[buddypress-trac] [BuddyPress] #1657: Double-escaping in groups_notification_group_invites() and other places

buddypress-trac at lists.automattic.com
Thu Jan 21 22:19:58 UTC 2010

#1657: Double-escaping in groups_notification_group_invites() and other places
Reporter:  DJPaul            |       Owner:     
    Type:  defect            |      Status:  new
Priority:  minor             |   Milestone:  1.2
Keywords:  encoding, groups  |  
 In groups_notification_group_invites() and possibly in other similar
 functions, the group name is being double-escaped. This was tested on
 1.1.3 but looks like it will affect trunk.  To recreate, just change the
 name of a group to something containing an apostrophe, i.e. "Bob's Famous

 Invite someone, and look at the text of that email. Those apostrophes will
 be escaped still.

 This is because the group names are being escaped by wpdb->prepare, and
 then they are used in this routine like so, causing a double-escape:

 stripslashes( attribute_escape( $group->name ) )

 A fix is to remove the attribute_escape calls. This is probably safe as
 when the group name is set, it is filtered with kses and

Ticket URL: <http://trac.buddypress.org/ticket/1657>
BuddyPress <http://buddypress.org/>
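
Added example, not part of the ticket and not BuddyPress code: it shows what the expression quoted in the ticket produces when the result goes into a plain-text e-mail, next to the ticket's proposed fix and to encoding once for an HTML attribute. Assumptions: htmlspecialchars() with ENT_QUOTES stands in for WordPress's attribute_escape(), the function names are hypothetical, and the group names are constructed sample values.

```php
<?php
// Added illustration, not BuddyPress code.
// Assumption: htmlspecialchars( ..., ENT_QUOTES ) stands in for WordPress's
// attribute_escape(); the group names below are constructed sample values.

// The expression quoted in the ticket: HTML-attribute encoding, then stripslashes().
function name_as_in_ticket( string $name ): string {
    return stripslashes( htmlspecialchars( $name, ENT_QUOTES, 'UTF-8' ) );
}

// The ticket's proposed fix: no HTML encoding for a plain-text e-mail body.
function name_for_text_email( string $name ): string {
    return stripslashes( $name );
}

// HTML output context: encode exactly once, at the point of output.
function name_for_html_attr( string $name ): string {
    return htmlspecialchars( stripslashes( $name ), ENT_QUOTES, 'UTF-8' );
}

// Constructed inputs: a plain apostrophe, a slashed apostrophe, other HTML-special characters.
$samples = array( "Alice's Book Club", "Alice\\'s Book Club", 'Cats & "Dogs"' );

foreach ( $samples as $stored ) {
    $attr = name_for_html_attr( $stored );

    printf( "stored value   : %s\n", $stored );
    printf( "as in ticket   : %s\n", name_as_in_ticket( $stored ) );
    printf( "text e-mail    : %s\n", name_for_text_email( $stored ) );
    printf( "HTML attribute : %s\n", $attr );
    // Encoding a value that is already encoded turns each "&" into "&amp;".
    printf( "encoded twice  : %s\n\n", htmlspecialchars( $attr, ENT_QUOTES, 'UTF-8' ) );
}
```

The "as in ticket" line carries HTML entities that a plain-text mail client displays literally, while the same encoding is what an HTML attribute needs; the escaping belongs to the output context, applied once.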
