[buddypress-trac] [BuddyPress Trac] #5971: Usage of wp_filter_kses is inconsistent for XProfile fields
buddypress-trac
noreply at wordpress.org
Wed Oct 29 11:53:17 UTC 2014
#5971: Usage of wp_filter_kses is inconsistent for XProfile fields
--------------------------+-----------------------------
Reporter: thomaslhotta | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: XProfile | Version: 2.1
Severity: normal | Keywords:
--------------------------+-----------------------------
In bp-xprofile-admin.php on line 246 {{{ wp_filter_kses }}} is applied to
the field description before saving. This is redundant as the
{{{xprofile_field_description_before_save}}} filter already has {{{
wp_filter_kses }}} attached. The same goes for the field name.
On the other hand {{{fieldtype}}} and {{{required}}} are ksesed in bp-xprofile-admin.php but do not have {{{ wp_filter_kses }}} attached as a filter.
Wouldn't it be better from an encapsulation perspective to do all the
input sanitizing in the {{{save}}} function of the {{{BP_XProfile_Field}}}
class?
Additionally, this makes it just a little bit harder to use the
{{{wp_kses_allowed_html}}} filter to allow more HTML in the description, as
one has to watch for 2 contexts.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5971>
BuddyPress Trac <http://buddypress.org/>
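The refactoring the ticket suggests, sketched as an added example (not BuddyPress code and not part of the ticket): sanitizing happens once, inside the object's `save` method, through the `*_before_save` filters that already carry `wp_filter_kses`, and the admin handler stops ksesing the same values a second time. The filter name `xprofile_field_description_before_save`, the class name `BP_XProfile_Field` and the `fieldtype`/`required` properties come from the ticket; the class `Example_Profile_Field`, the function `example_admin_save_field`, the `xprofile_field_name_before_save` hook name and the list of allowed field types are placeholders I chose for this sketch.

```php
<?php
/**
 * Illustrative sketch, not BuddyPress's own code. It shows one sanitizing
 * boundary (the save method) instead of two (admin handler + before_save filter).
 * Hook names other than 'xprofile_field_description_before_save' are assumptions.
 */

// Attach wp_filter_kses (real WordPress function) to the before_save filters once.
// wp_filter_kses runs wp_kses() with current_filter() as the kses context, so the
// context seen by wp_kses_allowed_html is the filter name itself.
add_filter( 'xprofile_field_description_before_save', 'wp_filter_kses' );
add_filter( 'xprofile_field_name_before_save',        'wp_filter_kses' ); // assumed hook name

class Example_Profile_Field { // placeholder standing in for BP_XProfile_Field
	public $name        = '';
	public $description = '';
	public $type        = 'textbox';
	public $is_required = false;

	/**
	 * Single sanitizing boundary: raw (slashed, as WordPress delivers $_POST)
	 * values go in, filtered values are stored. Each HTML-bearing property passes
	 * through its before_save filter exactly once, whoever the caller is.
	 */
	public function save() {
		$this->name        = apply_filters( 'xprofile_field_name_before_save',        $this->name,        $this );
		$this->description = apply_filters( 'xprofile_field_description_before_save', $this->description, $this );

		// fieldtype and required carry no HTML: validate against an allowed set
		// and cast to bool rather than running kses over them.
		$allowed_types     = array( 'textbox', 'textarea', 'checkbox', 'radio', 'selectbox' ); // constructed list
		$this->type        = in_array( $this->type, $allowed_types, true ) ? $this->type : 'textbox';
		$this->is_required = (bool) $this->is_required;

		return $this->persist();
	}

	private function persist() {
		return true; // placeholder for the real database write
	}
}

/**
 * Admin handler sketch: hands the submitted values to the object untouched and
 * lets save() sanitize. No wp_filter_kses call here, so the duplicated second
 * kses context the ticket describes disappears.
 */
function example_admin_save_field() { // placeholder name
	$field              = new Example_Profile_Field();
	$field->name        = isset( $_POST['title'] )       ? $_POST['title']       : '';
	$field->description = isset( $_POST['description'] ) ? $_POST['description'] : '';
	$field->type        = isset( $_POST['fieldtype'] )   ? $_POST['fieldtype']   : 'textbox';
	$field->is_required = ! empty( $_POST['required'] );
	return $field->save();
}

/**
 * With one sanitizing context, a site that wants extra markup in descriptions
 * extends the allowed list for that single context only. Because wp_filter_kses
 * uses current_filter() as the context, that context is the before_save hook name.
 */
add_filter( 'wp_kses_allowed_html', function ( $allowed, $context ) {
	if ( 'xprofile_field_description_before_save' === $context ) {
		$allowed['span'] = array( 'class' => true ); // example of extra allowed markup
	}
	return $allowed;
}, 10, 2 );
```

The point of keeping kses on the before_save filter rather than in the handler is that the filter name becomes the one kses context a site owner has to think about when widening the allowed HTML; a direct `wp_filter_kses` call in the admin handler runs under whatever hook happens to be executing at that moment, which is the second context the ticket refers to.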