#6990 closed defect (bug) (fixed)
Escape HTML in RSS Feeds
| Reported by: | | Owned by: | djpaul |
|---|---|---|---|
| Milestone: | 2.6 | Priority: | high |
| Severity: | normal | Version: | 2.5.0 |
| Component: | Activity | Keywords: | |
| Cc: | | | |
Description
In my theme I have a filter that appends a query string (via append_query_string()) to an activity's primary_link that is stored in the database. As a result, when I visit www.example.org/groups/mygroup/feed, I get an error:
error on line X at column X: EntityRef: expecting ';'
After some digging, this is caused as a result of the query string in the <link> element that has unescaped ampersands. I've found that applying this to my functions.php file fixes the problem.
```php
<?php
// Escape the activity permalink before it is output (e.g. in the <link> of the feed).
add_filter( 'bp_get_activity_thread_permalink', 'my_theme_bp_get_activity_thread_permalink' );

function my_theme_bp_get_activity_thread_permalink( $link ) {
    return esc_url( $link );
}
```
What I'm wondering is if esc_url() should be applied to bp_get_activity_thread_permalink() or where the <link> is output in the BP_Activity_Feed class or if it's just me.
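The failure the reporter describes, shown end to end as an added example (this is not code from the ticket or from BuddyPress): a feed item whose <link> contains a query string with a raw "&" is fed to libxml, which reports the same "EntityRef: expecting ';'" error, and the same feed parses once the URL is escaped. The `example_*` functions, the sample permalink and the stand-in escaper are all constructed for this example; the stand-in only encodes the XML-significant characters via htmlspecialchars() and is not WordPress's esc_url(), which also performs scheme checks and other normalisation.

```php
<?php
// Added example, not BuddyPress code. Demonstrates why a raw "&" in a feed
// <link> makes the whole feed unparseable and how escaping fixes it.

// Stand-in for the ampersand handling of esc_url(), written for this example.
// ENT_XML1 makes htmlspecialchars() emit entities that are valid in XML 1.0
// (&amp; &lt; &gt; &quot; &#039;) rather than HTML-only named entities.
function example_escape_url_for_xml(string $url): string {
    return htmlspecialchars($url, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Build a minimal RSS 2.0 document with the given (already escaped or not)
// link text inside <link>, mirroring where BP_Activity_Feed outputs it.
function example_build_feed(string $link): string {
    return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        . "<rss version=\"2.0\"><channel>\n"
        . "<title>Example group activity</title>\n"
        . "<item><title>Activity</title><link>" . $link . "</link></item>\n"
        . "</channel></rss>\n";
}

// Parse with libxml (the same parser browsers and feed readers typically use)
// and return the first error message, or null when the document is well-formed.
function example_xml_error(string $xml): ?string {
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($ok && empty($errors)) {
        return null;
    }
    return trim($errors[0]->message);
}

// Constructed sample: a permalink with a tracking query string appended,
// as the reporter's theme does via append_query_string().
$permalink = 'https://www.example.org/groups/mygroup/?utm_source=feed&utm_medium=rss';

// 1. Unescaped: libxml stops at "&utm_medium" because it expects an entity
//    reference terminated by ";" (the error quoted in the ticket).
$broken = example_build_feed($permalink);
echo "Unescaped: " . (example_xml_error($broken) ?? 'valid') . "\n";

// 2. Escaped: "&" becomes "&amp;", the feed is well-formed.
$fixed = example_build_feed(example_escape_url_for_xml($permalink));
echo "Escaped:   " . (example_xml_error($fixed) ?? 'valid') . "\n";

// 3. A consumer reading the parsed feed gets the original URL back, so
//    escaping at output time loses nothing.
$doc = new DOMDocument();
$doc->loadXML($fixed);
echo "Link seen by reader: " . $doc->getElementsByTagName('link')->item(0)->textContent . "\n";
```

Run it with `php example.php`; the first line shows the libxml error, the second reports the escaped feed as valid, and the third prints the round-tripped URL. The point for the fix is that escaping belongs at the output boundary (the feed template), not in every theme filter that happens to touch the permalink.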
Change History (5)
#1 (10 years ago)
- Milestone changed from Awaiting Review to 2.6
- Priority changed from normal to high
#2 by DJPaul (10 years ago; follow-up: #5)
Team: should we be, as standard, filtering the likes of bp_get_activity_thread_permalink with a hooked escaping function?
#3 (10 years ago)
This ticket was mentioned in Slack in #buddypress by dcavins.
#4 (10 years ago)
- Owner set to djpaul
- Resolution set to fixed
- Status changed from new to closed
In 10824:
#5 (10 years ago; in reply to: #2)
Replying to DJPaul:
> Team: should we be, as standard, filtering the likes of bp_get_activity_thread_permalink with a hooked escaping function?
Yes. As a general rule, our _get_ functions are unescaped, but their equivalent echo functions should output properly sanitized and trustworthy values.
Good spot - yes, this is our mistake.