#4058 closed enhancement (fixed)
Updating bp_latest_update uses wp_filter_kses hard coded
Reported by: |
|
Owned by: | |
---|---|---|---|
Milestone: | 1.6 | Priority: | normal |
Severity: | minor | Version: | 1.5.4 |
Component: | Activity | Keywords: | has-patch |
Cc: |
Description
BuddyPress has the option to deactivate kses in activities by filtering the content before it gets saved into the database. For example:
remove_filter('bp_activity_content_before_save', 'bp_activity_filter_kses', 1); add_filter('bp_activity_content_before_save', function($content) {return esc_html($content);}, 1);
That way I can disable html and use something like bbcode.
BUT during updating "bp_latest_update" in table wp_usermeta
kses is hardcoded and results in an unexpected "last update". That's inconsistent and maybe unnecessary. Please see:
bp-activity-functions.php => bp_activity_post_update()
http://buddypress.trac.wordpress.org/browser/tags/1.5.4/bp-activity/bp-activity-functions.php#L854
bp_update_user_meta( $bp->loggedin_user->id, 'bp_latest_update', array( 'id' => $activity_id, 'content' => wp_filter_kses( $content ) ) );
Wouldn't it be better to apply all filters from "bp_activity_content_before_save" on $content in line 873:
$activity_content = apply_filters('bp_activity_content_before_save', $content);
And remove the hard coded call to "wp_filter_kses" in line 854?
Attachments (1)
Change History (8)
#2
@
13 years ago
- Keywords needs-patch added; 2nd-opinion dev-feedback removed
- Milestone changed from Awaiting Review to 1.6
- Severity changed from normal to minor
I'm not convinced that removing kses where we've used it is a good idea, but I think it's safe to move this hard-coded call to that filter, per your suggestion.
#3
@
13 years ago
- Keywords has-patch added; needs-patch removed
Just created diff to move this ticket more faster. Diff removes hardcoded wp_filter_kses and introduces bp_activity_update_before_save
filter.
Is there any particular reason for using wp_filter_kses()
instead of bp_activity_filter_kses()
what we use on other filters?
#4
follow-up:
↓ 7
@
13 years ago
Is there any particular reason for using wp_filter_kses() instead of bp_activity_filter_kses() what we use on other filters?
Good question. It looks like the manual call to wp_filter_kses() has been there since the function was introduced in r2287. If we change it to use bp_activity_filter_kses() instead, it will mean that a larger number of tags will be allowed (like img, div, and span). And remember that the value being stored with this call to bp_update_user_meta() is used to display the user's latest update in the profile header. Allowing things like images and divs in the profile header has the potential to be problematic, as these elements could wreck the layout. I think that this is probably a bad thing for most BP sites.
For this reason, I'm going to move the kses call to a filter, as in 4058.diff, and mark this ticket as resolved. Site owners who want to allow full update content in the Latest Update area can unhook wp_filter_kses() and hook bp_activity_filter_kses() themselves.
#5
@
13 years ago
PS:
Just created diff to move this ticket more faster.
Thanks. This usually works :)
#6
@
13 years ago
- Resolution set to fixed
- Status changed from new to closed
(In [5901]) Introduces bp_activity_latest_update_content filter, to allow the filtering of update content before it is saved to a user's latest_update usermeta.
Moves the hardcoded wp_filter_kses() filter on latest_update content to an unhookable add_filter() call.
Fixes #4058. Props wpdennis, Mamaduka
#7
in reply to:
↑ 4
@
13 years ago
Replying to boonebgorges:
Right we don't need that much allowed tags.
And remove the hard coded call to "wp_filter_kses" in line 887, not 854:
to