
BuddyPress.org

Opened 15 years ago

Closed 15 years ago

#925 closed defect (bug) (worksforme)

Fix for double-escaped data in wp_bp_xprofile_fields

Reported by: swinton
Owned by:
Milestone: 1.1
Priority: major
Severity:
Version:
Component:
Keywords:
Cc:

Description

There is an issue where double-escaped data is being inserted into the wp_bp_xprofile_fields table.

To reproduce, create a new profile field whose title or description contains quotation marks.

Currently this issue is worked around by passing the values through stripslashes() before the values are rendered (in the populate() method of BP_XProfile_Field).

However, slashes are only stripped from the name and description attributes. It's possible that other attributes will have additional slashes in the database, e.g. the label for a checkbox option.

The additional slashes are being added by $wpdb->prepare (in the save() method of BP_XProfile_Field). I believe the call to $wpdb->prepare can be safely replaced with a call to sprintf, since the data is already escaped by add_magic_quotes in wp-settings.php, lines 699-722.

The attached patch replaces calls to $wpdb->prepare in the save() method of BP_XProfile_Field with equivalent sprintf calls, and with quoted %s tokens.

The same has been done for the BP_XProfile_ProfileData class.

Calls to stripslashes have been removed from both the populate() methods of this class.
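As an added illustration (not code from the ticket or from BuddyPress), the following PHP models the escaping pipeline the description refers to, with add_magic_quotes() and $wpdb->prepare() replaced by stand-ins built on addslashes(), to show where the second layer of slashes comes from and how stripping the request-level slashes before prepare() keeps a single escaping step. The function names and the table column are assumptions for the demo.

```php
<?php
// Added example, not from the ticket or BuddyPress: models the escaping
// pipeline to show why a value is stored with extra slashes. The real
// WordPress functions are replaced by minimal stand-ins so this runs alone.

// Stand-in for add_magic_quotes(): WordPress applies addslashes() to
// request data on every request, so $_POST values arrive already slashed.
function magic_quotes(string $value): string {
    return addslashes($value);
}

// Stand-in for $wpdb->prepare() with one quoted %s token: the real method
// escapes each argument before substituting it, which is the step that
// adds a second layer of slashes when the input is already slashed.
function fake_prepare(string $query, string $arg): string {
    return sprintf($query, addslashes($arg));
}

// Simulates what MySQL stores from the quoted literal: the server decodes
// one layer of backslash escapes, which stripslashes() mirrors here.
function stored_value(string $query): string {
    preg_match('~VALUES \(\'(.*)\'\)$~', $query, $m);
    return stripslashes($m[1]);
}

// The ticket's save() path: slashed request data goes straight into
// prepare(), so the row ends up holding the request-level slashes.
function buggy_save(string $raw_name): string {
    $posted = magic_quotes($raw_name);
    return fake_prepare("INSERT INTO wp_bp_xprofile_fields (name) VALUES ('%s')", $posted);
}

// Fix that keeps prepare(): remove the request-level slashes first, then
// let prepare() escape exactly once. Unlike the sprintf replacement, the
// query is still escaped inside save() regardless of what happened to the
// request data earlier.
function fixed_save(string $raw_name): string {
    $posted = magic_quotes($raw_name);
    return fake_prepare("INSERT INTO wp_bp_xprofile_fields (name) VALUES ('%s')", stripslashes($posted));
}

$name = 'Favourite "quote"';           // constructed sample field name
$buggy = buggy_save($name);
$fixed = fixed_save($name);
echo "buggy query : $buggy\n";          // ... VALUES ('Favourite \\\"quote\\\"')
echo "buggy stored: ", stored_value($buggy), "\n"; // Favourite \"quote\"
echo "fixed query : $fixed\n";          // ... VALUES ('Favourite \"quote\"')
echo "fixed stored: ", stored_value($fixed), "\n"; // Favourite "quote"
```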

Attachments (1)

bp-xprofile-classes.php.patch (4.0 KB) - added by swinton 15 years ago.


Change History (4)

#1 @DJPaul
15 years ago

  • Milestone set to 1.1

#2 @apeatling
15 years ago

Removing $wpdb->prepare() is not an option as this poses a security risk.

#3 @apeatling
15 years ago

  • Resolution set to worksforme
  • Status changed from new to closed

I've just tested this and do not see a double escape in the database. Seems to be working fine, please test and confirm otherwise.
