Opened 9 years ago
Closed 9 years ago
#6707 closed defect (bug) (fixed)
Member - Settings - Email - radio buttons
| Reported by: | slaFFik | Owned by: | |
|---|---|---|---|
| Milestone: | 2.3.5 | Priority: | normal |
| Severity: | normal | Version: | 1.0 |
| Component: | Settings | Keywords: | has-patch |
| Cc: | | | |
Description
It seems BuddyPress trusts radio-button values on save, which is not good.
Just change the value field of any checked radio button and click save - in my case "yes-or-no" was saved successfully into the DB.
In the source code we have:

    // Every submitted key/value pair is written to user meta as-is,
    // with no check that the value is one of the expected radio options.
    foreach ( (array) $_POST['notifications'] as $key => $value ) {
        bp_update_user_meta( (int) bp_displayed_user_id(), $key, $value );
    }

So any JS script or user can pass any string. I believe this is a bad approach, when the application doesn't control the data that is saved.
Attachments (1)
Change History (8)
Yeah, this isn't great. This code has been in place since v1.0!
On the other hand though, the majority of plugins do direct checks for 'yes' or 'no' values only; this value is never outputted.
6707.01.patch just sets the value of the notification setting before saving it into user meta.
Filtering bp_get_user_meta( $user_id, 'notification_XXX' ) might be overkill here, so I haven't done this in 01.patch. If we feel it is necessary, then we could do it.
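An added illustration of the fix the ticket asks for (this is example code, not 6707.01.patch or any BuddyPress code): the submitted settings are reduced to an allow-list before bp_update_user_meta() is called. It goes one step further than the ticket discusses by also dropping keys that do not look like notification setting names; the wrapper functions and the sample key names are constructed for this example.

```php
<?php
// Example code, not BuddyPress's patch. bp_update_user_meta() and
// bp_displayed_user_id() are the BuddyPress functions named in the ticket;
// the two functions below are hypothetical helpers written for illustration.

/**
 * Keep only entries that are safe to store: the key must look like a
 * notification setting name and the value must be exactly 'yes' or 'no'.
 * Anything else (tampered values, unexpected keys) is silently dropped.
 */
function example_filter_notification_settings( array $posted ) {
	$allowed_values = array( 'yes', 'no' );
	$clean          = array();

	foreach ( $posted as $key => $value ) {
		// Only accept notification_* keys; rejects attempts to write other meta.
		if ( ! is_string( $key ) || ! preg_match( '/^notification_[a-z0-9_]+$/', $key ) ) {
			continue;
		}
		// Strict comparison, so 'Yes', 'yes ' or 'yes-or-no' are all rejected.
		if ( ! is_string( $value ) || ! in_array( $value, $allowed_values, true ) ) {
			continue;
		}
		$clean[ $key ] = $value;
	}

	return $clean;
}

/**
 * Hypothetical replacement for the save loop quoted in the ticket.
 * Returns the number of settings actually written.
 */
function example_save_notification_settings() {
	if ( ! isset( $_POST['notifications'] ) || ! is_array( $_POST['notifications'] ) ) {
		return 0;
	}
	$clean = example_filter_notification_settings( $_POST['notifications'] );
	foreach ( $clean as $key => $value ) {
		bp_update_user_meta( (int) bp_displayed_user_id(), $key, $value );
	}
	return count( $clean );
}

// Constructed sample input: one valid setting, one tampered value, one foreign key.
$sample = array(
	'notification_example_a' => 'yes',
	'notification_example_b' => 'yes-or-no', // tampered radio value, dropped
	'capabilities'           => 'no',        // not a notification key, dropped
);
print_r( example_filter_notification_settings( $sample ) );
```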