[buddypress-trac] [BuddyPress] #2986: Form General Settings - Fields are not escaped
buddypress-trac at lists.automattic.com
Fri Dec 31 11:37:55 UTC 2010
#2986: Form General Settings - Fields are not escaped
-----------------------+-----------------------------
Reporter: calvin_42 | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Core | Version: 1.2.6
Keywords: |
-----------------------+-----------------------------
Option names bp-xprofile-base-group-name and bp-xprofile-fullname-field-name are not stored into the DB in html, which means quotes are escaped with a \.
Enter the value ''Informations "TEST"'' for the bp-xprofile-base-group-name value, and save the form. Try the same for the bp-xprofile-fullname-field-name value.
When displayed, the HTML is the following:
{{{
<input name="bp-admin[bp-xprofile-base-group-name]" id="bp-xprofile-base-group-name" value="Informations \" ok\"">
}}}
which cannot be displayed correctly by the browser.
The PHP code to display this form is currently ([http://trac.buddypress.org/browser/tags/1.2.7/bp-core/bp-core-admin.php#L48 Link]):
{{{
<input name="bp-admin[bp-xprofile-base-group-name]" id="bp-xprofile-base-group-name" value="<?php echo get_site_option('bp-xprofile-base-group-name') ?>" />
}}}
To be displayed correctly it should be replaced by:
{{{
<input name="bp-admin[bp-xprofile-base-group-name]" id="bp-xprofile-base-group-name" value="<?php echo get_form_site_option('bp-xprofile-base-group-name') ?>" />

// Reads a site option and runs it through the 'get_form_site_option' filter
// chain before it is echoed into a form field.
function get_form_site_option( $option ) {
	return apply_filters( 'get_form_site_option', get_site_option( $option ) );
}
// First remove the backslashes added when the value was stored, then escape
// the result for use inside an HTML attribute. Filter order matters: escaping
// before stripping would leave the backslashes in the output.
add_filter( 'get_form_site_option', 'stripslashes' );
add_filter( 'get_form_site_option', 'esc_attr' );
}}}
--
Ticket URL: <https://trac.buddypress.org/ticket/2986>
BuddyPress <http://buddypress.org/>
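The rendering difference the ticket describes, as an added example that is not BuddyPress code and does not come from the reporter. It runs outside WordPress: get_site_option() is replaced by a constructed in-memory store holding backslash-escaped values like the ones in the ticket, and esc_attr() by the htmlspecialchars() call it amounts to for attribute output. The function names render_raw, render_escaped and attribute_intact, and both sample values, are assumptions made for this example. The second value is a constructed setting that carries a stray double quote so the raw rendering shows the value escaping its attribute and adding attributes of its own, which is the security consequence of the missing esc_attr() beyond the display glitch. These options are only written from the admin settings form, so the person who can plant such a value already has admin rights; the point is that output escaping must not depend on who stored the value.

```php
<?php
// Added example, not BuddyPress code. Stand-ins for WordPress functions are
// marked below; the values in $site_options are constructed test data.

// Constructed stand-in for the options table. Values are stored the way the
// ticket describes, with double quotes backslash-escaped.
$GLOBALS['site_options'] = [
    'bp-xprofile-base-group-name'     => 'Informations \\"TEST\\"',
    // Constructed value with a stray quote followed by two extra attributes.
    'bp-xprofile-fullname-field-name' => 'Name\\" disabled x=\\"',
];

// Stand-in for WordPress get_site_option(): look the option up in the array.
function get_site_option(string $option): ?string
{
    return $GLOBALS['site_options'][$option] ?? null;
}

// Stand-in for WordPress esc_attr(): encode quotes, angle brackets and
// ampersands so the value cannot terminate the surrounding attribute.
function esc_attr(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8', true);
}

// The ticket's fix as a plain function instead of an apply_filters() chain:
// strip the stored backslashes first, then escape for an HTML attribute.
function get_form_site_option(string $option): string
{
    return esc_attr(stripslashes(get_site_option($option) ?? ''));
}

// Current rendering: the stored value is echoed into value="..." unescaped.
function render_raw(string $option): string
{
    return sprintf('<input name="bp-admin[%s]" id="%s" value="%s" />',
        $option, $option, get_site_option($option));
}

// Fixed rendering using get_form_site_option().
function render_escaped(string $option): string
{
    return sprintf('<input name="bp-admin[%s]" id="%s" value="%s" />',
        $option, $option, get_form_site_option($option));
}

// Check: the tag has three quoted attributes, so exactly six double quotes.
// A properly escaped value contributes none; any extra quote means the value
// closed the attribute early and whatever follows is parsed as markup.
function attribute_intact(string $tag): bool
{
    return substr_count($tag, '"') === 6;
}

foreach (array_keys($GLOBALS['site_options']) as $option) {
    $raw   = render_raw($option);
    $fixed = render_escaped($option);
    printf("%s\n  raw:   %s\n         attribute intact: %s\n",
        $option, $raw, attribute_intact($raw) ? 'yes' : 'no');
    printf("  fixed: %s\n         attribute intact: %s\n\n",
        $fixed, attribute_intact($fixed) ? 'yes' : 'no');
}
```

For the first option the raw output is the broken `value="Informations \"TEST\""` from the ticket and the fixed output is `value="Informations &quot;TEST&quot;"`. For the second, the raw output `value="Name\" disabled x=\""` gives the browser a truncated value plus a `disabled` attribute it never asked for, while the fixed output keeps the whole string inside the attribute. The quote count is a crude check, but it is a cheap one to run over templates that echo stored settings.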