Skip to:
Content

BuddyPress.org

Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#751 closed defect (bug) (fixed)

unstripped slashes in activity links

Reported by: buzz_lightyear's profile buzz_lightyear Owned by: apeatling's profile apeatling
Milestone: Priority: blocker
Severity: Version:
Component: Keywords: activity streams, kses, has-patch
Cc: djpaul@…, buzz_lightyear@…

Description

Changeset 1484:
add_filter( 'bp_get_activity_content', 'wp_filter_kses' );

this line causes unstripped slashes in Activity stream URLs.

commenting it out, everything is back to normal.

Change History (13)

#1 @buzz_lightyear
15 years ago

Solution: Change order of filters so the "stripslashes_deep" is the last one.

<?php

/* Apply WordPress defined filters */
add_filter( 'bp_get_activity_content', 'wptexturize' );

add_filter( 'bp_get_activity_content', 'convert_smilies' );

add_filter( 'bp_get_activity_content', 'convert_chars' );

add_filter( 'bp_get_activity_content', 'wpautop' );

add_filter( 'bp_get_activity_content', 'make_clickable' );

add_filter( 'bp_get_activity_content', 'wp_filter_kses' );

add_filter( 'bp_get_activity_content', 'stripslashes_deep' );

?>

#2 @DJPaul
15 years ago

  • Cc djpaul@… added

1484 hardens against XSS attacks. Any fix needs to ensure that it doesn't reintroduce the security issue.

#3 follow-up: @DJPaul
15 years ago

  • Priority changed from major to blocker

#4 in reply to: ↑ 3 @buzz_lightyear
15 years ago

Replying to DJPaul:

+1 for that, however fix is very easy

#5 @DJPaul
15 years ago

How then? :)
I mean if I understand this, kses calls addslashes. Stripslashes_deep removes the slashes. So when the kses filter protects against some dodgy html/javascript, stripslashes just undoes that?

#6 @DJPaul
15 years ago

(that's referring to the suggested filter re-ordering)

#7 follow-up: @DJPaul
15 years ago

  • Keywords has-patch added

I've just tested your suggestion buzz_lightyear and it fixes this bug and it doesn't reenable the particular XSS attack vector that I found before! Wish I understood how w/r/t my previous concerns but i'm not complaining :)

#8 in reply to: ↑ 7 @buzz_lightyear
15 years ago

  • Cc buzz_lightyear@… added

Replying to DJPaul:

I've just tested your suggestion buzz_lightyear and it fixes this bug and it doesn't reenable the particular XSS attack vector that I found before! Wish I understood how w/r/t my previous concerns but i'm not complaining :)

Hi DJ,
so are you now confirming, that the fix is working also for you? :)

thanx ;)

#9 follow-up: @buzz_lightyear
15 years ago

hi,
this seems to be fixed in r1501 and it works for me now.
kses removed and filters were changed to:

<?php

/* Apply WordPress defined filters */
add_filter( 'bp_get_activity_content', 'wptexturize' );

add_filter( 'bp_get_activity_content', 'convert_smilies' );

add_filter( 'bp_get_activity_content', 'convert_chars' );

add_filter( 'bp_get_activity_content', 'wpautop' );

add_filter( 'bp_get_activity_content', 'stripslashes_deep' );

add_filter( 'bp_get_activity_content', 'make_clickable' );

?>

@DJPaul, can you please confirm and close as fixed?
I'd close it myself, but would like to see someone else confirming the fix too.

thanx

#10 in reply to: ↑ 9 @buzz_lightyear
15 years ago

Replying to buzz_lightyear:

it was actually fixed in http://trac.buddypress.org/changeset/1492

#11 @DJPaul
15 years ago

I'll test it by the weekend and post here (busy until then)

#12 @apeatling
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

This is fixed as of [1504], it was due to the ordering of filters.

#13 @(none)
15 years ago

  • Milestone Activity Streams 1.1 deleted

Milestone Activity Streams 1.1 deleted

Note: See TracTickets for help on using tickets.