Skip to:
Content

BuddyPress.org

Opened 9 years ago

Closed 9 years ago

Last modified 6 years ago

#7074 closed defect (bug) (fixed)

Templates should utilize esc_attr when setting a link title attribute to bp_group_name

Reported by: garrett-eclipse's profile garrett-eclipse Owned by: boonebgorges's profile boonebgorges
Milestone: 2.6 Priority: normal
Severity: normal Version: 2.5.0
Component: Groups Keywords:
Cc:

Description

Hello,

I noticed in group-header.php and I'm sure it's in several other places, that the bp_group_name is being applied to the title attribute of a link without any handling, should employ esc_attr.

https://github.com/buddypress/BuddyPress/blob/master/src/bp-templates/bp-legacy/buddypress/groups/single/group-header.php#L61

<a href="<?php bp_group_permalink(); ?>" title="<?php bp_group_name(); ?>">

Should be pushed through esc_attr either in the template by using bp_get_group_name instead or by creating a new bp_group_name_attr function.

Thanks

Change History (5)

#1 @boonebgorges
9 years ago

  • Milestone changed from Awaiting Review to 2.6
  • Owner set to boonebgorges
  • Status changed from new to assigned

Thanks, @garrett-eclipse. If you spot other instances of this, please feel free to submit a ticket.

#2 @boonebgorges
9 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 10777:

Improve escaping in group-header.php template.

Props garrett-eclipse.
Fixes #7074.

#4 @boonebgorges
8 years ago

@espellcaste Can you please open a separate ticket with that info? I don't think there's time to address this for 2.6, and I don't want it to be lost.

#5 @espellcaste
8 years ago

@boonebgorges #7132 created and templates with the suggested changes added. I'm still to check and confirm if more templates needs escaping changes.

Note: See TracTickets for help on using tickets.