago

Hmm, upon testing this, I see we have issues if anything other than a text field is stored. Should we special-case the appropriate text field types and call the filter for those cases?

#2 @boonebgorges
14 years ago

That seems like the easiest solution for now. It's a pretty important security fix so easier might be best.

#3 @johnjamesjacoby
14 years ago

  • Priority changed from normal to blocker

Holding off on 1.2.6 to get this in. First person to patch this gets cake.

#4 @DJPaul
14 years ago

  • Owner set to DJPaul
  • Status changed from new to assigned

@DJPaul
14 years ago

#5 @DJPaul
14 years ago

pgibbs2.patch needs more testing around dropdown boxes, multiselect boxes, checkbox and radio buttons

@DJPaul
14 years ago

#6 @DJPaul
14 years ago

pgibbs3.patch removes & as this breaks on PHP5.3.

#7 @jeffsayre
14 years ago

I would also pass textual data through the sanitize_text_field filter added in WP 2.9.0. See function sanitize_text_field() on line 2795 of /wp-includes/formatting.php

#8 @paulhastings0
14 years ago

  • Summary changed from xprofile field values aren't sanitised in database to [patch]has-xprofile field values aren't sanitised in database

#9 @paulhastings0
14 years ago

  • Summary changed from [patch]has-xprofile field values aren't sanitised in database to [patch] has-xprofile field values aren't sanitised in database

#10 @DJPaul
14 years ago

sanitize_text_field is a new one to me. We don't use it anywhere else in BuddyPress... yet? Separate patch to cover all text fields/inputs?

#11 @jeffsayre
14 years ago

Yes, I think a separate patch would be fine. Or, if you've come up with a final solution to this ticket, you could just do a single big patch.

#12 @johnjamesjacoby
14 years ago

Makes sense to use sanitize_text_field for this. The problem will still arise with textareas though. There are plenty of those in WP core to mirror how they are sanitized. With all of the fields in BP, it may be a good idea for 1.3 to have our own sanitization API for user facing fields.

#13 @DJPaul
14 years ago

  • Keywords dev-feedback added

sanitize_text_field calls wp_strip_all_tags. Currently, BP allows wp_filter_kses filtered tags in text boxes/areas, and displays those on both view/edit screens.
For textareas, WP only calls wp_filter_kses.

Therefore, it seems that BP is okay for textareas as we already uses kses. Removing tags from textbox xProfile fields could be considered a substantial change in behaviour?

#14 @johnjamesjacoby
14 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3248]) xProfile filter clean-up(1.2 branch). Fixes #2603. Props Paul Gibbs, mariochampion.

#15 @johnjamesjacoby
14 years ago

(In [3252]) Fixes #2603 (trunk)

Note: See TracTickets for help on using tickets.