BuddyPress.org

Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#838 closed defect (bug) (fixed)

HTML in Profile Name Field

Reported by: Magganpice
Owned by: johnjamesjacoby
Milestone: 1.1
Priority: critical
Severity:
Version:
Component:
Keywords: has-patch, security, html
Cc:

Description

A user can enter an HTML string like:

<b /><a href="http://whateverwhatever.com/?q=Ano+Nymous+0">Ano Nymous 0</a>

into the name field in his profile. This leads to broken menu items and can lead to users being misled to phishing websites. For instance, when that user then sends friend requests to other people and they click on the "Ano Nymous sent you a friend request" item in their menu, they are sent to the external site...

Attachments (2)

Picture 10.png (117.7 KB) - added by Magganpice 13 years ago.
Strike through screenshot
838-jjj.patch (459 bytes) - added by johnjamesjacoby 13 years ago.
Sanitize bp_core_get_user_displayname


Change History (12)

#1 @Magganpice
13 years ago

  • Milestone changed from 1.0.2 to 1.1

A part of this is fixed in testbp.org, but with HTML in my profile "name" field I still get display errors when commenting in blogs. So the best solution would be to strip out HTML directly after the user edits his profile (and not in each display function).

#2 @apeatling
13 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [1605]) Adding the force_balance_tags() filter so that HTML nested invalidly will not break the layout. Fixes #838

#3 @Magganpice
13 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

I will have to reopen this (sorry). Since the HTML is still saved in the profile field, this does not only affect the activity streams. It also appears in blogs (I will try to upload a screenshot here).

Best would be to strip the HTML out of those fields when saving (or encode it); that would eliminate the problem in all the places it still appears.

You can try this by entering "<strike>Peter Miller" into your "name" field in your profile. Then head into a blog post and you see half the page has a strike through.

@Magganpice
13 years ago

Strike through screenshot

#4 @apeatling
13 years ago

  • Milestone changed from 1.1 to 1.0.4

@johnjamesjacoby
13 years ago

Sanitize bp_core_get_user_displayname

#5 @johnjamesjacoby
13 years ago

  • Keywords has-patch added

Added potential patch option.

Does a quick sanitize of the bp_core_get_user_displayname function to strip out PHP and HTML on display.

#6 @DJPaul
13 years ago

  • Owner set to johnjamesjacoby
  • Status changed from reopened to assigned

#7 @apeatling
13 years ago

  • Milestone changed from 1.0.4 to 1.1

Milestone 1.0.4 deleted

#8 @apeatling
13 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [1701]) Fixes #838 props jjj, Magganpice.

#9 @apeatling
13 years ago

I used kses instead as sanitize_title() will filter spaces etc.
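The thread discusses two mitigations for the injected profile name from the report: stripping markup when the profile is saved (comment #3) and sanitizing the display name on output (the #5 patch, and the kses-based fix in #9, where sanitize_title() was rejected because it rewrites spaces). The following is an added example, not BuddyPress code or the committed fix; it uses only PHP's standard library (strip_tags() and htmlspecialchars()) in place of the WordPress wp_kses()/esc_html() helpers so it runs outside WordPress. The function names, the notice URL and the sample names are constructed for illustration; the two malicious names are the strings quoted in the ticket.

```php
<?php
// Added example (not BuddyPress code): compares strip-on-save with escape-on-output
// for profile display names containing HTML, using the strings quoted in the ticket.

// Sample display names, constructed from the ticket: one clean, two with markup.
$samples = [
    'Peter Miller',
    '<strike>Peter Miller',
    '<b /><a href="http://whateverwhatever.com/?q=Ano+Nymous+0">Ano Nymous 0</a>',
];

// Option 1 (comment #3): remove markup when the profile is saved, so nothing
// HTML-like is ever stored and no per-display-function fix is needed.
function sanitize_display_name_on_save(string $name): string {
    // strip_tags() removes HTML and PHP tags, including an unclosed <strike>.
    $clean = strip_tags($name);
    // Collapse runs of whitespace but keep single spaces. This is the property
    // sanitize_title() lacks: it slugifies, turning "Peter Miller" into "peter-miller".
    return trim(preg_replace('/\s+/u', ' ', $clean));
}

// Option 2 (comment #3's "encoding it"): keep the stored value as-is and escape
// at render time, so the browser shows "<strike>" as text instead of a tag.
function escape_display_name_for_html(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render a menu item like the "sent you a friend request" link from the report.
// Because the name is escaped, a stored <a href="..."> cannot replace the link target.
function render_friend_request_notice(string $raw_name, string $notice_url): string {
    $safe_name = escape_display_name_for_html($raw_name);
    $safe_url  = htmlspecialchars($notice_url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<a href="%s">%s sent you a friend request</a>', $safe_url, $safe_name);
}

// Hypothetical notice URL, constructed for the example.
$notice_url = '/members/me/friends/requests/';

foreach ($samples as $name) {
    echo "raw:      $name\n";
    echo "stripped: " . sanitize_display_name_on_save($name) . "\n";
    echo "escaped:  " . escape_display_name_for_html($name) . "\n";
    echo "menu:     " . render_friend_request_notice($name, $notice_url) . "\n\n";
}
```

Stripping on save addresses the layout breakage the reporter saw in blogs and activity streams, because the unclosed `<strike>` never reaches any template. Escaping on output is the layer that actually prevents the phishing link from hijacking the menu item, and it keeps working in every display path regardless of what an older record still holds; doing both covers data saved before the fix as well as data saved after it.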

#10 @Magganpice
13 years ago

Broken again (but I opened a new ticket).
