
Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#8094 closed defect (bug) (wontfix)

The use of wp_filter_kses in getting BP xprofile textarea fields prevents an expanded html tag set

Reported by: rgilman
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.3.0
Component: Extended Profile
Keywords:
Cc: rgilman


I'm using BP 4.3.0 and WP 5.2.

To create the problem,
1) open an xprofile textarea field for editing
2) enter anything that includes the permitted tags for textareas from xprofile_filter_kses (line 124, bp-xprofile-filters.php) such as img, ul, ol, li, span or p.
3) save the edit.

On the save, those tags will be stripped out. For example, if you put in a bullet list, the bullets and indents will be removed after the save. Thus the purpose of xprofile_filter_kses for textareas is defeated.

To be a bit more precise based on my debugging, the tags actually are saved into the database but stripped out as the edit area is refilled with a "get". It is in the get process that wp_filter_kses overrides xprofile_filter_kses.

There is an easy "fix": Comment out line 19 in bp-xprofile-filters.php, thus not adding wp_filter_kses to bp_get_the_profile_field_edit_value() (line 593, bp-xprofile-template.php).

I say "fix" because I don't know the full security implications of removing this filter from this function. Nevertheless, removing that filter allows the additional html tags to be saved and retrieved as intended.

This issue appears to go back at least two years as illustrated in this support thread:
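
The following is an added illustration of the filter stacking the ticket describes; it is not BuddyPress or WordPress code. A field-type-aware allow-list filter (standing in for xprofile_filter_kses) runs on save, and a generic one (standing in for wp_filter_kses) is hooked on the edit-value getter. Chained allow-list filters behave like the intersection of their lists, so the narrower list wins and the textarea tags disappear on the get path. The two tag lists are assumed stand-ins (the ticket only names img, ul, ol, li, span and p as the expanded tags), the sample values are constructed, and strip_to_allowlist() is a deliberately tiny model that ignores attributes and must not be used as a sanitizer.

```php
<?php
// Added illustration, not BuddyPress or WordPress code. Models the filter
// stacking from ticket #8094: a field-type-aware allow-list on save
// (xprofile_filter_kses) and a generic allow-list hooked on the edit-value
// getter (wp_filter_kses). strip_to_allowlist() is a toy stand-in for kses:
// it never inspects attributes, so it is NOT a sanitizer.

// Assumed stand-in for the generic set wp_filter_kses applies (inline
// formatting only; the real WordPress default list is larger).
const DEFAULT_ALLOWED = ['a', 'b', 'em', 'i', 'strong', 'code', 'blockquote'];

// Assumed stand-in for the expanded textarea set. The ticket names img, ul,
// ol, li, span and p as permitted by xprofile_filter_kses; the rest is assumed.
const TEXTAREA_ALLOWED = ['a', 'b', 'em', 'i', 'strong', 'code', 'blockquote',
                          'img', 'ul', 'ol', 'li', 'span', 'p'];

/** Drop every tag whose name is not in $allowed, keeping its inner text. */
function strip_to_allowlist(string $html, array $allowed): string {
    return preg_replace_callback(
        '#</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>#',
        function (array $m) use ($allowed): string {
            return in_array(strtolower($m[1]), $allowed, true) ? $m[0] : '';
        },
        $html
    );
}

/** Minimal stand-in for apply_filters(): run the callbacks in hook order. */
function run_filters(string $value, array $filters): string {
    foreach ($filters as $filter) {
        $value = $filter($value);
    }
    return $value;
}

$xprofile_filter_kses = fn(string $v): string => strip_to_allowlist($v, TEXTAREA_ALLOWED);
$wp_filter_kses       = fn(string $v): string => strip_to_allowlist($v, DEFAULT_ALLOWED);

// Constructed input: a bullet list typed into a textarea field, plus a script
// tag that no allow-list should let through.
$typed = '<p>Bio</p><ul><li><strong>Rust</strong></li></ul><script>alert(1)</script>';

// Save path: the field-type filter runs, so the list markup reaches the
// database while the script tag is dropped (the reporter saw the tags stored).
$stored = run_filters($typed, [$xprofile_filter_kses]);

// Get path as reported: wp_filter_kses is hooked on the edit value, its
// narrower list wins, and the bullets vanish when the form is refilled.
$refilled_broken = run_filters($stored, [$wp_filter_kses]);

// The reporter's "easy fix" (unhook wp_filter_kses) restores the tags, but the
// getter then trusts whatever is in the database. A row written by another
// code path, an import or a tampered record is echoed into the edit form as-is.
$tampered = '<ul><li>ok</li></ul><script>alert(document.cookie)</script>';
$refilled_unhooked = run_filters($tampered, []);

// Shape of the committed fix as its log line describes it: apply the field's
// own allow-list on the get path instead of the generic one.
$refilled_fixed = run_filters($tampered, [$xprofile_filter_kses]);

foreach (['stored' => $stored, 'broken' => $refilled_broken,
          'unhooked' => $refilled_unhooked, 'fixed' => $refilled_fixed] as $label => $value) {
    printf("%-9s %s\n", $label . ':', $value);
}
```

Run it with `php example.php` (PHP 7.4 or later for the arrow functions). The point for a reviewer is the last two cases: removing the getter's filter and applying the correct allow-list on the getter are not equivalent, because only the latter keeps sanitizing values that did not pass through the save path. Real kses also validates attributes (an `<img onerror=...>` would survive the toy above), which is another reason to fix the hook rather than to model a sanitizer with a regex.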

Change History (6)

#1 @rgilman
5 years ago

  • Cc rgilman added
  • Component changed from Core to Extended Profile

#2 @boonebgorges
5 years ago

In 12396:

Ensure that xprofile field value HTML whitelist is applied during profile edit.

See #8063, #8094.

#3 @boonebgorges
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Hi @rgilman - Thanks for the detailed report. This appears to be a duplicate of #8063, which is fixed against 5.0. Could you have a look there and see?

#4 @boonebgorges
5 years ago

(marked wontfix because the "duplicate" feature on Trac is currently broken)

#5 @rgilman
5 years ago

Hi @boonebgorges - Good to hear it's being worked on. I tested 5.0 for my specific issue and it does appear to fix it. That is, I can add bullet points in an xprofile textarea field and they display properly after saving. (5.0 makes a mess of my BP-Nouveau-based theme, but it's only alpha so not surprising.)

Let me know if there are other ways I can help.

Thanks for all you do for buddypress, commons in a box and beyond!

#6 @boonebgorges
5 years ago

Thank you so much for confirming the fix!
