Opened 14 years ago
Closed 14 years ago
#2986 closed defect (bug) (fixed)
Form General Settings - Fields are not escaped
Reported by: | calvin_42 | Owned by: | DJPaul |
---|---|---|---|
Milestone: | 1.5 | Priority: | normal |
Severity: | | Version: | 1.2.6 |
Component: | Core | Keywords: | |
Cc: | | | |
Description
Option names bp-xprofile-base-group-name and bp-xprofile-fullname-field-name are not stored in the DB as HTML, which means quotes are escaped with a \.
Enter the value Informations "TEST" for the bp-xprofile-base-group-name value, and save the form. Try the same for the bp-xprofile-fullname-field-name value.
When displayed, the HTML is the following:
<input name="bp-admin[bp-xprofile-base-group-name]" id="bp-xprofile-base-group-name" value="Informations \" ok\"">
which cannot be displayed correctly by the browser.
The PHP code to display this form is currently (Link):
<input name="bp-admin[bp-xprofile-base-group-name]" id="bp-xprofile-base-group-name" value="<?php echo get_site_option('bp-xprofile-base-group-name') ?>" />
To be displayed correctly, it should be replaced by:
<input name="bp-admin[bp-xprofile-base-group-name]" id="bp-xprofile-base-group-name" value="<?php echo get_form_site_option('bp-xprofile-base-group-name') ?>" />

function get_form_site_option( $option ) {
    return apply_filters( 'get_form_site_option', get_site_option( $option ) );
}
add_filter( 'get_form_site_option', 'stripslashes' );
add_filter( 'get_form_site_option', 'esc_attr' );
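A stand-alone reproduction of the symptom and of the suggested fix, added here as an example and not the BuddyPress patch itself. It assumes a fake option store in place of get_site_option(), stubs esc_attr() as htmlspecialchars() with ENT_QUOTES (which is what the WordPress implementation amounts to), and collapses the filter chain into one function. esc_attr() is the part that matters beyond display: without it any quote in the stored value ends the attribute early, whatever happens to the slashes.

```php
<?php
// Added example, not BuddyPress code. Reproduces ticket #2986 with stand-ins
// for WordPress so it runs from the command line.

// Stand-in for the DB: the value as the form handler saved it, slashes included
// (constructed sample, matching the ticket's "Informations \"TEST\"" case).
$fake_options = array(
    'bp-xprofile-base-group-name' => addslashes( 'Informations "TEST"' ),
);

if ( ! function_exists( 'get_site_option' ) ) {
    // Stand-in for WordPress's get_site_option(): reads the fake store.
    function get_site_option( $option ) {
        global $fake_options;
        return isset( $fake_options[ $option ] ) ? $fake_options[ $option ] : false;
    }
}

if ( ! function_exists( 'esc_attr' ) ) {
    // Stand-in for WordPress's esc_attr(): HTML-encode quotes and angle brackets
    // so the value can only ever be attribute text, never attribute syntax.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// The reporter's suggestion as a single function instead of a filter chain:
// first undo the added slashes, then escape for an HTML attribute.
function get_form_site_option( $option ) {
    return esc_attr( stripslashes( get_site_option( $option ) ) );
}

// Current (broken) rendering: the stored slashes and the raw double quotes are
// written straight into value="...", so the quoted attribute ends at the first
// embedded quote and the rest of the string spills out as markup.
$raw = get_site_option( 'bp-xprofile-base-group-name' );
echo '<input id="bp-xprofile-base-group-name" value="' . $raw . '" />', "\n";

// Fixed rendering: slashes removed, quotes encoded as &quot;, so the browser
// shows the value the user typed and cannot misread it as attribute syntax.
$safe = get_form_site_option( 'bp-xprofile-base-group-name' );
echo '<input id="bp-xprofile-base-group-name" value="' . $safe . '" />', "\n";
```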
I'm going to patch this similar to what has been suggested, but BuddyPress really needs all of its database storage reviewed; we're creating multiple options in wp_options, for example.