XPROFILE textbox input not sanitized, so I added this…
I've been setting up a client using WP 3.0.1 and BP 1.2.5, and doing a little testing, and I noted that if you created a textbox xprofile field (say, to collect a zip code) and put something in it like:
(script)bad stuff here;(/script)
(obviously using brackets, though), the database would, lo and behold, not sanitize the input.
Although, in fairness, addslashes was applied, script tags passed through to the database, and the output was properly sanitized. That is, when you viewed someone's profile, the xprofile field wouldn't show the script tags, just what was in between. However, I'm sure you agree, there are very few reasons for keeping literal script tags in the database store of user input; in fact I can't think of one.
For proof: see the DB screenshot at http://mariochampion.com/images/xprofile_data_table.png or just give it a try yourself.
So, after some digging I found where the xprofile fields are manipulated and added a little function to the bottom of my functions.php in plugins/buddypress/bp-themes/bp-default/functions.php to call wp_filter_kses() on the field value,
if you are inclined:
Just thought I'd give back a little.
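As an added example of the approach the post describes (not the poster's own code): a callback for bp-default's functions.php that runs wp_filter_kses() on each xprofile value before it is stored. It assumes BuddyPress applies the 'xprofile_data_value_before_save' filter in BP_XProfile_ProfileData::save() and hands the value over still slashed, which is the form wp_filter_kses() expects; the example_ function name is hypothetical.

```php
<?php
/*
 * Added example, not code from the post or from BuddyPress itself.
 * Assumption: BP_XProfile_ProfileData::save() runs the value through the
 * 'xprofile_data_value_before_save' filter before the INSERT/UPDATE, and the
 * value is still slashed at that point. wp_filter_kses() stripslashes, runs
 * wp_kses() against the default allowed-tag list, and re-adds the slashes, so
 * it fits that spot; on unslashed data you would use wp_kses_data() instead.
 */

// Remove every tag that is not on WordPress's allowed list (so <script> goes)
// before the value reaches the database. Multi-value fields such as checkbox
// and multiselectbox arrive as arrays, so recurse into them.
function example_xprofile_kses_before_save( $value, $data_obj = null ) {
	if ( is_array( $value ) ) {
		foreach ( $value as $key => $item ) {
			$value[ $key ] = example_xprofile_kses_before_save( $item, $data_obj );
		}
		return $value;
	}

	if ( ! is_string( $value ) ) {
		return $value; // numbers, nulls: nothing to filter
	}

	// The tag is dropped, its inner text is kept, which matches what the post
	// saw on output; the difference is that the literal tag never gets stored.
	return wp_filter_kses( $value );
}
add_filter( 'xprofile_data_value_before_save', 'example_xprofile_kses_before_save', 1, 2 );
```

For a plain-text field such as a zip code, where no HTML at all is wanted, wp_strip_all_tags() (WordPress 2.9+) is the stricter choice, since it also discards the contents of script and style blocks rather than just the tags.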