I went into the data base and deleted it, but this wont stop people from injecting malicous code into “unsanatised” user fields…
If you haven\’t altered any of the profile filtering mechanisms then the js will get removed. It gets filtered out by the standard wp filters which get run on the profile fields. The profile fields don\’t show up in the wp backend. If you have a user trying to insert js into a profile field I would delete that user. Now.
What version of bp are you running? I see all sorts of filtering going on in trunk.
bp-xprofile-filters.php
User fields are sanitized if you are using the standard BuddyPress template tags or function calls.
Hi Burtadsit
I am using Core: 1.0-RC1 / Profile: 1.0-RC1 / Messages: 1.0-RC1 / Blogs: 1.0-RC1 / Friends: 1.0-RC1 / Groups: 1.0-RC1 / Activity: 1.0-RC1 / Wire: 1.0-RC1 / Forums: 1.0-RC1 /
The base profile is fine, its when you add more user profile boxes like \”Age\” for an example.
The guy that entered it did it to show how vunrable it is,he then sent me a message to let me know. I havent altered any of the filtering mechanisms.
I am using the standard BuddyPress template aswell
I’ve added filters on these values now. Since only the site administrator has access to this, I can’t qualify this as a major security risk.
Any data entered or created by any other user is filtered.
One way I can stop this when adding more user profile boxes is to only use tick boxes, I guess that would work for users to select their age instead of having the user type it in.
Thanks for all of your help, Its much appreciated
Sorry to be a pain but how do I add the filters to the values you said above. Is there a patch or should I just re-download the script and re-install it.
thanks
If you\’re using SVN then update it with that, if not, then download from this zip and overwrite your files:
https://trac.buddypress.org/changeset/1280/trunk?old_path=%2F&format=zip
Hello again.. After I overwrote the files. My register page will not show up if somebody tries to register. The bp-core-signup.php is in wp/mu-plugins/bp-core folder.I Have no idea why the signup page wont show now when it was fine before.
Thanks
I don’t know what rev of bp you were using before but things have changed in that rev. The member theme are now located in /wp-content/bp-themes. See the readme in the bp-themes dir in that zip. Make sure you update the themes also.
Ok thanks once again.. Will do that now..You guys are stars
I think Im gonna have to do a complete re-install I have moved and updated the themes and now Iam getting an error on the home page
Fatal error: Cannot redeclare bp_core_signup_set_headers() (previously declared in /home/xxxxxx/public_html/wp-content/mu-plugins/bp-core-signup.php:4) in /home/xxxxxx/public_html/wp-content/mu-plugins/bp-core/bp-core-signup.php on line 11
Just to let you know everything is now working fine.I did not have to do a complete re-install. I for some reason had the signup-php in the mu-plugins and in the bp-core..lol It was all my fault… Im.tired well thats my excuse anyway …
Thanks again for all of your help
Hey Halfpint , I’m getting the same error as you when I try to activate the facebuddy theme..
I’ve looked in the locations you stated above but I only have the bp core signup.php only in bp-core directory , and not in mu-plugins or anywhere else that I can see.
Any help is greatly appreciated. 
Thanks,
Jenny
