Opened 15 years ago
Closed 15 years ago
#925 closed defect (bug) (worksforme)
Fix for double-escaped data in wp_bp_xprofile_fields
| Reported by: | swinton | Owned by: | |
|---|---|---|---|
| Milestone: | 1.1 | Priority: | major |
| Severity: | | Version: | |
| Component: | | Keywords: | |
| Cc: | | | |
Description
There is an issue where double-escaped data is being inserted into the wp_bp_xprofile_fields table.
To reproduce, create a new profile field whose title or description contains quotation marks.
Currently this issue is worked around by passing the values through stripslashes() before the values are rendered (in the populate() method of BP_XProfile_Field).
However, slashes are only stripped from the name and description attributes. It's possible that other attributes will have additional slashes in the database, e.g. the label for a checkbox option.
The additional slashes are being added by $wpdb->prepare (in the save() method of BP_XProfile_Field). I believe the call to $wpdb->prepare can be safely replaced with a call to sprintf, since the data is already escaped by add_magic_quotes in wp-settings.php, lines 699-722.
The attached patch replaces calls to $wpdb->prepare in the save() method of BP_XProfile_Field with equivalent sprintf calls, and with quoted %s tokens.
The same has been done for the BP_XProfile_ProfileData class.
Calls to stripslashes have been removed from the populate() methods of both classes.
Removing $wpdb->prepare() is not an option as this poses a security risk.
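The double escaping the ticket describes, and the fix that keeps $wpdb->prepare() in place, as an added PHP example that is not part of the ticket, its patch, or BuddyPress/WordPress code. The functions magic_quotes(), prepare_stub() and mysql_stores() are assumed stand-ins for add_magic_quotes(), $wpdb->prepare() and the database server so the script runs offline; they are not WordPress functions. The input value is constructed.

```php
<?php
// Added example (not code from the ticket or from BuddyPress/WordPress).
// It reproduces the double escaping the ticket describes and shows the fix
// that keeps $wpdb->prepare(): unslash the magic-quoted input before
// preparing, rather than replacing prepare() with sprintf().
//
// Assumed stand-ins so the script runs offline without WordPress or MySQL:
//  - magic_quotes()  plays add_magic_quotes() from wp-settings.php.
//  - prepare_stub()  plays $wpdb->prepare(): escapes and quotes each %s.
//    Real prepare() escapes through the database driver; addslashes() is
//    used here because its treatment of ' " and \ is the same.
//  - mysql_stores()  plays the server: decodes a quoted literal back into
//    the bytes that would land in wp_bp_xprofile_fields.

function magic_quotes(array $request): array {
    // PHP magic quotes / add_magic_quotes(): every request value gets slashes.
    return array_map('addslashes', $request);
}

function prepare_stub(string $query, string ...$args): string {
    // Escape each argument and wrap it in single quotes, like $wpdb->prepare().
    $quoted = array_map(fn(string $a): string => "'" . addslashes($a) . "'", $args);
    return vsprintf($query, $quoted);
}

function mysql_stores(string $sql): string {
    // Pull the single-quoted literal out of "... SET name = '...'" and undo the
    // SQL escaping (\' -> ', \\ -> \), which is what the server stores.
    if (!preg_match('/= \'(.*)\'$/s', $sql, $m)) {
        throw new RuntimeException("no quoted literal in: $sql");
    }
    return stripslashes($m[1]);
}

const UPDATE_SQL = "UPDATE wp_bp_xprofile_fields SET name = %s";

// Constructed input: a field title containing quotation marks, as in the ticket.
$raw_post = ['name' => "O'Reilly's \"Bio\""];

// 1. The bug: magic quotes already slashed the value, prepare() escapes it
//    again, and the table ends up holding the backslashes.
$post = magic_quotes($raw_post);                        // O\'Reilly\'s \"Bio\"
$buggy_sql = prepare_stub(UPDATE_SQL, $post['name']);
echo "bug:     ", mysql_stores($buggy_sql), PHP_EOL;     // O\'Reilly\'s \"Bio\"

// 2. The fix that keeps prepare(): strip the magic-quote slashes from the
//    request first (what stripslashes_deep() does in WordPress), then let
//    prepare() be the single layer of escaping.
$unslashed = array_map('stripslashes', $post);
$fixed_sql = prepare_stub(UPDATE_SQL, $unslashed['name']);
echo "fixed:   ", mysql_stores($fixed_sql), PHP_EOL;     // O'Reilly's "Bio"

// 3. Why sprintf() is not a safe replacement: it does no escaping itself, so
//    it is only correct when every caller has already escaped. A value that
//    reaches save() without passing through magic quotes (set from code, not
//    from $_POST) produces a statement whose quoting is broken.
$unsafe_sql = sprintf("UPDATE wp_bp_xprofile_fields SET name = '%s'", $raw_post['name']);
echo "sprintf: ", $unsafe_sql, PHP_EOL;
// UPDATE wp_bp_xprofile_fields SET name = 'O'Reilly's "Bio"'
```

Run with `php example.php`. The point of step 3 is the one the closing comment makes: with sprintf() the correctness of the query depends on every code path having escaped the data beforehand, whereas keeping $wpdb->prepare() and unslashing its input makes the escaping happen exactly once, at the query boundary.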