[buddypress-trac] [BuddyPress] #925: Fix for double-escaped data in wp_bp_xprofile_fields
buddypress-trac at lists.automattic.com
Tue Aug 18 12:02:04 UTC 2009
#925: Fix for double-escaped data in wp_bp_xprofile_fields
--------------------+-------------------------------------------------------
Reporter: swinton | Owner:
Type: defect | Status: new
Priority: major | Milestone:
Keywords: |
--------------------+-------------------------------------------------------
There is an issue where double-escaped data is being inserted into the
wp_bp_xprofile_fields table.
To reproduce, create a new profile field whose title or description
contains quotation marks.
Currently this issue is worked around by passing the values through
stripslashes() before the values are rendered (in the populate() method of
BP_XProfile_Field).
However, slashes are only stripped from the name and description
attributes. It's possible that other attributes will have additional
slashes in the database, e.g. the label for a checkbox option.
The additional slashes are being added by $wpdb->prepare (in the save()
method of BP_XProfile_Field). I believe the call to $wpdb->prepare can be
safely replaced with a call to sprintf, since the data is already escaped
by add_magic_quotes in wp-settings.php, lines 699-722.
The attached patch replaces calls to $wpdb->prepare in the save() method
of BP_XProfile_Field with equivalent sprintf calls, and with quoted %s
tokens.
The same has been done for the BP_XProfile_ProfileData class.
Calls to stripslashes have been removed from both the populate() methods
of this class.
--
Ticket URL: <http://trac.buddypress.org/ticket/925>
BuddyPress <http://buddypress.org/>
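The double escaping the ticket describes, traced with stand-ins for the WordPress pieces involved; this is an added illustration, not code from the ticket, the attached patch, or BuddyPress. `magic_quotes()`, `prepare_literal()`, `sprintf_literal()` and `mysql_stores()` are assumed simplifications of add_magic_quotes(), $wpdb->prepare() with a %s token (which in 2009 escaped with addslashes-style escaping), the patch's sprintf() with a quoted %s, and what MySQL stores for a single-quoted literal.

```php
<?php
// Added illustration for ticket #925; not BuddyPress or WordPress code.
// The functions below are simplified stand-ins for the real behaviour.

function magic_quotes(string $raw): string {      // add_magic_quotes() on $_POST
    return addslashes($raw);
}

function prepare_literal(string $value): string { // $wpdb->prepare('%s') stand-in
    return "'" . addslashes($value) . "'";        // escapes, then quotes
}

function sprintf_literal(string $value): string { // the patch: sprintf("'%s'")
    return sprintf("'%s'", $value);               // quotes, no escaping
}

// What MySQL stores for a single-quoted literal: one escaping level is removed.
// Returns null when the literal is malformed (an unescaped quote ends it early).
function mysql_stores(string $literal): ?string {
    if (!preg_match('/^\'((?:[^\'\\\\]|\\\\.)*)\'$/', $literal, $m)) {
        return null;
    }
    return stripslashes($m[1]);
}

$title = 'Say "hi"';   // constructed field title containing quotation marks

// 1. Current code: slashed request data goes straight into prepare(), so the
//    row keeps a set of backslashes -> the double escaping in the ticket.
$stored_now = mysql_stores(prepare_literal(magic_quotes($title)));
echo $stored_now, "\n";    // Say \"hi\"

// 2. The ticket's patch: sprintf() with a quoted %s, escaping left to magic quotes.
$stored_patch = mysql_stores(sprintf_literal(magic_quotes($title)));
echo $stored_patch, "\n";  // Say "hi"

// 3. Alternative: unslash first, then let prepare() escape exactly once. Same
//    row contents, but the escaping no longer depends on magic quotes having run.
$stored_fixed = mysql_stores(prepare_literal(stripslashes(magic_quotes($title))));
echo $stored_fixed, "\n";  // Say "hi"

// Where 2 and 3 differ: data that reaches save() without magic quotes applied
// (already unslashed, or built by code rather than taken from $_POST).
$unslashed = "O'Neil";
var_dump(mysql_stores(sprintf_literal($unslashed)));  // NULL: literal ends at the apostrophe
var_dump(mysql_stores(prepare_literal($unslashed)));  // string(6) "O'Neil"
```

Case 3 is the variant a reviewer would want to compare against the patch: it removes the extra slashes from every attribute, not only name and description, while keeping $wpdb->prepare() responsible for SQL escaping.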