[buddypress-trac] [BuddyPress] #1657: Double-escaping in groups_notification_group_invites() and other places
buddypress-trac at lists.automattic.com
Thu Jan 21 22:19:58 UTC 2010
#1657: Double-escaping in groups_notification_group_invites() and other places
-----------------------------+----------------------------------------------
Reporter: DJPaul | Owner:
Type: defect | Status: new
Priority: minor | Milestone: 1.2
Keywords: encoding, groups |
-----------------------------+----------------------------------------------
In groups_notification_group_invites() and possibly in other similar
functions, the group name is being double-escaped. This was tested on
1.1.3 but looks like it will affect trunk. To recreate, just change the
name of a group to something containing an apostrophe, i.e. "Bob's Famous
Tomatoes's".
Invite someone, and look at the text of that email. Those apostrophes will
be escaped still.
This is because the group names are being escaped by wpdb->prepare, and
then they are used in this routine like so, causing a double-escape
situation.
    stripslashes( attribute_escape( $group->name ) )
A fix is to remove the attribute_escape calls. This is probably safe as
when the group name is set, it is filtered with kses and
force_balance_tags.
--
Ticket URL: <http://trac.buddypress.org/ticket/1657>
BuddyPress <http://buddypress.org/>
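
Added example, not part of the ticket and not BuddyPress code: a before/after of the expression quoted above when its result goes into a plain-text mail body, plus a check for escaping residue. It assumes htmlspecialchars() with ENT_QUOTES as a stand-in for attribute_escape(); all function names and the two sample inputs are constructed for illustration.

```php
<?php
// Added illustration, not BuddyPress code; every function name here is hypothetical.

// Assumed stand-in for attribute_escape(): HTML-attribute encoding, quotes included.
function html_attr_escape(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Before: the expression quoted in the ticket, feeding a text/plain mail body.
function invite_body_before(string $group_name): string {
    $name = stripslashes(html_attr_escape($group_name));
    return "You have been invited to the group: \"$name\"";
}

// After: the ticket's proposed fix, with no HTML escaping in a text/plain context.
function invite_body_after(string $group_name): string {
    $name = stripslashes($group_name);
    return "You have been invited to the group: \"$name\"";
}

// Regression check: escaping residue that should never reach a plain-text body.
function escape_artifacts(string $body): array {
    $pattern = '/&(?:#\d+|#x[0-9a-f]+|amp|quot|lt|gt);|\\\\[\'"\\\\]/i';
    preg_match_all($pattern, $body, $m);
    return array_values(array_unique($m[0]));
}

// Constructed inputs: the ticket's group name as typed, and a copy that still
// carries backslashes from an earlier escaping layer.
$samples = array(
    'as typed' => "Bob's Famous Tomatoes's",
    'slashed'  => "Bob\\'s Famous Tomatoes\\'s",
);

foreach ($samples as $label => $stored) {
    foreach (array('before' => 'invite_body_before', 'after' => 'invite_body_after') as $when => $fn) {
        $body = $fn($stored);
        $found = escape_artifacts($body);
        printf("%-8s %-6s %s\n         residue: %s\n", $label, $when, $body,
            $found ? implode(' ', $found) : 'none');
    }
}
```

The same group name placed into an HTML page or an HTML-format mail still needs escaping at that output point; the before/after here covers the text/plain body only.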