#751 closed defect (bug) (fixed)
unstripped slashes in activity links
| Reported by: | buzz_lightyear | Owned by: | apeatling |
|---|---|---|---|
| Milestone: | | Priority: | blocker |
| Severity: | | Version: | |
| Component: | | Keywords: | activity streams, kses, has-patch |
| Cc: | djpaul@…, buzz_lightyear@… | | |
Description
Changeset 1484:
add_filter( 'bp_get_activity_content', 'wp_filter_kses' );
This line causes unstripped slashes in Activity stream URLs.
Commenting it out, everything is back to normal.
Change History (13)
#2 (16 years ago)
- Cc djpaul@… added
1484 hardens against XSS attacks. Any fix needs to ensure that it doesn't reintroduce the security issue.
#5 (16 years ago)
How then? :)
I mean if I understand this, kses calls addslashes. Stripslashes_deep removes the slashes. So when the kses filter protects against some dodgy html/javascript, stripslashes just undoes that?
#7 (follow-up: #8, 16 years ago)
- Keywords has-patch added
I've just tested your suggestion, buzz_lightyear, and it fixes this bug and it doesn't re-enable the particular XSS attack vector that I found before! Wish I understood how w/r/t my previous concerns, but I'm not complaining :)
#8 (in reply to: #7, 16 years ago)
- Cc buzz_lightyear@… added
Replying to DJPaul:
> I've just tested your suggestion, buzz_lightyear, and it fixes this bug and it doesn't re-enable the particular XSS attack vector that I found before! Wish I understood how w/r/t my previous concerns, but I'm not complaining :)

Hi DJ,
so are you now confirming that the fix is also working for you? :)
thanx ;)
#9 (follow-up: #10, 16 years ago)
hi,
this seems to be fixed in r1501 and it works for me now.
kses removed and filters were changed to:
```php
<?php
/* Apply WordPress defined filters */
add_filter( 'bp_get_activity_content', 'wptexturize' );
add_filter( 'bp_get_activity_content', 'convert_smilies' );
add_filter( 'bp_get_activity_content', 'convert_chars' );
add_filter( 'bp_get_activity_content', 'wpautop' );
add_filter( 'bp_get_activity_content', 'stripslashes_deep' );
add_filter( 'bp_get_activity_content', 'make_clickable' );
?>
```
@DJPaul, can you please confirm and close as fixed?
I'd close it myself, but would like to see someone else confirming the fix too.
thanx
#10 (in reply to: #9, 16 years ago)
Replying to buzz_lightyear:
It was actually fixed in http://trac.buddypress.org/changeset/1492
Solution: Change order of filters so the "stripslashes_deep" is the last one.
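
The ordering effect discussed in this ticket, as an added example that is not part of the ticket or of BuddyPress's code. `demo_filter_kses` is a hypothetical stand-in that assumes `wp_filter_kses` takes slashed input and returns slashed output, with PHP's `strip_tags()` substituting for the real `wp_kses()` sanitizer; the stored string is constructed.

```php
<?php
// Added illustration, not BuddyPress or WordPress code. All demo_* names are hypothetical.

// Stand-in for wp_filter_kses. Assumption: it expects slashed input and returns
// slashed output; strip_tags() substitutes for the real wp_kses() sanitizer.
function demo_filter_kses( $data ) {
    return addslashes( strip_tags( stripslashes( $data ), '<a><em><strong>' ) );
}

// Recursive unslash, the same idea as stripslashes_deep.
function demo_stripslashes_deep( $value ) {
    return is_array( $value )
        ? array_map( 'demo_stripslashes_deep', $value )
        : stripslashes( $value );
}

// Run callbacks in order, as a filter chain on one hook would.
function demo_apply( array $filters, $content ) {
    foreach ( $filters as $filter ) {
        $content = call_user_func( $filter, $content );
    }
    return $content;
}

// Constructed sample: slashed activity content with an allowed link and a script tag.
$stored = 'Posted <a href=\"http://example.org/\">a link</a><script>alert(1)</script>';

$orders = array(
    'sanitizer after unslash' => array( 'demo_stripslashes_deep', 'demo_filter_kses' ),
    'unslash last'            => array( 'demo_filter_kses', 'demo_stripslashes_deep' ),
);

foreach ( $orders as $label => $filters ) {
    $out = demo_apply( $filters, $stored );
    printf(
        "%s:\n  %s\n  backslashes left: %s, script tag left: %s\n",
        $label,
        $out,
        strpos( $out, '\\' ) !== false ? 'yes' : 'no',
        stripos( $out, '<script' ) !== false ? 'yes' : 'no'
    );
}
```

`strip_tags()` does not filter attributes, so it only stands in for the sanitizer's slash handling here. Unslashing after the sanitizer removes only the backslashes its final `addslashes()` step added, not the markup it stripped.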