Skip to:

Opened 8 years ago

Last modified 8 years ago

#6584 new defect (bug)

bp_activity_create_summary wrongly extracted <iframe src="....htm"/> as <img src="....htm"/>

Reported by: webp's profile webp Owned by:
Milestone: Awaiting Contributions Priority: low
Severity: minor Version: 2.3.2
Component: Activity Keywords: needs-patch needs-unit-tests


After posting <iframe src="....htm"> in a post, an activity summary was created with an image with a broken link at the end. HTML source shows the image with broken link:

    <img src="....htm"/>

select content from wp_bp_activity where id=xyz ;

| .... <img src="...htm"/> |


vi bp-activity/bp-activity-functions.php

function bp_activity_create_summary( $content, $activity ) {
    $media = $extractor->extract( $content, BP_Media_Extractor::ALL, $args );

vi bp-core/classes/class-bp-media-extractor.php

class BP_Media_Extractor {
    protected function extract_images( $richtext, $plaintext, $extra_args = array() ) {
        if ( stripos( $richtext, 'src=' ) !== false ) {
            preg_match_all( '#src=(["\'])([^"\']+)\1#i', $richtext, $img_srcs );  // matches src="text" and src='text'

Suggest the following change so <iframe src='*.htm'> will not get extracted into summary:

            preg_match_all( '#(?<!iframe) src=(["\'])([^"\']+)\1#i', $richtext, $img_srcs );  // matches src="text" and src='text', excluding iframe src=


            preg_match_all( '#img src=(["\'])([^"\']+)\1#i', $richtext, $img_srcs );  // matches img src="text" and img src='text'

Database fix (for MariaDB with REGEXP_REPLACE):

UPDATE wp_bp_activity SET content = REGEXP_REPLACE(content, ' <img src=(["\'])[^"\']+\\1\/>', '') WHERE content LIKE '%img src%';

Above fixes were tested for BuddyPress 2.3.2 and MariaDB 10.0.19

Change History (2)

#1 @johnjamesjacoby
8 years ago

  • Milestone changed from Awaiting Review to 2.4

Hi there. Thanks for this report. I can confirm this is happening. It should only be a bug for admins on the site that have the unfiltered_html capability, which minimizes breakage at least a bit, but we should definitely fix this anyways.

#2 @DJPaul
8 years ago

  • Keywords needs-patch needs-unit-tests added; has-patch removed
  • Milestone changed from 2.4 to Future Release

Good catch. This is a bit tricky because some strings won't have the src property immediately after the opening img tag, so we need to think a bit more about this.

Note: See TracTickets for help on using tickets.