#2603 closed defect (bug) (fixed)
[patch] has-xprofile field values aren't sanitised in database
Reported by: | DJPaul | Owned by: | DJPaul |
---|---|---|---|
Milestone: | 1.2.6 | Priority: | blocker |
Severity: | | Version: | |
Component: | Extended Profile | Keywords: | has-patch, dev-feedback |
Cc: | | | |
Description
From this post, by mariochampion:
Mario's code put into a patch, and attached.
Attachments (3)
Change History (18)
#2 @ 14 years ago
That seems like the easiest solution for now. It's a pretty important security fix so easier might be best.
#3 @ 14 years ago
- Priority changed from normal to blocker
Holding off on 1.2.6 to get this in. First person to patch this gets cake.
#5 @ 14 years ago
pgibbs2.patch needs more testing around dropdown boxes, multiselect boxes, checkbox and radio buttons.
#7 @ 14 years ago
I would also pass textual data through the sanitize_text_field filter added in WP 2.9.0. See function sanitize_text_field() on line 2795 of /wp-includes/formatting.php.
#8 @ 14 years ago
- Summary changed from xprofile field values aren't sanitised in database to [patch]has-xprofile field values aren't sanitised in database
#9 @ 14 years ago
- Summary changed from [patch]has-xprofile field values aren't sanitised in database to [patch] has-xprofile field values aren't sanitised in database
#10 @ 14 years ago
sanitize_text_field is a new one to me. We don't use it anywhere else in BuddyPress... yet? Separate patch to cover all text fields/inputs?
#11 @ 14 years ago
Yes, I think a separate patch would be fine. Or, if you've come up with a final solution to this ticket, you could just do a single big patch.
#12 @ 14 years ago
Makes sense to use sanitize_text_field for this. The problem will still arise with textareas though. There are plenty of those in WP core to mirror how they are sanitized. With all of the fields in BP, it may be a good idea for 1.3 to have our own sanitization API for user facing fields.
#13 @ 14 years ago
- Keywords dev-feedback added
sanitize_text_field calls wp_strip_all_tags. Currently, BP allows wp_filter_kses filtered tags in text boxes/areas, and displays those on both view/edit screens.
For textareas, WP only calls wp_filter_kses.
Therefore, it seems that BP is okay for textareas as we already use kses. Removing tags from textbox xProfile fields could be considered a substantial change in behaviour?
Hmm, upon testing this, I see we have issues if anything other than a text field is stored. Should we special-case the appropriate text field types and call the filter for those cases?
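The per-type split discussed in comments #12 and #13 (sanitize_text_field for text boxes, kses for textareas, and option checking for the choice-based types that pgibbs2.patch needed testing against), written out as an added example that is not BuddyPress or WordPress code. The function name `example_sanitize_xprofile_value` is hypothetical, and the field type strings and the `$allowed_options` list are assumed to be the field's stored type name and option values.

```php
<?php
// Added example, not BuddyPress code: sanitise one submitted xprofile value
// according to its field type before it is written to the database.
// Assumptions: $type is the field's stored type name ('textbox', 'textarea',
// 'selectbox', 'multiselectbox', 'checkbox', 'radio'); $allowed_options holds
// the option values defined for choice-based fields; $value is the raw
// submitted value, slashed as WordPress passes $_POST data.
function example_sanitize_xprofile_value( $type, $value, array $allowed_options = array() ) {
    switch ( $type ) {
        case 'textbox':
            // sanitize_text_field() (WP 2.9+) strips all tags, invalid octets
            // and line breaks, so no markup survives in single-line fields.
            return sanitize_text_field( stripslashes( $value ) );

        case 'textarea':
            // Mirror WP core: keep only the kses-allowed tags (wp_filter_kses
            // expects slashed input and returns slashed output).
            return wp_filter_kses( $value );

        case 'selectbox':
        case 'radio':
            // Single choice: accept the value only if it is one of the field's
            // own options; anything else is discarded rather than stored.
            return in_array( (string) $value, $allowed_options, true ) ? (string) $value : '';

        case 'multiselectbox':
        case 'checkbox':
            // Multiple choice: keep only submitted entries that are real options,
            // preserving the array shape BP stores for these types.
            $values = is_array( $value ) ? $value : array( $value );
            return array_values( array_intersect( array_map( 'strval', $values ), $allowed_options ) );

        default:
            // Unknown or new field type: fall back to the strictest textual filter
            // so an unhandled type never passes raw markup through.
            return sanitize_text_field( stripslashes( $value ) );
    }
}
```

The whitelist branches matter as much as the text branches: a dropdown or checkbox value that is never compared against the field's option list is just free text with a different input widget.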