Opened 12 years ago

Closed 12 years ago

#4392 closed defect (bug) (fixed)

email Profile fields not formatting correctly

Reported by: zkwc Owned by: zkwc
Milestone: 1.6 Priority: normal
Severity: normal Version: 1.5.7
Component: Core Keywords: needs-patch needs-testing


When someone enters their email address into the profile field like this: me@… - BuddyPress turns it into HTML <a href="mailto:me@…">me@…</a> and that is what a user sees. I've checked to see that the users are entering the emails correctly in profile fields and they are.

Attachments (1)

Screen Shot 2012-07-31 at 12.56.50 AM.png (32.1 KB) - added by zkwc 12 years ago.
screen shot of what is happening

Change History (3)

12 years ago

screen shot of what is happening

#1 @boonebgorges
12 years ago

  • Milestone changed from Awaiting Review to 1.6

#2 @boonebgorges
12 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [6224]) Cleanup of sanitization and formatting of xprofile output

In r6202 and r6204, sanitization was introduced into the xprofile output
functions, to protect against CSRF-style vulnerabilities. However, the
sanitization (esc_html()) was run in such a way that some clickable items,
such as email addresses, were double escaped, resulting in HTML tags being
printed to the screen rather than parsed by the browser.

This changeset reconfigures the sanitization procedure, so that output is
sanitized by esc_html() before being run through the formatting filters such
as make_clickable() and xprofile_filter_link_profile_data().

Fixes #4392

Props rachelbaker, DJPaul
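The ordering problem the changeset describes, reduced to a runnable illustration. This is an added example, not BuddyPress code: `esc_html` is stood in for by Python's `html.escape`, and `make_clickable` by a simplified stand-in that only handles bare email addresses (the real WordPress function also handles URLs). `render_broken` applies the order the commit message implies was in effect before r6224 (format first, escape afterwards), which escapes the anchor tags that the formatter just produced; `render_fixed` escapes first and then formats, so the anchor survives while any markup present in the stored value stays neutralised. The sample values are constructed.

```python
import html
import re

# Constructed sample profile values (not taken from the ticket).
SAMPLE_EMAIL = "me@example.com"
SAMPLE_WITH_MARKUP = "<b>me@example.com</b>"

# Deliberately narrow matcher: a bare email address, nothing else.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def esc_html(text: str) -> str:
    """Stand-in for WordPress esc_html(): escape &, <, > and quotes."""
    return html.escape(text, quote=True)


def make_clickable(text: str) -> str:
    """Simplified stand-in for WordPress make_clickable(): wrap each bare
    email address in a mailto: anchor. Assumption: URL handling is omitted."""
    return EMAIL_RE.sub(
        lambda m: f'<a href="mailto:{m.group(0)}">{m.group(0)}</a>', text
    )


def render_broken(value: str) -> str:
    """Format first, escape second (the order the commit message implies was
    in effect before r6224). The anchor emitted by make_clickable is itself
    escaped, so the browser shows the tags as literal text."""
    return esc_html(make_clickable(value))


def render_fixed(value: str) -> str:
    """Escape first, format second (the order introduced by the changeset).
    User-controlled markup is neutralised before the formatter runs, and the
    anchor the formatter adds is not touched afterwards."""
    return make_clickable(esc_html(value))


def demo() -> dict:
    """Return both renderings for the constructed samples so the difference
    can be inspected or asserted on."""
    return {
        "broken_email": render_broken(SAMPLE_EMAIL),
        "fixed_email": render_fixed(SAMPLE_EMAIL),
        "fixed_with_markup": render_fixed(SAMPLE_WITH_MARKUP),
    }


if __name__ == "__main__":
    for label, out in demo().items():
        print(f"{label}: {out}")
```

With the fixed order, the stored `<b>` tags come out as `&lt;b&gt;` while the address still becomes a working `mailto:` link; with the broken order the link markup itself is what gets escaped, which is exactly the symptom in the screenshot.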
