XPROFILE textbox input not sanitized, so i added this…

  • mariochampion
    Participant

    @mariochampion

    hey all:

    been setting up a client using wp3.0.1 and bp 1.2.5, and doing a little testing and i noted that if you created a textbox xprofile field (say to collect zipcode) and put something in it like:
    (script)bad stuff here;(/script)
    –obviously using brackets, tho — the database would, lo and behold, not sanitize the input.

    really.

    altho, in fairness, addslashes was added but script tags passed thru to the database, and the output was properly sanitized. that is, when you viewed someone’s profile, the xprofile field wouldn’t show the script tags, just what was in between. however, i’m sure you agree, there are verrry few reasons for keeping literal script tags in the database store of user input — in fact i can’t think of one.

    for proof: see db screenshot at http://mariochampion.com/images/xprofile_data_table.png or just give it a try yourself.

    so, after some digging i found where the xprofile fields are manipulated and added a little function to the bottom of my functions.php in plugins/buddypress/bp-themes/bp-default/functions.php to call wp_filter_kses() on the field value.

    if you are inclined:
    http://pastebin.com/GaYZTCq9

    just thought i’d give back a little.
    adios
    mario

Viewing 2 replies - 1 through 2 (of 2 total)
  • Paul Gibbs
    Keymaster

    @djpaul

    You win a prize! Good spot, and thanks. I’ve taken the liberty of filing a bug report and have attached a patch based on your findings.

    http://trac.buddypress.org/ticket/2603/

  • mariochampion
    Participant

    @mariochampion

    woohoo, and happy to help where i could!

    and, ya know, reading the trac ticket i see a comment about making it conditional to textbox types only. i actually spent a bit of time trying to figure that out, but, i didn’t know how to pass the right $this->type value from the object in the BP_XPROFILE_somethingortheother class without adding a line to that file. that is, i couldn’t seem to get to it from add_actions/add_filter permutations… so i hoped that wp_filter_kses() would gracefully handle radio btns, checkboxes, etc

    thanks to all yall for so much good work.
    adios
    mario
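As an added example (not the poster’s pastebin code and not the BuddyPress patch from the ticket), a stand-alone PHP sketch of the two points made in this thread: addslashes() only escapes quotes for the SQL query and leaves tags untouched, so input sanitization is a separate step, and that step can be limited to free-text field types as the ticket comment suggests. strip_tags() stands in for wp_filter_kses(), which needs a loaded WordPress install, and the field-type names are assumed to follow BuddyPress’s (“textbox” is the one named in the thread).

```php
<?php
/**
 * Sanitize an xprofile value before it is stored.
 *
 * addslashes() (what the first post observed being applied) only backslash-escapes
 * quotes and backslashes so a value is safe inside an SQL string literal; it does
 * nothing about <script> or any other tag, so tag removal must be explicit.
 *
 * Only free-text field types get tag stripping, mirroring the "textbox types only"
 * idea from the trac ticket; choice fields are passed through unchanged here.
 * Field-type names are assumed to match BuddyPress's (not taken from its source).
 */
function sanitize_xprofile_value( $value, $field_type ) {
    $free_text_types = array( 'textbox', 'textarea' );

    if ( in_array( $field_type, $free_text_types, true ) ) {
        // Stand-in for wp_filter_kses(): remove the tags, keep the text between
        // them, which is what the profile page displayed in the thread.
        $value = strip_tags( $value );
    }

    return $value;
}

/**
 * Report, for one constructed input, what each step leaves behind.
 */
function compare_escaping_and_sanitizing( $value, $field_type ) {
    return array(
        'raw'              => $value,
        'addslashes_only'  => addslashes( $value ),               // SQL escaping, tags intact
        'sanitized'        => sanitize_xprofile_value( $value, $field_type ),
    );
}

// Constructed test values, not data from the thread.
$samples = array(
    array( '90210<script>alert(1)</script>', 'textbox' ),  // zipcode field from the report
    array( "O'Brien",                        'textbox' ),  // quote: addslashes acts, no tags to strip
    array( 'Option 2',                       'checkbox' ), // choice field: left untouched
);

foreach ( $samples as $sample ) {
    list( $value, $type ) = $sample;
    foreach ( compare_escaping_and_sanitizing( $value, $type ) as $stage => $result ) {
        printf( "%-9s %-16s %s\n", $type, $stage, $result );
    }
    echo "\n";
}
```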
