#6990 closed defect (bug) (fixed)
Escape HTML in RSS Feeds
Reported by: | danbrellis | Owned by: | djpaul |
---|---|---|---|
Milestone: | 2.6 | Priority: | high |
Severity: | normal | Version: | 2.5.0 |
Component: | Activity | Keywords: | |
Cc: | | | |
Description
In my theme I have a filter that appends a query string (via append_query_string()) to an activity's primary_link that is stored in the database. As a result, when I visit www.example.org/groups/mygroup/feed, I get an error:
error on line X at column X: EntityRef: expecting ';'
After some digging, this is caused as a result of the query string in the `<link>` element that has unescaped ampersands. I've found that applying this to my functions.php file fixes the problem.

```php
<?php
// Run the activity permalink through esc_url() before it is output, so the
// '&' in the appended query string becomes an XML-safe entity in the feed.
add_filter( 'bp_get_activity_thread_permalink', 'my_theme_bp_get_activity_thread_permalink' );

function my_theme_bp_get_activity_thread_permalink( $link ) {
    return esc_url( $link );
}
```

What I'm wondering is if `esc_url()` should be applied to `bp_get_activity_thread_permalink()` or where the `<link>` is output in the `BP_Activity_Feed` class, or if it's just me.
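The failure the description reports, reproduced as an added example that is not from the ticket or from BuddyPress: a minimal RSS document is built once with the permalink interpolated raw and once with XML escaping applied at output, and a strict XML parser (what a feed reader is) is run over both. Python's standard library stands in for the PHP feed output here; the permalink value and the function names are constructed for the example.

```python
"""Added example (not BuddyPress code): an unescaped '&' in an RSS <link>
element makes the whole feed unparseable, and escaping at output fixes it."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: an activity permalink that a theme filter has extended
# with a query string, the situation described in the ticket.
PERMALINK = "https://www.example.org/groups/mygroup/?utm_source=feed&utm_medium=rss"


def build_feed(link: str, escape_link: bool) -> str:
    """Build a minimal RSS 2.0 document with one item whose <link> is `link`.

    escape_link=False reproduces the bug: the raw URL is dropped into the
    XML, so the parser reads '&utm_medium' as an entity reference and then
    fails because no ';' follows it.
    escape_link=True applies XML escaping to the value at output, the role
    esc_url() plays in the fix discussed in the ticket ('&' -> '&amp;').
    """
    value = escape(link) if escape_link else link
    return (
        '<rss version="2.0"><channel>\n'
        "<title>Group activity</title>\n"
        f"<link>{value}</link>\n"
        "<item><title>New post</title>"
        f"<link>{value}</link></item>\n"
        "</channel></rss>\n"
    )


def parse_feed(xml_text: str):
    """Parse the feed strictly and return ('ok', item link) or ('error', msg).

    A strict XML parser is what feed readers and browsers use, so the
    ('error', ...) branch mirrors the 'EntityRef: expecting ;' the reporter saw.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ("error", str(exc))
    link = root.find("./channel/item/link")
    # The parser decodes '&amp;' back to '&', so the consumer gets the
    # original URL unchanged.
    return ("ok", link.text if link is not None else None)


def demo():
    """Return the parse result for the unescaped and the escaped feed."""
    unescaped = parse_feed(build_feed(PERMALINK, escape_link=False))
    escaped = parse_feed(build_feed(PERMALINK, escape_link=True))
    return unescaped, escaped


if __name__ == "__main__":
    for label, result in zip(("raw link", "escaped link"), demo()):
        print(f"{label}: {result}")
```

The point of escaping at the output step rather than in the stored value is visible in `parse_feed`: the consumer receives the original URL, with its `&`, back from the parser, so nothing downstream has to know the value was ever escaped.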
Change History (5)
#2 (follow-up: 5), 8 years ago
Team: should we be, as standard, filtering the likes of `bp_get_activity_thread_permalink` with a hooked escaping function?
This ticket was mentioned in Slack in #buddypress by dcavins. (8 years ago)
#4, 8 years ago
- Owner set to djpaul
- Resolution set to fixed
- Status changed from new to closed
In 10824:
#5 (in reply to: 2), 8 years ago
Replying to DJPaul:

> Team: should we be, as standard, filtering the likes of `bp_get_activity_thread_permalink` with a hooked escaping function?

Yes. As a general rule, our `_get_` functions are unescaped, but their equivalent echo functions should output properly sanitized and trustworthy values.
Good spot - yes, this is our mistake.