[buddypress-trac] [BuddyPress Trac] #6707: Member - Settings - Email - radio buttons
buddypress-trac
noreply at wordpress.org
Sun Nov 1 13:04:18 UTC 2015
#6707: Member - Settings - Email - radio buttons
----------------------------------+-----------------------------
Reporter: slaFFik | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Component - Settings | Version:
Severity: normal | Keywords:
----------------------------------+-----------------------------
It seems BuddyPress trusts radio-button values on save, which is not good.
Just change the value field of any checked radio button and click save;
in my case `yes-or-no` was saved successfully into the DB.
In source code we have:
{{{
// Every key/value pair posted under notifications[] is written to user meta
// as-is: neither the meta key nor the value is checked against what the form offers.
foreach ( (array) $_POST['notifications'] as $key => $value ) {
	bp_update_user_meta( (int) bp_displayed_user_id(), $key, $value );
}
}}}
So any JS script or user can pass any string. I believe this is a bad
approach, where the application doesn't control the data that is saved.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6707>
BuddyPress Trac <http://buddypress.org/>
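The pattern the ticket objects to is writing untrusted `$_POST` pairs straight to user meta. The example below is an added illustration of the allow-list approach a reviewer would ask for; it is not BuddyPress code and not a patch from the ticket. The function name `example_sanitize_notification_settings`, the `$allowed_keys` list (the key names are assumed BuddyPress notification meta keys, used only for illustration) and the tampered submission are all constructed for this example. The only values the settings radio buttons offer are `yes` and `no`, so anything else is rejected before `bp_update_user_meta()` would ever see it.

```php
<?php
// Added example, not BuddyPress code: vet notifications[] against an
// allow-list of meta keys and the fixed set of radio-button values
// instead of storing whatever the browser submitted.

/**
 * Split a raw notifications[] submission into pairs that are safe to
 * store and pairs that must be dropped.
 *
 * @param mixed $input        Raw $_POST['notifications'] (untrusted).
 * @param array $allowed_keys Meta keys the settings form is permitted to write.
 * @return array{clean: array<string,string>, rejected: array}
 */
function example_sanitize_notification_settings( $input, array $allowed_keys ) {
	// The radio buttons on the form only ever offer these two values.
	$allowed_values = array( 'yes', 'no' );
	$clean    = array();
	$rejected = array();

	foreach ( (array) $input as $key => $value ) {
		// Unknown or non-string meta key: never write it, whatever the value.
		if ( ! is_string( $key ) || ! in_array( $key, $allowed_keys, true ) ) {
			$rejected[ $key ] = $value;
			continue;
		}
		// Value outside the allow-list, e.g. 'yes-or-no' from an edited form.
		if ( ! is_string( $value ) || ! in_array( $value, $allowed_values, true ) ) {
			$rejected[ $key ] = $value;
			continue;
		}
		$clean[ $key ] = $value;
	}

	return array( 'clean' => $clean, 'rejected' => $rejected );
}

// Assumed allow-list for illustration; the real key names would come from
// the settings form definition, not be hard-coded here.
$allowed_keys = array(
	'notification_activity_new_mention',
	'notification_activity_new_reply',
	'notification_messages_new_message',
);

// Constructed tampered submission: one value edited in the browser to
// 'yes-or-no', one meta key the form never offered smuggled in.
$posted = array(
	'notification_activity_new_mention' => 'no',
	'notification_activity_new_reply'   => 'yes-or-no',
	'unrelated_meta_key'                => 'anything',
);

$result = example_sanitize_notification_settings( $posted, $allowed_keys );

// Only the vetted pairs would reach the save loop from the ticket:
// foreach ( $result['clean'] as $key => $value ) {
//     bp_update_user_meta( (int) bp_displayed_user_id(), $key, $value );
// }
// $result['rejected'] can be logged or turned into a form error instead.
var_dump( $result );
```

Strict comparison (`in_array( ..., true )`) matters here: a loose check would let values such as `0` or `true` match unexpectedly. Rejecting rather than coercing also keeps the behaviour visible, so a tampered or buggy client surfaces as an error instead of as silently corrupted user meta.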