BuddyPress.org

Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#747 closed defect (bug) (fixed)

bp-activity-templatetags.php - preg_replace

Reported by: DJPaul
Owned by:
Milestone:
Priority: minor
Severity:
Version: 1.0
Component:
Keywords:
Cc: djpaul@…, apeatling

Description

The call to preg_replace on line 256 in bp-activity-templatetags.php is, I don't think, adequately escaped. Andy, when we were looking at some of the XSS-related things last night, I got these in my log -

[Fri May 15 22:16:35 2009] [error] [client 127.0.0.1] PHP Warning: preg_replace() [<a href='function.preg-replace'>function.preg-replace</a>]: Unknown modifier 'C' in /Users/Paul/Sites/example.com/wp-content/plugins/buddypress/bp-activity/bp-activity-templatetags.php on line 256, referer: http://example.com/groups

Also had some for "Unknown modifier '/'". I've got no idea what particular string was causing these specifically.
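The failure the warnings above describe, as an added illustration that is not BuddyPress code: the ticket does not quote line 256 itself, so the helper, its inputs and the replacement markup are hypothetical. It shows a pattern built by string-splicing beside the same pattern built with preg_quote().

```php
<?php
// Added illustration, not BuddyPress code: the ticket does not quote line 256,
// so this hypothetical helper reproduces the failure class in isolation.

// Unsafe: the caller-supplied $needle is spliced into the pattern verbatim.
// A "/" inside it ends the pattern early and whatever follows is parsed as
// PCRE modifiers, which is where "Unknown modifier 'C'" and "Unknown
// modifier '/'" come from. On such a failure preg_replace() emits a warning
// and returns NULL, so a template echoing the result outputs nothing.
function highlight_unsafe(string $haystack, string $needle): ?string
{
    return preg_replace('/' . $needle . '/', '<strong>$0</strong>', $haystack);
}

// Hardened: preg_quote() escapes regex metacharacters, and passing the
// delimiter as its second argument escapes "/" as well, so the needle is
// always matched as literal text and can never reach the modifier position.
function highlight_safe(string $haystack, string $needle): string
{
    $pattern = '/' . preg_quote($needle, '/') . '/';
    $result  = preg_replace($pattern, '<strong>$0</strong>', $haystack);
    if ($result === null) {
        // Defensive: surface the failure instead of returning an empty page.
        throw new RuntimeException('preg_replace failed, PCRE error ' . preg_last_error());
    }
    return $result;
}

// Constructed sample input: a URL, the kind of text an activity stream carries.
$text = 'Visit http://example.com/C for details';

// Pattern becomes "/example.com/C/": PCRE reads "C" as a modifier.
var_dump(highlight_unsafe($text, 'example.com/C'));

// Pattern becomes "/example.com//": PCRE reads "/" as a modifier.
var_dump(highlight_unsafe($text, 'example.com/'));

// Pattern becomes "/example\.com\/C/": the literal text is matched and wrapped.
var_dump(highlight_safe($text, 'example.com/C'));

// Metacharacters in the needle stay literal too: "." and "+" do not match "axb+c".
var_dump(highlight_safe('a.b+c and axb+c', 'a.b+c'));
```

Run it with `php` on the command line and the two unsafe calls reproduce the exact warning text from the ticket's log while the two safe calls return the wrapped string.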

Change History (4)

#1 @DJPaul
15 years ago

  • Cc djpaul@… added

#2 @apeatling
15 years ago

  • Cc apeatling added

Need to investigate this more, will do so for 1.0.2.

#3 @apeatling
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

I don't think this is an issue anymore, now that there is a proper kses filter with allowed tags. Please re-open if it is a problem still.

#4 @(none)
15 years ago

  • Milestone Activity Streams 1.1 deleted
