Prevent users from adding popup scripts

    thebigk
    Participant

    @thebigk

    Hi,

    One of our users has added a script to his profile that pops up a message window in the browser every time his profile is visited.

    How can this be prevented?

Viewing 13 replies - 1 through 13 (of 13 total)
    thebigk
    Participant

    @thebigk

    I noticed that the fields accept HTML. Are the fields properly sanitized?

    As always: what version of BuddyPress are you running?

    thebigk
    Participant

    @thebigk

    RC1 :(

    I hope the RC2 & V1 have taken care of this problem.

    Burtadsit and I recall this coming up a few weeks ago. I can’t find any particular commit quickly but I’m sure something like this was fixed since RC1. Suggest you go into the DB and edit the offending item directly.

    thebigk
    Participant

    @thebigk

    But isn’t this very harmful? I guess scripts can be used to hack the site as well?

    thebigk
    Participant

    @thebigk

    The miscreant is using the following script in the Group Name:

    <script>alert('XX - XX rocks !')</script>

    Can someone suggest a quick fix for this?

    Burt Adsit
    Participant

    @burtadsit

    Upgrade would be the best solution. In the meantime, in bp-groups-filters.php add this:

    add_filter( 'bp_group_name', 'wp_filter_kses', 1 );

    thebigk
    Participant

    @thebigk

    Hi Burtadsit – the user has added the same script to his profile as well. Can I add the code to profiles page too? If yes, what would be the code and where exactly do I add it?

    {PS: You are a rockstar! :) }

    Burt Adsit
    Participant

    @burtadsit

    In bp-xprofile-filters.php:

    add_filter( 'bp_the_profile_field_value', 'wp_filter_kses', 1 );

    Once again upgrading will be the best solution.

    Burt Adsit
    Participant

    @burtadsit

    This isn’t going to solve the problem completely. There has been a lot of added sanitization going on in bp. You really want to track these things down one by one?

    thebigk
    Participant

    @thebigk

    I'll try it. I added the filter to the groups page and the script does not appear when the group home page is visited. However, when loading the groups page [through the groups button], the script still appears.

    PS: I’ll upgrade very soon.

    thebigk
    Participant

    @thebigk

    Hi Burtadsit: Yes, upgrade is the best option. I want a few temporary fixes to keep a few idiots in our network from being smart.

    Burt Adsit
    Participant

    @burtadsit

    FYI those filter calls I suggested were pulled directly from current bp code. I didn’t invent these things. There’s lots more and stuff under the hood that isn’t so obvious also.
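
Burt's two filter lines gathered into one drop-in plugin file, as an added example (not BuddyPress's own code and not anything posted in this thread). It hooks the two output filters quoted above, adds the group directory listing that still rendered the script after the first fix, and also strips markup on save, because this is a stored XSS: the payload sits in the database, so filtering only at output means chasing every render path one by one. Assumptions not confirmed by the thread: that bp_get_group_name is the filter behind the directory listing and that groups_group_before_save and xprofile_data_before_save are the actions fired before a group or profile field is saved; the plugin path is illustrative. Upgrading remains the real fix.

```php
<?php
/*
 * Plugin Name: Stored-XSS stopgap for group names and profile fields
 *
 * Added example for this thread, not BuddyPress code. Save as
 * wp-content/mu-plugins/bp-xss-stopgap.php (must-use plugins load without
 * activation). Requires WordPress with BuddyPress active.
 */

// A group name or profile field is plain text and has no reason to carry
// markup. wp_filter_kses() keeps the default "post" tag set (a, strong, ...),
// so use wp_kses() with an empty allow-list, which drops every tag including
// <script> and keeps only the text ("XX - XX rocks !").
function bp_xss_stopgap_strip_markup( $value ) {
    if ( ! is_string( $value ) ) {
        return $value;
    }
    $clean = wp_kses( $value, array() );

    // Decode entities once and strip again, so an encoded payload such as
    // &lt;script&gt; does not survive into a template that decodes it later.
    $decoded = html_entity_decode( $clean, ENT_QUOTES, 'UTF-8' );
    if ( $decoded !== $clean ) {
        $clean = wp_kses( $decoded, array() );
    }
    return $clean;
}

// 1. Output side: the two hooks quoted in the thread, at priority 1 so they
//    run before any other formatting, plus the directory loop's filter
//    (bp_get_group_name is an assumption, see lead-in).
add_filter( 'bp_group_name',              'bp_xss_stopgap_strip_markup', 1 );
add_filter( 'bp_get_group_name',          'bp_xss_stopgap_strip_markup', 1 );
add_filter( 'bp_the_profile_field_value', 'bp_xss_stopgap_strip_markup', 1 );

// 2. Input side: clean the value before it reaches the database, so a new
//    payload never needs a per-template fix. Both action names are assumed;
//    the object is passed by reference, so changing its properties is enough.
function bp_xss_stopgap_group_before_save( $group ) {
    if ( isset( $group->name ) ) {
        $group->name = bp_xss_stopgap_strip_markup( $group->name );
    }
}
add_action( 'groups_group_before_save', 'bp_xss_stopgap_group_before_save' );

function bp_xss_stopgap_profile_before_save( $data ) {
    if ( isset( $data->value ) ) {
        $data->value = bp_xss_stopgap_strip_markup( $data->value );
    }
}
add_action( 'xprofile_data_before_save', 'bp_xss_stopgap_profile_before_save' );
```

Rows already in the database are not touched by the input-side hooks; the offending group name and profile field still have to be edited directly, as suggested earlier in the thread, or re-saved through the form so the before-save actions run. Once the upgrade is in place the file can be deleted.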

