[buddypress-trac] [BuddyPress] #925: Fix for double-escaped data in wp_bp_xprofile_fields

buddypress-trac at lists.automattic.com
Tue Aug 18 12:02:04 UTC 2009


#925: Fix for double-escaped data in wp_bp_xprofile_fields
--------------------+-------------------------------------------------------
Reporter:  swinton  |       Owner:     
    Type:  defect   |      Status:  new
Priority:  major    |   Milestone:     
Keywords:           |  
--------------------+-------------------------------------------------------
 There is an issue where double-escaped data is being inserted into the
 wp_bp_xprofile_fields table.

 To reproduce, create a new profile field whose title or description
 contains quotation marks.

 Currently this issue is worked around by passing the values through
 stripslashes() before the values are rendered (in the populate() method of
 BP_XProfile_Field).

 However, slashes are only stripped from the name and description
 attributes. It's possible that other attributes will have additional
 slashes in the database, e.g. the label for a checkbox option.

 The additional slashes are being added by $wpdb->prepare (in the save()
 method of BP_XProfile_Field). I believe the call to $wpdb->prepare can be
 safely replaced with a call to sprintf, since the data is already escaped
 by add_magic_quotes in wp-settings.php, lines 699-722.

 The attached patch replaces calls to $wpdb->prepare in the save() method
 of BP_XProfile_Field with equivalent sprintf calls, and with quoted %s
 tokens.

 The same has been done for the BP_XProfile_ProfileData class.

 Calls to stripslashes have been removed from the populate() methods of
 both classes.

-- 
Ticket URL: <http://trac.buddypress.org/ticket/925>
BuddyPress <http://buddypress.org/>
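Below is an added illustration of the double-escaping path the ticket describes; it is not BuddyPress or WordPress code and not the attached patch. The functions magic_quotes() and fake_prepare() are stand-ins (assumptions) for add_magic_quotes() in wp-settings.php and for what wpdb::prepare() of that era did with %s arguments (addslashes each argument, then substitute it as a quoted literal). The table and column names are taken from the ticket; the sample input strings are constructed. Besides reproducing the bug, the block shows the caveat a reviewer would want on the sprintf proposal: it is only safe while every caller hands save() data that magic quotes already slashed, and it shows the alternative of unslashing once and letting prepare() do the single escape.

```php
<?php
// Added example, not project code. Stand-ins for the two WordPress pieces
// involved (assumptions about their behaviour, modelled on addslashes()).

// Stand-in for add_magic_quotes(): what $_POST values look like by the time
// BP_XProfile_Field::save() sees them.
function magic_quotes(string $raw): string {
    return addslashes($raw);
}

// Stand-in for wpdb::prepare() of the time: escape every %s argument with
// addslashes(), then insert it as a quoted string literal.
function fake_prepare(string $query, string ...$args): string {
    $query   = str_replace("'%s'", '%s', $query);   // normalise to bare %s
    $query   = str_replace('%s', "'%s'", $query);   // then quote each one
    $escaped = array_map('addslashes', $args);
    return vsprintf($query, $escaped);
}

// 1. The bug as reported: request data is slashed by magic quotes, then
//    slashed again by prepare(), so a backslash survives into the table.
function buggy_insert(string $raw): string {
    $request = magic_quotes($raw);                  // Say \"hi\"
    return fake_prepare(
        'INSERT INTO wp_bp_xprofile_fields (name) VALUES (%s)',
        $request                                    // escaped a second time
    );
    // Result: VALUES ('Say \\\"hi\\\"')  ->  stored as  Say \"hi\"
    // which is why populate() needed stripslashes() on the way out.
}

// 2. The ticket's proposal: sprintf over the already-slashed value.
//    Correct output for request data, but only because the slashes were
//    added upstream by magic quotes.
function sprintf_insert(string $maybe_slashed): string {
    return sprintf(
        "INSERT INTO wp_bp_xprofile_fields (name) VALUES ('%s')",
        $maybe_slashed
    );
}

// 3. The alternative: unslash once at the boundary, escape once in prepare().
function unslash_then_prepare(string $request): string {
    return fake_prepare(
        'INSERT INTO wp_bp_xprofile_fields (name) VALUES (%s)',
        stripslashes($request)
    );
    // Result: VALUES ('Say \"hi\"')  ->  stored as  Say "hi"
}

// --- constructed sample inputs ---
$typed = 'Say "hi"';                                // what the user typed
$request = magic_quotes($typed);                    // what $_POST contains

echo "buggy   : ", buggy_insert($typed), PHP_EOL;
echo "sprintf : ", sprintf_insert($request), PHP_EOL;
echo "fixed   : ", unslash_then_prepare($request), PHP_EOL;

// The hazard sprintf inherits: a caller that passes a string magic quotes
// never touched (data that did not come through the request, or a code
// path that skipped add_magic_quotes) is now unescaped SQL.
$not_from_request = "x'); DROP TABLE wp_bp_xprofile_fields; --";
echo "unsafe  : ", sprintf_insert($not_from_request), PHP_EOL;
// unsafe  : INSERT INTO ... VALUES ('x'); DROP TABLE wp_bp_xprofile_fields; --')

// prepare() keeps that case harmless regardless of where the data came from.
echo "safe    : ", fake_prepare(
    'INSERT INTO wp_bp_xprofile_fields (name) VALUES (%s)',
    $not_from_request
), PHP_EOL;
```

Run with `php double_escape_demo.php`. The "buggy" line shows the extra backslash layer the ticket reports; "sprintf" and "fixed" both yield a correctly quoted literal for request data, but only the prepare()-based version stays injection-safe when the input was never slashed, which is the property worth checking on any caller of save() before swapping prepare() for sprintf().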