Skip to:
Content

BuddyPress.org

Opened 11 years ago

Closed 10 years ago

#5183 closed enhancement (wontfix)

Disallow HTML tags in profile fields

Reported by: henrywright's profile henrywright Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Core Keywords:
Cc:

Description

An enhancement suggestion would be to disallow HTML tags in profile fields by default.

add_filter( 'xprofile_data_value_before_save', 'wp_filter_nohtml_kses' );

Not sure if this is the best approach but this will strip HTML before the field data is saved to the database.

I recently had some users enter rather shoddy HTML in their profile which caused problems with my theme display.

Change History (7)

#1 @DJPaul
10 years ago

  • Keywords reporter-feedback added

Hi henrywright,

What type of profile field are you entering HTML in, and can you provide an example? I just very quickly tried to insert italic tags into a text field, but the HTML is being escaped on output in both the frontend view and in the profile editor.

#2 @johnjamesjacoby
10 years ago

  • Milestone changed from Awaiting Review to 2.0

#3 @henry.wright
10 years ago

Hi DJPaul

Sorry for the delay in getting back to you.

I think it depends on the tag. Try inserting a link <a href="..">...</a> - I just tried inserting one in a single line input xProfile field and it was allowed to go through. I'm not sure of the exact tag that slipped through originally but seem to remember the HTML was malformed and played havoc with my theme.

#4 @henry.wright
10 years ago

  • Keywords reporter-feedback removed

#5 @r-a-y
10 years ago

  • Keywords 2nd-opinion added

henry.wright - We do allow certain HTML elements to be used in profile fields. We use the default values from wp_kses:
https://core.trac.wordpress.org/browser/tags/3.8.1/src/wp-includes/kses.php#L372

Is there a certain HTML element that is causing a lot of problems with theme display?

I would say this is a wontfix unless there is a glaring bug that I'm not seeing.

#6 @henry.wright
10 years ago

Thanks r-a-y

I haven't come across the problem again since the initial occurrence. Since I can't reproduce either I'd agree this should be closed.

#7 @r-a-y
10 years ago

  • Keywords 2nd-opinion removed
  • Milestone 2.0 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Cool! If you ever encounter the bug again, feel free to create a new ticket!

Note: See TracTickets for help on using tickets.