
BuddyPress.org

Opened 2 months ago

Closed 2 months ago

#9151 closed defect (bug) (fixed)

HTML tags are shown instead of being rendered within dismissible messages - Edit Group (bp-groups) screen/page.

Reported by: emaralive
Owned by: imath
Milestone: 12.5.0
Priority: normal
Severity: normal
Version: 12.4.1
Component: Administration
Keywords: has-screenshots has-patch commit
Cc:

Description

WordPress

version: 6.6-alpha-58113

Parent Theme

name: Twenty Eleven (twentyeleven)
version: 4.6

BuddyPress

version: 12.4.1
active_components: Community Members, Extended Profiles, Account Settings, Friend Connections, Private Messaging, Activity Streams, Notifications, User Groups, Site Tracking
template_packs: BuddyPress Nouveau & BuddyPress Legacy
url_parser: BP Rewrites API

PHP

version: 7.4.33


When on site.url/wp-admin/admin.php?page=bp-groups&gid=<id>&action=edit, enter either a valid or a non-existent user into the Add New Member textbox and submit the entry. The 1st screenshot represents the case of a non-existent user. The issue is that the <em> tag pair is showing instead of being rendered (see screenshot screenshot-win10-me-2024.05.07-15_13_34.png). The <em> tag is used by 4 different status messages found in the file bp-groups-admin.php:

Note
Master branch is used to represent which lines use the <em> tags and the line with the issue.

The issue arises because the messages are further escaped using the esc_html() function, which, for academic purposes, converts the "less than" (<) symbol into the &lt; HTML entity and the "greater than" (>) symbol into the &gt; HTML entity, i.e., &lt;em&gt;<user>&lt;/em&gt;, which can be found on Line 668. For instance, an example of the code fragment from Line 668:

implode( "</p><p>", array_map( 'esc_html', $messages ) )
=> string(79) "The following users could not be added to the group: &lt;em&gt;apple&lt;/em&gt;"

Changing the esc_html to wp_kses_post will correct the issue and allow the HTML to be rendered, for example (also, see screenshot screenshot-win10-me-2024.05.07-15_24_57.png):

implode( "</p><p>", array_map( 'wp_kses_post', $messages ) )
=> string(67) "The following users could not be added to the group: <em>apple</em>"

However, since there are a number of ways to patch this issue, I will leave it to the discretion of whomever is assigned.
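
The difference between the two callbacks discussed above, as an added example that is not part of the ticket or of BuddyPress: esc_html() encodes every tag, while wp_kses_post() keeps any tag allowed in post content, so a dynamic value such as a user name should be escaped before it is wrapped in <em>. The demo_* function names, the sample names and the file name are constructed for illustration, and the script assumes it runs inside a loaded WordPress (for example with WP-CLI's wp eval-file).

```php
<?php
// Added example, not BuddyPress code. Assumes WordPress is loaded, e.g.:
//   wp eval-file notice-escaping.php   (file name is hypothetical)

/**
 * Build a notice shaped like the one in the ticket. Each user name is
 * escaped *before* it is wrapped, so the only markup in the result is
 * the <em> pair added here.
 */
function demo_build_notice( array $usernames ) {
	$escaped = array_map( 'esc_html', $usernames );

	return sprintf(
		'The following users could not be added to the group: %s',
		'<em>' . implode( ', ', $escaped ) . '</em>'
	);
}

/** Same sentence, but the names are interpolated raw (the pattern to avoid). */
function demo_build_notice_raw( array $usernames ) {
	return 'The following users could not be added to the group: <em>'
		. implode( ', ', $usernames ) . '</em>';
}

/** Join notices the way the ticket's fragment does, with a chosen callback. */
function demo_render( array $messages, $callback ) {
	return '<p>' . implode( '</p><p>', array_map( $callback, $messages ) ) . '</p>';
}

// Constructed input: one plain name and one name that contains markup.
$names = array( 'apple', '<a href="https://example.test/">pear</a>' );

$cases = array(
	'esc_html, names pre-escaped (tags shown as text)' =>
		demo_render( array( demo_build_notice( $names ) ), 'esc_html' ),
	'wp_kses_post, names pre-escaped (only <em> is markup)' =>
		demo_render( array( demo_build_notice( $names ) ), 'wp_kses_post' ),
	'wp_kses_post, names raw (allowed tags in the name survive)' =>
		demo_render( array( demo_build_notice_raw( $names ) ), 'wp_kses_post' ),
);

foreach ( $cases as $label => $html ) {
	echo $label, ":\n", $html, "\n\n";
}
```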

Attachments (3)

screenshot-win10-me-2024.05.07-15_13_34.png (157.0 KB) - added by emaralive 2 months ago.
screenshot-win10-me-2024.05.07-15_24_57.png (158.8 KB) - added by emaralive 2 months ago.
9151.patch (840 bytes) - added by imath 2 months ago.


Change History (7)

@emaralive
2 months ago

screenshot-win10-me-2024.05.07-15_13_34.png

@emaralive
2 months ago

screenshot-win10-me-2024.05.07-15_24_57.png

#1 @imath
2 months ago

Hi @emaralive

Great catch & awesome work on this ticket 💪. I agree using wp_kses_post is the right call. I'll commit the fix asap.

@imath
2 months ago

#2 @imath
2 months ago

  • Keywords has-patch commit added; needs-patch dev-feedback removed

#3 @imath
2 months ago

In 13857:

Groups: use the right escaping callback when displaying admin notices

Props emaralive

See #9151 (trunk)

#4 @imath
2 months ago

  • Owner set to imath
  • Resolution set to fixed
  • Status changed from new to closed

In 13858:

Groups: use the right escaping callback when displaying admin notices

Props emaralive

Fixes #9151 (branch 12.0)
