
Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#6990 closed defect (bug) (fixed)

Escape HTML in RSS Feeds

Reported by: danbrellis Owned by: djpaul
Milestone: 2.6 Priority: high
Severity: normal Version: 2.5.0
Component: Activity Keywords:
Cc:

Description

In my theme I have a filter that appends a query string (via append_query_string()) to an activity's primary_link that is stored in the database. As a result, when I visit www.example.org/groups/mygroup/feed, I get an error:

error on line X at column X: EntityRef: expecting ';'

After some digging, this is caused as a result of the query string in the <link> element that has unescaped ampersands. I've found that applying this to my functions.php file fixes the problem.

<?php
// Escape the activity thread permalink before it is output (for example in the feed's <link>).
add_filter('bp_get_activity_thread_permalink', 'my_theme_bp_get_activity_thread_permalink');
function my_theme_bp_get_activity_thread_permalink($link) {
    // esc_url() converts a bare '&' in the query string to '&amp;', which is valid in XML.
    return esc_url($link);
}

What I'm wondering is if esc_url() should be applied to bp_get_activity_thread_permalink() or where the <link> is output in the BP_Activity_Feed class or if it's just me.
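The failure described above, reproduced in an added example that is not part of the ticket or of BuddyPress: a bare `&` in a `<link>` element makes the feed malformed XML, and escaping the permalink before output fixes it. The RSS document, the URL and the `escape_url_for_xml()` stand-in for esc_url() are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a group permalink with a query string appended, as the reporter's theme does.
RAW_LINK = "https://www.example.org/groups/mygroup/?ref=feed&utm_source=rss"

# Entities that are already well-formed and must not be double-encoded.
_VALID_ENTITY = re.compile(r"&(?!(?:amp|lt|gt|quot|#[0-9]+|#x[0-9a-fA-F]+);)")


def build_feed_item(link):
    """Build a minimal RSS 2.0 document with the permalink placed in <link> verbatim,
    i.e. exactly what happens when the feed writes an unescaped URL."""
    return (
        '<?xml version="1.0"?>'
        '<rss version="2.0"><channel><title>Group activity</title>'
        f'<item><title>Activity update</title><link>{link}</link></item>'
        '</channel></rss>'
    )


def parse_feed_link(xml_text):
    """Return the <link> text, or None when the document is not well-formed XML.
    A bare '&' followed by 'utm_source=' is the unterminated entity reference behind
    the 'EntityRef: expecting ;' error in the ticket."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.findtext("./channel/item/link")


def escape_url_for_xml(url):
    """Simplified stand-in (not the real esc_url()) for the ampersand handling a URL needs
    before it goes into markup: turn every '&' that does not already start a valid entity
    into '&amp;'. Running it twice yields the same result, so it is safe to apply on output."""
    return _VALID_ENTITY.sub("&amp;", url)


def demo():
    """Return (link parsed from the unescaped feed, link parsed from the escaped feed)."""
    broken = parse_feed_link(build_feed_item(RAW_LINK))
    fixed = parse_feed_link(build_feed_item(escape_url_for_xml(RAW_LINK)))
    return broken, fixed


if __name__ == "__main__":
    print(demo())  # (None, 'https://www.example.org/groups/mygroup/?ref=feed&utm_source=rss')
```

The parser decodes `&amp;` back to `&`, so the escaped feed yields the original permalink while the unescaped one fails to parse at all.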

Change History (5)

#1 @DJPaul
2 years ago

  • Milestone changed from Awaiting Review to 2.6
  • Priority changed from normal to high

Good spot - yes, this is our mistake.

#2 follow-up: @DJPaul
2 years ago

Team: should we be, as standard, filtering the likes of bp_get_activity_thread_permalink with a hooked escaping function?

This ticket was mentioned in Slack in #buddypress by dcavins.

2 years ago

#4 @djpaul
2 years ago

  • Owner set to djpaul
  • Resolution set to fixed
  • Status changed from new to closed

In 10824:

Activity: escape activity thread and activity comment permalinks

Fixes #6990

#5 in reply to: ↑ 2 @johnjamesjacoby
2 years ago

Replying to DJPaul:

Team: should we be, as standard, filtering the likes of bp_get_activity_thread_permalink with a hooked escaping function?

Yes. As a general rule, our _get_ functions are unescaped, but their equivalent echo functions should output properly sanitized and trustworthy values.
