[buddypress-trac] [BuddyPress] #1657: Double-escaping in groups_notification_group_invites() and other places

buddypress-trac at lists.automattic.com buddypress-trac at lists.automattic.com
Thu Jan 21 22:19:58 UTC 2010


#1657: Double-escaping in groups_notification_group_invites() and other places
-----------------------------+----------------------------------------------
Reporter:  DJPaul            |       Owner:     
    Type:  defect            |      Status:  new
Priority:  minor             |   Milestone:  1.2
Keywords:  encoding, groups  |  
-----------------------------+----------------------------------------------
 In groups_notification_group_invites() and possibly in other similar
 functions, the group name is being double-escaped. This was tested on
 1.1.3 but looks like it will affect trunk.  To recreate, just change the
 name of a group to something containing an apostrophe, i.e. "Bob's Famous
 Tomatoes's".

 Invite someone, and look at the text of that email. Those apostrophes will
 be escaped still.

 This is because the group names are being escaped by wpdb->prepare, and
 then they are used in this routine like so, causing a double-escape
 situation.

 stripslashes( attribute_escape( $group->name ) )

 A fix is to remove the attribute_escape calls. This is probably safe as
 when the group name is set, it is filtered with kses and
 force_balance_tags.

-- 
Ticket URL: <http://trac.buddypress.org/ticket/1657>
BuddyPress <http://buddypress.org/>
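An added PHP example, not code from the ticket or from BuddyPress, that reproduces the escaping sequence described above; attribute_escape() is approximated with htmlspecialchars() using ENT_QUOTES, and addslashes() stands in for the slashes wpdb->prepare adds:

```php
<?php
// Added example (not from the ticket or BuddyPress). Reproduces the
// double-escape in groups_notification_group_invites() and the proposed fix.

// Approximation of attribute_escape(): HTML-entity encodes, including quotes,
// which is what turns an apostrophe into &#039;.
function attribute_escape_approx(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Simulates the group name as it comes back after wpdb->prepare() has
// added a backslash before each quote character.
function name_as_stored(string $name): string {
    return addslashes($name);
}

// Routine from the ticket: HTML-escape first, then strip slashes.
// htmlspecialchars() leaves the backslash alone and encodes the apostrophe,
// so stripslashes() removes the backslash but the entity survives into the
// plain-text email.
function buggy_email_name(string $stored): string {
    return stripslashes(attribute_escape_approx($stored));
}

// Proposed fix: the name was already filtered with kses and
// force_balance_tags when saved, so for a plain-text email body only the
// added slashes need removing. HTML contexts still escape at output time.
function fixed_email_name(string $stored): string {
    return stripslashes($stored);
}

// Constructed input matching the reproduction steps in the ticket.
$stored = name_as_stored("Bob's Famous Tomatoes's");
echo buggy_email_name($stored), "\n";
echo fixed_email_name($stored), "\n";
```

Run with the PHP CLI, the first line still carries &#039; entities in place of the apostrophes while the second reads as the name was typed.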