I noticed that the fields accept the HTML. Are the fields properly sanitized?
As always: what version of BuddyPress are you running?
RC1
I hope the RC2 & V1 have taken care of this problem.
Burtadsit and I recall this coming up a few weeks ago. I can’t find any particular commit quickly but I’m sure something like this was fixed since RC1. Suggest you go into the DB and edit the offending item directly.
But isn’t this very harmful? I guess scripts can be used to hack the site as well?
The miscreant is using following script in the Group Name:
<script>alert('XX – XX rocks !')</script>
Can someone suggest a quick fix for this?
Upgrade would be the best solution. In the meantime, in bp-groups-filters.php add this:
add_filter( 'bp_group_name', 'wp_filter_kses', 1 );
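The output filter above hides the payload on pages that run that hook, but the stored record is untouched. As an added example (not from this thread), the following queries locate rows in the BuddyPress tables that still carry markup, so they can be edited directly as suggested earlier. It assumes the default wp_ table prefix and the standard wp_bp_groups and wp_bp_xprofile_data table layouts; adjust the prefix if the site uses another.

```sql
-- Added example, not from the thread. Assumes the default "wp_" prefix.
-- A group name should never contain markup, so any '<' is suspect;
-- descriptions may legitimately hold HTML, so look for script-like content.
SELECT id, creator_id, name, slug, description
FROM wp_bp_groups
WHERE name LIKE '%<%'
   OR description LIKE '%<script%'
   OR description LIKE '%javascript:%';

-- Extended profile field values (the same user reused the payload there).
-- Join on the field id and user id so the offending field can be edited
-- from the admin screens or directly in the row.
SELECT d.id, d.user_id, d.field_id, d.last_updated, d.value
FROM wp_bp_xprofile_data AS d
WHERE d.value LIKE '%<script%'
   OR d.value LIKE '%javascript:%'
ORDER BY d.user_id, d.field_id;
```

Review each hit before editing it; the patterns are deliberately broad so they also catch tags other than the exact one pasted above.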
Hi Burtadsit – the user has added the same script to his profile as well. Can I add the code to profiles page too? If yes, what would be the code and where exactly do I add it?
{PS: You are a rockstar! }
In bp-xprofile-filters.php:
add_filter( 'bp_the_profile_field_value', 'wp_filter_kses', 1 );
Once again upgrading will be the best solution.
This isn’t going to solve the problem completely. There has been a lot of added sanitization going on in bp. You really want to track these things down one by one?
I’ll try it. I added the filter to the groups page and the script does not appear when the group home page is visited. However, when loading the groups page [through the groups button], the script still appears.
PS: I’ll upgrade very soon.
Hi Burtadsit : Yes, upgrade is the best option. I want a few temporary fixes to keep a few idiots in our network from being smart.
FYI those filter calls I suggested were pulled directly from current bp code. I didn’t invent these things. There’s lots more and stuff under the hood that isn’t so obvious also.