Skip to:
Content

BuddyPress.org

Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#4058 closed enhancement (fixed)

Updating bp_latest_update uses wp_filter_kses hard coded

Reported by: wpdennis Owned by:
Milestone: 1.6 Priority: normal
Severity: minor Version: 1.5.4
Component: Activity Keywords: has-patch
Cc:

Description

BuddyPress has the option to deactivate kses in activities by filtering the content before it gets saved into the database. For example:

remove_filter('bp_activity_content_before_save', 'bp_activity_filter_kses', 1);
add_filter('bp_activity_content_before_save', function($content) {return esc_html($content);}, 1);

That way I can disable html and use something like bbcode.

BUT during updating "bp_latest_update" in table wp_usermeta kses is hardcoded and results in an unexpected "last update". That's inconsistent and maybe unnecessary. Please see:

bp-activity-functions.php => bp_activity_post_update()
http://buddypress.trac.wordpress.org/browser/tags/1.5.4/bp-activity/bp-activity-functions.php#L854

bp_update_user_meta( $bp->loggedin_user->id, 'bp_latest_update', array( 'id' => $activity_id, 'content' => wp_filter_kses( $content ) ) );

Wouldn't it be better to apply all filters from "bp_activity_content_before_save" on $content in line 873:

$activity_content = apply_filters('bp_activity_content_before_save', $content);

And remove the hard coded call to "wp_filter_kses" in line 854?

Attachments (1)

4058.diff (1.5 KB) - added by Mamaduka 9 years ago.

Download all attachments as: .zip

Change History (8)

#1 @wpdennis
9 years ago

And remove the hard coded call to "wp_filter_kses" in line 887, not 854:

bp_update_user_meta( $bp->loggedin_user->id, 'bp_latest_update', array( 'id' => $activity_id, 'content' => wp_filter_kses( $content ) ) );

to

bp_update_user_meta( $bp->loggedin_user->id, 'bp_latest_update', array( 'id' => $activity_id, 'content' => $content ) );

#2 @DJPaul
9 years ago

  • Keywords needs-patch added; 2nd-opinion dev-feedback removed
  • Milestone changed from Awaiting Review to 1.6
  • Severity changed from normal to minor

I'm not convinced that removing kses where we've used it is a good idea, but I think it's safe to move this hard-coded call to that filter, per your suggestion.

@Mamaduka
9 years ago

#3 @Mamaduka
9 years ago

  • Keywords has-patch added; needs-patch removed

Just created diff to move this ticket more faster. Diff removes hardcoded wp_filter_kses and introduces bp_activity_update_before_save filter.

Is there any particular reason for using wp_filter_kses() instead of bp_activity_filter_kses() what we use on other filters?

#4 follow-up: @boonebgorges
9 years ago

Is there any particular reason for using wp_filter_kses() instead of bp_activity_filter_kses() what we use on other filters?

Good question. It looks like the manual call to wp_filter_kses() has been there since the function was introduced in r2287. If we change it to use bp_activity_filter_kses() instead, it will mean that a larger number of tags will be allowed (like img, div, and span). And remember that the value being stored with this call to bp_update_user_meta() is used to display the user's latest update in the profile header. Allowing things like images and divs in the profile header has the potential to be problematic, as these elements could wreck the layout. I think that this is probably a bad thing for most BP sites.

For this reason, I'm going to move the kses call to a filter, as in 4058.diff, and mark this ticket as resolved. Site owners who want to allow full update content in the Latest Update area can unhook wp_filter_kses() and hook bp_activity_filter_kses() themselves.

#5 @boonebgorges
9 years ago

PS:

Just created diff to move this ticket more faster.

Thanks. This usually works :)

#6 @boonebgorges
9 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [5901]) Introduces bp_activity_latest_update_content filter, to allow the filtering of update content before it is saved to a user's latest_update usermeta.
Moves the hardcoded wp_filter_kses() filter on latest_update content to an unhookable add_filter() call.
Fixes #4058. Props wpdennis, Mamaduka

#7 in reply to: ↑ 4 @Mamaduka
9 years ago

Replying to boonebgorges:

Right we don't need that much allowed tags.

Note: See TracTickets for help on using tickets.