#8094 closed defect (bug) (wontfix)
The use of wp_filter_kses in getting BP xprofile textarea fields prevents an expanded html tag set
Reported by: | rgilman | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 4.3.0 |
Component: | Extended Profile | Keywords: | |
Cc: | rgilman | | |
Description
I'm using BP 4.30 and WP 5.2.
To create the problem,
1) open an xprofile textarea field for editing
2) enter anything that includes the permitted tags for textareas from xprofile_filter_kses (line 124, bp-xprofile-filters.php) such as img, ul, ol, li, span or p.
3) save the edit.
On the save, those tags will be stripped out. For example, if you put in a bullet list, the bullets and indents will be removed after the save. Thus the purpose of xprofile_filter_kses for textareas is defeated.
To be a bit more precise based on my debugging, the tags actually are saved into the database but stripped out as the edit area is refilled with a "get". It is in the get process that wp_filter_kses overrides xprofile_filter_kses.
There is an easy "fix": Comment out line 19 in bp-xprofile-filters.php, thus not adding wp_filter_kses to bp_get_the_profile_field_edit_value() (line 593, bp-xprofile-template.php).
I say "fix" because I don't know the full security implications of removing this filter from this function. Nevertheless, removing that filter allows the additional html tags to be saved and retrieved as intended.
This issue appears to go back at least two years as illustrated in this support thread: https://buddypress.org/support/topic/image-not-saving-in-xprofile-textarea-field/
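An alternative to commenting out line 19, added here as an example (it is not BuddyPress code and not the change made for any ticket): keep a kses filter on the edit value, but use the same allow-list that is applied on save. It assumes the snippet is loaded from a site plugin or bp-custom.php and that xprofile_filter_kses takes the value as its first argument; the callback name is hypothetical.

```php
<?php
// Added example: not BuddyPress core code. The callback name
// myprefix_xprofile_edit_value_kses is hypothetical.

/**
 * Swap the sanitizer on the edit-value filter instead of removing it, so the
 * value shown in the edit form gets the same allow-list that was applied on save.
 */
function myprefix_xprofile_edit_value_kses() {
	$hook = 'bp_get_the_profile_field_edit_value';

	// Without the xprofile allow-list available, leave the stricter filter in place.
	if ( ! function_exists( 'xprofile_filter_kses' ) ) {
		return;
	}

	// has_filter() returns the registered priority, or false if not attached.
	// Compare strictly: a priority of 0 is a valid, falsy return value.
	$priority = has_filter( $hook, 'wp_filter_kses' );
	if ( false === $priority ) {
		return;
	}

	// Replace at the same priority so the order of the other callbacks is unchanged.
	remove_filter( $hook, 'wp_filter_kses', $priority );
	add_filter( $hook, 'xprofile_filter_kses', $priority );
}

// bp_init fires after BuddyPress has loaded its components and registered their filters.
add_action( 'bp_init', 'myprefix_xprofile_edit_value_kses' );
```

This leaves core files unmodified, and the value read back from the database is still passed through an allow-list before it reaches the edit form.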
Change History (6)
#3
6 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
Hi @rgilman - Thanks for the detailed report. This appears to be a duplicate of #8063, which is fixed against 5.0. Could you have a look there and see?
#5
6 years ago
Hi @boonebgorges - Good to hear it's being worked on. I tested 5.0 for my specific issue and it does appear to fix it. That is, I can add bullet points in an xprofile textarea field and they display properly after saving. (5.0 makes a mess of my BP-Nouveau-based theme, but it's only alpha so not surprising.)
Let me know if there are other ways I can help.
Thanks for all you do for buddypress, commons in a box and beyond!
In 12396: