[buddypress-trac] [BuddyPress Trac] #8404: Html code injection buddypress.org
buddypress-trac
noreply at wordpress.org
Fri Nov 27 15:56:38 UTC 2020
#8404: Html code injection buddypress.org
----------------------------------+------------------------------
 Reporter:  zeldatea              |       Owner:  johnjamesjacoby
     Type:  defect (bug)          |      Status:  accepted
 Priority:  high                  |   Milestone:  6.4.0
Component:  BuddyPress.org Sites  |     Version:
 Severity:  minor                 |  Resolution:
 Keywords:  has-patch             |
----------------------------------+------------------------------
Comment (by johnjamesjacoby):
In [changeset:"12806" 12806]:
{{{
#!CommitTicketReference repository="" revision="12806"
XProfile: only allow "style" attributes in richtext fields for capable users

This commit prevents non-capable users from adding style attributes to
"span" and "p" elements in their profile fields, which could be used in
unintended ways relative to when it was introduced in #5625.

Note that this could be considered a backwards compatibility break. If you
are a site owner or developer who relied on this functionality, you will
want to use the `xprofile_allowed_tags` filter to re-enable these
attributes.

In trunk for 7.0. See #8404.
}}}
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8404#comment:4>
BuddyPress Trac <http://buddypress.org/>
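
The commit message points site owners at the `xprofile_allowed_tags` filter. As an added example (not part of changeset 12806 or of BuddyPress itself), here is a callback that restores "style" on "span" and "p" only for users holding a chosen capability. The function name and the capability are hypothetical, and the code assumes the filter's first argument is the allowlist array in wp_kses() format.

```php
<?php
/**
 * Added example, not BuddyPress code. Only the 'xprofile_allowed_tags'
 * hook name comes from the commit message; the callback name and the
 * capability below are hypothetical.
 *
 * Assumption: $allowed_tags is a wp_kses()-style allowlist,
 * i.e. tag => array( attribute => true ).
 */
function myplugin_xprofile_allow_style( $allowed_tags ) {
	// Assumption: 'moderate_comments' stands in for whatever capability
	// your site treats as trusted enough to control inline styling.
	// current_user_can() evaluates the user who is logged in at the
	// moment the filter runs.
	if ( ! current_user_can( 'moderate_comments' ) ) {
		// Everyone else keeps the restricted default from the commit.
		return $allowed_tags;
	}

	// Re-enable "style" only on the two elements the commit names,
	// leaving every other tag's attribute list untouched.
	foreach ( array( 'span', 'p' ) as $tag ) {
		if ( ! isset( $allowed_tags[ $tag ] ) || ! is_array( $allowed_tags[ $tag ] ) ) {
			$allowed_tags[ $tag ] = array();
		}
		$allowed_tags[ $tag ]['style'] = true;
	}

	return $allowed_tags;
}
add_filter( 'xprofile_allowed_tags', 'myplugin_xprofile_allow_style' );
```

If the resulting allowlist is applied with wp_kses(), "style" values are still passed through WordPress's safecss_filter_attr(), so only CSS properties on its safe list survive.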