Opened 18 months ago

Closed 18 months ago

Last modified 18 months ago

#8094 closed defect (bug) (wontfix)

The use of wp_filter_kses in getting BP xprofile textarea fields prevents an expanded html tag set

Reported by: rgilman
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.3.0
Component: Extended Profile
Keywords:
Cc: rgilman


I'm using BP 4.30 and WP 5.2.

To create the problem,
1) open an xprofile textarea field for editing
2) enter anything that includes the permitted tags for textareas from xprofile_filter_kses (line 124, bp-xprofile-filters.php) such as img, ul, ol, li, span or p.
3) save the edit.

On the save, those tags will be stripped out. For example, if you put in a bullet list, the bullets and indents will be removed after the save. Thus the purpose of xprofile_filter_kses for textareas is defeated.

To be a bit more precise based on my debugging, the tags actually are saved into the database but stripped out as the edit area is refilled with a "get". It is in the get process that wp_filter_kses overrides xprofile_filter_kses.

There is an easy "fix": Comment out line 19 in bp-xprofile-filters.php, thus not adding wp_filter_kses to bp_get_the_profile_field_edit_value() (line 593, bp-xprofile-template.php).

I say "fix" because I don't know the full security implications of removing this filter from this function. Nevertheless, removing that filter allows the additional html tags to be saved and retrieved as intended.

This issue appears to go back at least two years as illustrated in this support thread:

Change History (6)

#1 @rgilman
18 months ago

  • Cc rgilman added
  • Component changed from Core to Extended Profile

#2 @boonebgorges
18 months ago

In 12396:

Ensure that xprofile field value HTML whitelist is applied during profile edit.

See #8063, #8094.

#3 @boonebgorges
18 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Hi @rgilman - Thanks for the detailed report. This appears to be a duplicate of #8063, which is fixed against 5.0. Could you have a look there and see?

#4 @boonebgorges
18 months ago

(marked wontfix because the "duplicate" feature on Trac is currently broken)

#5 @rgilman
18 months ago

Hi @boonebgorges - Good to hear it's being worked on. I tested 5.0 for my specific issue and it does appear to fix it. That is, I can add bullet points in an xprofile textarea field and they display properly after saving. (5.0 makes a mess of my BP-Nouveau-based theme, but it's only alpha so not surprising.)

Let me know if there are other ways I can help.

Thanks for all you do for BuddyPress, Commons In A Box and beyond!

#6 @boonebgorges
18 months ago

Thank you so much for confirming the fix!
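The filter mismatch in the report, and a safer alternative to commenting out the `wp_filter_kses` line, as an added example that is not part of the ticket or of BuddyPress: a must-use plugin that keeps a kses pass on the edit-value path but applies the same expanded allowlist used on save, which is the direction changeset 12396 describes. It assumes WordPress and BuddyPress are loaded, that the `bp_get_the_profile_field_edit_value` hook shares the template tag's name and is registered at priority 1, and that `bp_include` fires after bp-xprofile-filters.php is included; the attribute lists and function names are this example's own.

```php
<?php
/**
 * Plugin Name: XProfile edit-value allowlist (added example, not BuddyPress code)
 * Drop into wp-content/mu-plugins/. Assumes WordPress + BuddyPress are loaded.
 */

// Rich-text tags a textarea field needs; the tag names mirror the ones the ticket
// lists (img, ul, ol, li, span, p). Attribute lists are this example's own.
function example_xprofile_richtext_tags() {
    global $allowedtags; // WordPress' default restrictive set (a, b, em, strong, ...).
    $rich = array(
        'img'  => array( 'src' => true, 'alt' => true, 'width' => true, 'height' => true, 'class' => true ),
        'ul'   => array( 'class' => true ),
        'ol'   => array( 'class' => true ),
        'li'   => array( 'class' => true ),
        'span' => array( 'style' => true ),
        'p'    => array( 'style' => true ),
    );
    return array_merge( $allowedtags, $rich );
}

// Reproduce the mismatch the report describes: the same value is sanitised with the
// expanded allowlist on save, but wp_filter_kses() on retrieval uses the hook name as
// the kses context, which falls back to the default $allowedtags and strips the list tags.
function example_show_kses_mismatch( $html ) {
    return array(
        'saved'     => wp_kses( $html, example_xprofile_richtext_tags() ),
        'retrieved' => wp_kses( $html, 'bp_get_the_profile_field_edit_value' ),
    );
}
// Constructed sample: example_show_kses_mismatch( '<p>Intro</p><ul><li>one</li><li>two</li></ul>' );
// 'saved' keeps the <p>/<ul>/<li> markup, 'retrieved' keeps only the text nodes.

// Remediation: filter the edit value with the expanded allowlist instead of removing
// filtering altogether. Dropping wp_filter_kses() with no replacement would echo any stored
// markup, script tags included, back into the edit form unsanitised.
function example_xprofile_edit_value_kses( $value ) {
    return wp_kses( $value, example_xprofile_richtext_tags() );
}

add_action( 'bp_include', function () {
    // remove_filter() only succeeds when the priority matches the original add_filter() call.
    remove_filter( 'bp_get_the_profile_field_edit_value', 'wp_filter_kses', 1 );
    add_filter( 'bp_get_the_profile_field_edit_value', 'example_xprofile_edit_value_kses', 1 );
} );
```

Run `example_show_kses_mismatch()` from WP-CLI's `wp eval` to confirm the stripping before enabling the replacement filter, and compare the result against the field's rendered (display-side) output to check both paths now agree.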
