
Prevent users from adding popup scripts

  • @thebigk

    Participant

    Hi,

    One of our users has added a script to his profile that pops up a message window in the browser every time his profile is visited.

    How can this be prevented?

Viewing 13 replies - 1 through 13 (of 13 total)
  • @thebigk

    Participant

    I noticed that the fields accept HTML. Are the fields properly sanitized?

    @djpaul

    Keymaster

    As always: what version of BuddyPress are you running?

    @thebigk

    Participant

    RC1 :(

    I hope the RC2 & V1 have taken care of this problem.

    @djpaul

    Keymaster

    Burtadsit and I recall this coming up a few weeks ago. I can’t find any particular commit quickly but I’m sure something like this was fixed since RC1. Suggest you go into the DB and edit the offending item directly.

    @thebigk

    Participant

    But isn’t this very harmful? I guess scripts can be used to hack the site as well?

    @thebigk

    Participant

    The miscreant is using the following script in the Group Name:

    <script>alert('XX – XX rocks !')</script>

    Can someone suggest a quick fix for this?

    @burtadsit

    Participant

    Upgrade would be the best solution. In the meantime, in bp-groups-filters.php add this:

    add_filter( 'bp_group_name', 'wp_filter_kses', 1 );

    @thebigk

    Participant

    Hi Burtadsit – the user has added the same script to his profile as well. Can I add the code to profiles page too? If yes, what would be the code and where exactly do I add it?

    {PS: You are a rockstar! :) }

    @burtadsit

    Participant

    In bp-xprofile-filters.php:

    add_filter( 'bp_the_profile_field_value', 'wp_filter_kses', 1 );

    Once again upgrading will be the best solution.
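
    The two filter calls above, collected into one drop-in file as an added example (this is not code from the thread or from BuddyPress itself). It assumes BuddyPress loads a bp-custom.php from the plugins directory, so nothing in core has to be edited and the fix survives an upgrade; it assumes the hook names quoted in the thread ('bp_group_name', 'bp_the_profile_field_value') and the hypothetical save-time action name 'groups_group_before_save'; and it uses stock WordPress helpers. Two caveats a practitioner would want: wp_filter_kses() wraps the result in addslashes(), because it is written for filtering slashed data before a save, so on a display hook it will print a backslash before every apostrophe (O'Brien becomes O\'Brien); wp_kses_data() is the same allow-list without the slashes. And a group name carries no markup at all, so esc_html(), which encodes every tag, is a tighter choice there than any allow-list.

```php
<?php
/**
 * bp-custom.php: example drop-in, not BuddyPress code.
 * Assumes BuddyPress includes this file from the plugins directory.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only meaningful inside WordPress.
}

/**
 * Group names are plain text, so encode everything on output.
 * esc_html() turns  <script>alert('XX')</script>  into
 * &lt;script&gt;alert(&#039;XX&#039;)&lt;/script&gt;, which the browser
 * renders as literal text instead of executing.
 */
function bpc_escape_group_name( $name ) {
    return esc_html( $name );
}
add_filter( 'bp_group_name', 'bpc_escape_group_name', 1 );

/**
 * Profile fields may legitimately contain a little markup (a link in a bio),
 * so keep WordPress's default comment allow-list. wp_kses_data() drops
 * <script>, on* event attributes and javascript: URLs, and unlike
 * wp_filter_kses() it does not addslashes() the output.
 */
add_filter( 'bp_the_profile_field_value', 'wp_kses_data', 1 );

/**
 * Output filters only cover the template tags they are hooked to (the thread
 * notes the group directory listing was still affected). Cleaning the value
 * before it is stored closes that gap for every future render.
 * 'groups_group_before_save' is assumed here as the action BuddyPress fires
 * with the group object before writing it; adjust if your version differs.
 */
function bpc_strip_tags_from_group_name( $group ) {
    if ( isset( $group->name ) ) {
        $group->name = wp_strip_all_tags( $group->name );
    }
}
add_action( 'groups_group_before_save', 'bpc_strip_tags_from_group_name' );
```

    Existing poisoned rows are not touched by any of this; those still need to be edited in the database (or re-saved so the save-time hook runs), as @djpaul suggested.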

    @burtadsit

    Participant

    This isn’t going to solve the problem completely. There has been a lot of added sanitization going on in bp. You really want to track these things down one by one?

    @thebigk

    Participant

    I’ll try it. I added the filter to the groups page and the script does not appear when the group home page is visited. However, when loading the groups page [through the groups button], the script still appears.

    PS: I’ll upgrade very soon.

    @thebigk

    Participant

    Hi Burtadsit: Yes, upgrade is the best option. I want a few temporary fixes to keep a few idiots in our network from being smart.

    @burtadsit

    Participant

    FYI those filter calls I suggested were pulled directly from current bp code. I didn’t invent these things. There’s lots more and stuff under the hood that isn’t so obvious also.
