BuddyPress.org

Opened 11 years ago

Closed 11 years ago

#925 closed defect (bug) (worksforme)

Fix for double-escaped data in wp_bp_xprofile_fields

Reported by: swinton
Owned by:
Milestone: 1.1
Priority: major
Severity:
Version:
Component:
Keywords:
Cc:

Description

There is an issue where double-escaped data is being inserted into the wp_bp_xprofile_fields table.

To reproduce, create a new profile field whose title or description contains quotation marks.

Currently this issue is worked around by passing the values through stripslashes() before the values are rendered (in the populate() method of BP_XProfile_Field).

However, slashes are only stripped from the name and description attributes. It's possible that other attributes will have additional slashes in the database, e.g. the label for a checkbox option.

The additional slashes are being added by $wpdb->prepare (in the save() method of BP_XProfile_Field). I believe the call to $wpdb->prepare can be safely replaced with a call to sprintf, since the data is already escaped by add_magic_quotes in wp-settings.php, lines 699-722.

The attached patch replaces calls to $wpdb->prepare in the save() method of BP_XProfile_Field with equivalent sprintf calls, and with quoted %s tokens.

The same has been done for the BP_XProfile_ProfileData class.

Calls to stripslashes have been removed from the populate() methods of both classes.
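The following is an added example and is not part of the ticket, the attached patch, or BuddyPress/WordPress code. It reproduces the double escaping the report describes, shows the fix that keeps $wpdb->prepare() (strip the magic-quotes layer before preparing, rather than dropping prepare()), and shows why the stripslashes() workaround in populate() and the sprintf() replacement are both risky. Every helper is a stand-in written for this example: magic_quotes() imitates add_magic_quotes() from wp-settings.php, prepare_escape() imitates the per-%s escaping of $wpdb->prepare(), mysql_unescape() imitates what MySQL persists after parsing an escaped literal, and unslash() imitates stripslashes_deep()/wp_unslash(). The request data is constructed.

```php
<?php
// Added example, not BuddyPress or WordPress code. All functions below are
// stand-ins (assumptions), not the real WordPress API:
//   magic_quotes()    imitates add_magic_quotes() in wp-settings.php
//   prepare_escape()  imitates the per-%s escaping applied by $wpdb->prepare()
//   mysql_unescape()  imitates what MySQL stores after parsing an escaped literal
//   unslash()         imitates stripslashes_deep() / wp_unslash()

function magic_quotes(array $request): array {
    return array_map('addslashes', $request);
}

function prepare_escape(string $arg): string {
    return addslashes($arg);
}

function mysql_unescape(string $literal): string {
    return stripslashes($literal);
}

function unslash(string $value): string {
    return stripslashes($value);
}

// The path the ticket describes: request data that magic quotes already
// slashed goes straight into prepare(), so it is escaped twice and MySQL
// persists one of the two backslash layers.
function stored_double_escaped(string $slashed_value): string {
    return mysql_unescape(prepare_escape($slashed_value));
}

// The fix that keeps prepare(): undo the magic-quotes layer first, so
// prepare() is the only escaping step and the row holds the text as typed.
function stored_fixed(string $slashed_value): string {
    return mysql_unescape(prepare_escape(unslash($slashed_value)));
}

// The workaround in populate(): stripslashes() on read. It repairs rows
// written by the double-escaping path, but it also strips backslashes that
// were legitimately part of a correctly stored value.
function populate_workaround(string $stored): string {
    return stripslashes($stored);
}

// Why comment #2 rejects plain sprintf(): it is only as safe as the
// assumption that every caller already slashed the data. A value that reaches
// it unslashed (here, simply not run through magic_quotes()) terminates the
// SQL string literal early.
function sprintf_only_literal(string $value): string {
    return sprintf("'%s'", $value);
}

// Constructed request, as a browser would submit it.
$post = magic_quotes(['title' => 'Say "hi"', 'path' => 'C:\temp']);

printf("%-26s %s\n", 'double-escaped in DB:',  stored_double_escaped($post['title']));
printf("%-26s %s\n", 'fixed, stored as typed:', stored_fixed($post['title']));
printf("%-26s %s\n", 'workaround on bad row:',  populate_workaround(stored_double_escaped($post['title'])));
printf("%-26s %s\n", 'workaround on good row:', populate_workaround(stored_fixed($post['path'])));
printf("%-26s %s\n", 'sprintf, unslashed input:', sprintf_only_literal("O'Brien"));
```

Run with `php example.php`. The first line keeps a backslash before each quotation mark (the symptom in the report), the second stores the title exactly as entered, the third shows the populate() workaround repairing a double-escaped row, and the fourth shows the same workaround turning a correctly stored `C:\temp` into `C:temp`. The last line shows a single-quoted literal broken by an apostrophe once the sprintf() path receives data that nothing escaped, which is the risk comment #2 refers to: the safe change is to unslash the input and keep $wpdb->prepare(), not to remove it.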

Attachments (1)

bp-xprofile-classes.php.patch (4.0 KB) - added by swinton 11 years ago.


Change History (4)

#1 @DJPaul
11 years ago

  • Milestone set to 1.1

#2 @apeatling
11 years ago

Removing $wpdb->prepare() is not an option as this poses a security risk.

#3 @apeatling
11 years ago

  • Resolution set to worksforme
  • Status changed from new to closed

I've just tested this and do not see a double escape in the database. Seems to be working fine, please test and confirm otherwise.
