[buddypress-trac] [BuddyPress] #4058: Updating bp_latest_update uses wp_filter_kses hard coded
buddypress-trac at lists.automattic.com
Sun Mar 11 15:23:54 UTC 2012
#4058: Updating bp_latest_update uses wp_filter_kses hard coded
-------------------------+--------------------
Reporter: wpdennis | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 1.6
Component: Activity | Version: 1.5.4
Severity: minor | Resolution:
Keywords: has-patch |
-------------------------+--------------------
Comment (by boonebgorges):
> Is there any particular reason for using wp_filter_kses() instead of
> bp_activity_filter_kses(), which we use on other filters?
Good question. It looks like the manual call to wp_filter_kses() has been
there since the function was introduced in r2287. If we change it to use
bp_activity_filter_kses() instead, it will mean that a larger number of
tags will be allowed (like img, div, and span). And remember that the
value being stored with this call to bp_update_user_meta() is used to
display the user's latest update in the profile header. Allowing things
like images and divs in the profile header has the potential to be
problematic, as these elements could wreck the layout. I think that this
is probably a bad thing for most BP sites.
For this reason, I'm going to move the kses call to a filter, as in
4058.diff, and mark this ticket as resolved. Site owners who want to allow
full update content in the Latest Update area can unhook wp_filter_kses()
and hook bp_activity_filter_kses() themselves.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/4058#comment:4>
BuddyPress <http://buddypress.org/>
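The unhook-and-rehook step the comment describes, as an added example that is not part of the ticket, the diff, or BuddyPress itself. It assumes the filter introduced by 4058.diff is named `bp_activity_latest_update_content` with wp_filter_kses() attached at priority 1, and that `init` runs after BuddyPress has registered its filters; `example_latest_update_kses` is a hypothetical helper.

```php
<?php
/**
 * Added example (not from the ticket or BuddyPress): swap the sanitizer on
 * the "Latest Update" value once the kses call is hooked through a filter.
 *
 * Assumptions: hook name 'bp_activity_latest_update_content' and priority 1
 * for the default wp_filter_kses() callback. Adjust both to match the hook
 * actually added by 4058.diff.
 */
add_action( 'init', function () {
    $hook     = 'bp_activity_latest_update_content'; // assumed hook name
    $priority = 1;                                   // assumed priority

    // remove_filter() returns false if nothing matched; only rehook when the
    // default really was removed, otherwise both sanitizers would run.
    if ( ! remove_filter( $hook, 'wp_filter_kses', $priority ) ) {
        return;
    }

    // Option A: BuddyPress's wider activity allow-list (img, div, span...).
    // The comment notes this can wreck the profile header layout, so it is
    // only appropriate on sites that deliberately want full update markup.
    add_filter( $hook, 'bp_activity_filter_kses', $priority );

    // Option B (instead of A): an explicit, minimal allow-list so only
    // inline formatting survives in the header.
    // add_filter( $hook, 'example_latest_update_kses', $priority );
}, 20 );

/**
 * Hypothetical middle-ground sanitizer: keep links and emphasis, drop
 * everything else. wp_kses() strips any tag or attribute not listed.
 */
function example_latest_update_kses( $content ) {
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'em'     => array(),
        'strong' => array(),
    );
    return wp_kses( $content, $allowed );
}
```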