#2747 closed defect (bug) (fixed)
bp_has_* templatetag functions should not use $_REQUEST['s'] without further verification
Reported by: | | Owned by: |
---|---|---|---
Milestone: | 1.5 | Priority: | normal
Severity: | | Version: | 1.2.5
Component: | Core | Keywords: |
Cc: | | |
Description
Each bp_has_* templatetag function (like bp_has_groups or bp_has_members) has a line of the following kind:
if ( isset( $_REQUEST['s'] ) && !empty( $_REQUEST['s'] ) ) $search_terms = $_REQUEST['s'];
IMHO I have to disagree with this kind of statement. Let's say on a website the groups of the current_user are listed in the sidebar using:
bp_has_groups( 'user_id=' . bp_loggedin_user_id() . '&slug=false&type=active' )
If a user searches for a member 'smith', the URL will be '/members/?s=smith', and consequently the groups displayed in the sidebar will only be the common groups between the current user and the users matching the name 'smith'.
$search_terms will in any case be overridden by the code, even if I set the value.
I haven't worked on the patch yet, but I wanted first to get feedback about this problem.
(In [3448]) Don't allow the URL to override search parameters hardcoded in templates. Fixes #2747.
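An added illustration of the pattern the ticket describes and of the direction the fix takes; this is not BuddyPress code and not the contents of [3448]. The functions bp_has_things_old / bp_has_things_fixed, the $request parameter (standing in for $_REQUEST) and the search_terms argument name are assumptions made for the example.

```php
<?php
// Hypothetical stand-in for a bp_has_* templatetag: returns the search terms
// the loop would use. The URL parameter ?s= always wins, as in the ticket.
function bp_has_things_old(string $args, array $request): ?string {
    parse_str($args, $r);                      // 'user_id=42&type=active' -> array
    $search_terms = $r['search_terms'] ?? null; // value the template asked for
    if (isset($request['s']) && !empty($request['s'])) {
        $search_terms = $request['s'];          // template value silently discarded
    }
    return $search_terms;
}

// Fixed variant: a search_terms value hard-coded in the template is honoured,
// and the URL parameter only fills the gap when the template set nothing.
function bp_has_things_fixed(string $args, array $request): ?string {
    parse_str($args, $r);
    if (array_key_exists('search_terms', $r)) {
        // Template made an explicit choice; 'false' or '' means "no search".
        $terms = $r['search_terms'];
        return ($terms === 'false' || $terms === '') ? null : $terms;
    }
    if (isset($request['s']) && $request['s'] !== '') {
        return $request['s'];                   // main loop still reacts to ?s=
    }
    return null;
}

// Constructed request: a member search for 'smith', i.e. /members/?s=smith
$request = ['s' => 'smith'];

// Sidebar loop from the ticket, now stating that it wants no search applied
$sidebar = 'user_id=42&slug=false&type=active&search_terms=false';

// Old code: the sidebar is filtered by the member search, which is the bug.
var_dump(bp_has_things_old($sidebar, $request));

// Fixed code: the sidebar keeps the template's choice and lists all groups.
var_dump(bp_has_things_fixed($sidebar, $request));

// A loop that hard-codes nothing still picks up the search from the URL.
var_dump(bp_has_things_fixed('type=active', $request));
```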