
Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#2747 closed defect (bug) (fixed)

bp_has_* templatetag functions should not use $_REQUEST['s'] without further verification

Reported by: calvin_42
Owned by: DJPaul
Milestone: 1.5
Priority: normal
Severity:
Version: 1.2.5
Component: Core
Keywords:
Cc:

Description

Each bp_has_* templatetag function (like bp_has_groups or bp_has_members) has the following kind of line:

if ( isset( $_REQUEST['s'] ) && !empty( $_REQUEST['s'] ) )
		$search_terms = $_REQUEST['s'];

IMHO I have to disagree with this kind of statement. Let's say on a website the groups of the current_user are listed in the sidebar using:

bp_has_groups( 'user_id=' . bp_loggedin_user_id() . '&slug=false&type=active' )

If a user searches for a member 'smith', the URL will be '/members/?s=smith', and consequently the sidebar will only display the groups the current user has in common with the users matching the name 'smith'.

$search_terms will in any case be overridden by the code, even if I set the value.

I haven't worked on the patch yet, but I wanted to get feedback about this problem first.

Change History (3)

#1 @DJPaul
8 years ago

  • Owner set to DJPaul
  • Status changed from new to assigned

#2 @djpaul
8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3448]) Don't allow the URL to override search parameters hardcoded in templates. Fixes #2747.

#3 @DJPaul
8 years ago

Good catch, calvin_42. The way it works now is that if the function's search_terms argument is supplied, that will override any provided by $_REQUEST.
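The precedence change described in this comment, as an added illustration (not BuddyPress code and not the actual changeset): the old form lets a request parameter replace a search term hardcoded in the template, the new form lets the template argument win and treats the request only as a fallback. The function names are hypothetical, and parse_template_args() stands in for WordPress's wp_parse_args().

```php
<?php
// Added example, not BuddyPress code. Hypothetical names; parse_template_args()
// stands in for WordPress's wp_parse_args() handling of 'key=value&...' strings.

function parse_template_args( $args, array $defaults ) {
    if ( is_string( $args ) ) {
        parse_str( $args, $parsed );
    } else {
        $parsed = (array) $args;
    }
    return array_merge( $defaults, $parsed );
}

// Pre-fix precedence: a non-empty request parameter always replaces whatever
// the template passed, which is the behaviour the ticket describes.
function resolve_search_terms_old( $args, array $request ) {
    $r = parse_template_args( $args, array( 'search_terms' => false ) );
    $search_terms = $r['search_terms'];
    if ( isset( $request['s'] ) && ! empty( $request['s'] ) ) {
        $search_terms = $request['s'];
    }
    return $search_terms;
}

// Post-fix precedence as described in comment 3: an explicit search_terms
// argument wins; the request parameter is only consulted when the template
// supplied none.
function resolve_search_terms_new( $args, array $request ) {
    $r = parse_template_args( $args, array( 'search_terms' => false ) );
    if ( false !== $r['search_terms'] && '' !== $r['search_terms'] ) {
        return $r['search_terms'];
    }
    if ( isset( $request['s'] ) && ! empty( $request['s'] ) ) {
        return $request['s'];
    }
    return false;
}

// Constructed input mirroring the ticket: a member search for 'smith' is in
// the URL while a sidebar template hardcodes its own group search.
$request      = array( 's' => 'smith' );
$sidebar_args = 'user_id=42&type=active&search_terms=photography';
$members_args = 'type=active'; // no search_terms: the request is the only source

var_dump( resolve_search_terms_old( $sidebar_args, $request ) ); // template value replaced by the request
var_dump( resolve_search_terms_new( $sidebar_args, $request ) ); // template value kept
var_dump( resolve_search_terms_new( $members_args, $request ) ); // request used as the fallback
```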
