Skip to:
Content

BuddyPress.org

Opened 13 years ago

Closed 13 years ago

#3409 closed defect (bug) (wontfix)

Posting PHP code into activity update creates a blank update

Reported by: intermike's profile InterMike Owned by:
Milestone: 1.6 Priority: minor
Severity: minor Version: 1.5
Component: Activity Keywords: 2nd-opinion
Cc:

Description

If you post, for example:

<?php print("Hello World"); ?>

into a new activity update, it creates an empty update. I guess it should just output the exact text that was entered as plain text, or at least give an error, such as the one when you try to Post an update with no text in the textbox at all.

If you paste it into a comment, it moves the "Comment" button over to the left 1 cm.

Change History (5)

#1 @InterMike
13 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

I meant to say "... to the right 1cm."

[Edit]Lol, ffs, sorry about changing the Status and Resolution, it's like 3am here, time for bed!

Last edited 13 years ago by InterMike (previous) (diff)

#2 @boonebgorges
13 years ago

  • Keywords 2nd-opinion added
  • Milestone changed from Awaiting Review to 1.6
  • Priority changed from normal to minor
  • Resolution wontfix deleted
  • Severity changed from normal to minor
  • Status changed from closed to reopened

Confirmed. This is also an issue with group forum posts.

There are a couple of things happening here. First, the code is being removed altogether by kses. We could debate whether it would be better to escape the '<?php' and '?>' delimiters, and display the content as plain text. It seems to me that this would be better behavior from the user point of view, as long as we can maintain security. I'm not sure whether this method is compatible with kses (we might have to run our own filters first?).

Second, the reason why it's posting an empty activity update is that the filters are being run *right before* the content is saved, in the BP_Activity_Activity::save() method. This is probably too late, IMO. That's because we allow for some activity items with empty 'content' (such as 'Boone and Mike are now friends'), so we can't put a check in the save() method itself that refuses to post if 'content' is empty. That check should be done (and is, in fact, done) further upstream (for instance in bp_activity_post_update()), but it happens before the kses filters are applied.

So there are a few solutions:

  • write our own replacement for kses that escapes rather than strips the content
  • move the kses filters way upstream, into the individual component activity functions
  • introduce a $allow_null_content parameter to the bp_activity_add() chain, which would allow us to fail immediately before saving when no content is left by the filter when appropriate.

This is not a 1.5 regression; the 1.2 branch has the same issue. So it's not urgent.

#3 @johnjamesjacoby
13 years ago

Code should be wrapped in code tags. If it's not, it will get stripped. The regex to compensate for each possible code syntax is near impossible to write with any guaranteed accuracy. We should at least be doing an empty() check after the filter is applied, and error appropriately if the entire content got stripped.

#4 @boonebgorges
13 years ago

This appears to have resolved itself at some point with respect to activity updates; when you post nothing but PHP code, you get an error.

#5 @boonebgorges
13 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

It's going to be a pain to fix this in the case of forum posts, because we're escaping on the way in, but ksesing on the way out; so there's not a straightforward way to filter on the way in except by doing another kses there, which could break other stuff. I'm going to close this as wontfix, as it's an edge case. See jjj's comment above.

Note: See TracTickets for help on using tickets.