
BuddyPress.org

Opened 12 years ago

Closed 12 years ago

#983 closed defect (bug) (fixed)

HTML in profile name field broken again

Reported by: Magganpice
Owned by:
Milestone:
Priority: major
Severity:
Version:
Component:
Keywords: HTML, profile
Cc:

Description

This was fixed quite a while ago but is broken again (as in testing on testbp.org).

In my profile, I can enter HTML into my profile name field (maybe also other fields). This breaks the display in activity streams.

For instance I can enter "<strike><em>My Name" into that field and the community home page is then "broken".

My suggestion back then was to strip HTML out of the saved data when SAVING, but the problem was solved on the output side by not DISPLAYING the HTML. This solution seems not to work anymore. I guess it would be better to solve this on the SAVING side, not in the OUTPUT.

Change History (8)

#1 @Magganpice
12 years ago

FYI: The previous time this problem was solved was in Ticket #838.

#2 @apeatling
12 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [1809]) Fixes #983

#3 @Magganpice
12 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

This is still broken on testbp.org - so I reopen.

Please just close it again if testbp.org is still running an earlier version (is there a way for me to find out the version of testbp.org?).

#4 @apeatling
12 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [1836]) Straight up stripping any html from the user's display name. Fixes #983

#5 @Magganpice
12 years ago

  • Keywords HTML profile added
  • Resolution fixed deleted
  • Status changed from closed to reopened

Sorry, I have to reopen this old and multiple times fixed ticket.

I think I have to insist that this be fixed on the INPUT side (as opposed to fixing it on the OUTPUT side). The only way to really fix this is on the INPUT side otherwise this problem will always keep coming up.

How to reproduce on testbp.org today (2010-01-07):

  • in your profile, put something like "<strong><a><blockquote>Firstname Lastname" in your name field
  • then, for instance reply to someone's status
  • this bad HTML will appear in front of your name
  • and in your profile your name will be "strong"

It will not be the solution to run around fixing all output code for profile names throughout the system. HTML must be stripped out when someone saves his profile changes. This way, the HTML will never be saved to the database and appear nowhere.

Please do not just fix this on the output side again, thanks :-)

#6 @Magganpice
12 years ago

additional info:

the bad HTML will in some places appear in front of your name and then sometimes suddenly not anymore. Or, after sending your reply, the HTML will not be there but when reloading the page it will be there.

so, maybe you have to surf around a bit and reload to see the bad HTML.

#7 @Magganpice
12 years ago

For instance, I can put <strong><a href=http://phishing.com><blockquote><i> in front of my name so that people visiting my profile can click on my name to get to the place I want them to go.

Also a good thing for SEO spammers in large community sites.
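
The input-side fix the reporter asks for in #5, applied to the reproduction strings from #5 and #7, as an added example that is not BuddyPress's own code (the function names are hypothetical): strip tags from the display name when it is saved, and still escape the stored value when it is rendered, so a value that reached the database by another route cannot inject markup either.

```php
<?php
// Added example, not BuddyPress code. Function names are hypothetical.

/**
 * Sanitize a submitted display name before it is stored (the SAVE side).
 * strip_tags() removes complete, unclosed and attribute-bearing tags alike,
 * so "<strong><a href=http://phishing.com><blockquote><i>Jane" becomes "Jane".
 */
function example_sanitize_display_name(string $raw): string
{
    $name = strip_tags($raw);
    // Tidy whitespace the removed tags may have left behind.
    return trim(preg_replace('/\s+/', ' ', $name));
}

/**
 * Escape a stored display name at render time (the OUTPUT side).
 * Defense in depth: whatever is in the database is shown as text, never markup.
 */
function example_escape_display_name(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs, taken from the ticket's own reproduction steps.
$samples = [
    '<strike><em>My Name',
    '<strong><a><blockquote>Firstname Lastname',
    '<strong><a href=http://phishing.com><blockquote><i>Firstname Lastname',
];

foreach ($samples as $raw) {
    $saved = example_sanitize_display_name($raw);  // value written to the DB
    $shown = example_escape_display_name($saved);  // value written into HTML
    printf("raw:   %s\nsaved: %s\nshown: %s\n\n", $raw, $saved, $shown);
}
```

For each sample the saved value is the bare name ("My Name", "Firstname Lastname"), so the activity stream, the profile page and every other output path receive clean data without per-template fixes.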

#8 @apeatling
12 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed