| 1731 | /** Sanitization **************************************************************/ |
| 1732 | |
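/**
 * Sanitize displayed user data, when viewing and editing any user.
 *
 * This somewhat monolithic function handles the escaping and sanitization of
 * user data for a bbPress profile. There are two reasons this all happens here:
 *
 * 1. bbPress took a similar approach to WordPress, and funnels all user profile
 *    data through a central helper. This eventually calls sanitize_user_field()
 *    which applies a few context based filters, which some third party plugins
 *    might be relying on bbPress to play nicely with.
 *
 * 2. Early versions of bbPress 2.x templates did not escape this data meaning
 *    a backwards compatible approach like this one was necessary to protect
 *    existing installations that may have custom template parts.
 *
 * Fields with no matching case below (including 'user_url', which
 * wp-includes/default-filters.php already escapes via esc_url()) are returned
 * unchanged, as is any value when $context is neither 'edit' nor 'display'.
 * Callers that output the result are still responsible for escaping in the
 * context they print it in.
 *
 * @since bbPress (rxxxx)
 *
 * @param string $value   Raw field value as stored for the user.
 * @param string $field   User field key, e.g. 'user_email' or 'description'.
 * @param string $context 'display' (default) or 'edit'; anything else is a no-op.
 * @return string Escaped value, or the original value when no filter applies.
 */
function bbp_sanitize_displayed_user_field( $value = '', $field = '', $context = 'display' ) {

	// Bail if not editing or displaying (maybe we'll do more here later).
	// Strict comparison so non-string contexts (0, true, etc.) cannot pass
	// this gate through PHP's loose in_array() type juggling.
	if ( ! in_array( $context, array( 'edit', 'display' ), true ) ) {
		return $value;
	}

	// Name of the escaping function to apply; null means "leave as-is"
	$filter = null;

	// Decide which user field we're sanitizing and how
	switch ( $field ) {

		// Description is a paragraph: allow limited markup when displaying,
		// and leave it untouched when editing so the textarea round-trips
		case 'description' :
			$filter = ( 'edit' === $context ) ? null : 'wp_kses_data';
			break;

		// Email addresses are sanitized with a specific function
		case 'user_email' :
			$filter = 'sanitize_email';
			break;

		// Name & login fields. WordPress keys the nickname as 'nickname'
		// (usermeta / WP_User property); 'nick_name' is kept as well in case
		// existing callers pass that spelling.
		case 'user_login' :
		case 'display_name' :
		case 'first_name' :
		case 'last_name' :
		case 'nickname' :
		case 'nick_name' :
			$filter = ( 'edit' === $context ) ? 'esc_attr' : 'esc_html';
			break;

		// wp-includes/default-filters.php escapes this for us via esc_url()
		case 'user_url' :
			break;
	}

	// Run the applicable escaping function on the value
	if ( null !== $filter ) {
		$value = call_user_func( $filter, $value );
	}

	return $value;
}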
| 1799 | |