| | 1731 | /** Sanitization **************************************************************/ |
| | 1732 | |
| | 1733 | /** |
| | 1734 | * Sanitize displayed user data, when viewing and editing any user. |
| | 1735 | * |
| | 1736 | * This somewhat monolithic function handles the escaping and sanitization of |
| | 1737 | * user data for a bbPress profile. There are two reasons this all happers here: |
| | 1738 | * |
| | 1739 | * 1. bbPress took a similar approach to WordPress, and funnels all user profile |
| | 1740 | * data through a central helper. This eventually calls sanitize_user_field() |
| | 1741 | * which applies a few context based filters, which some third party plugins |
| | 1742 | * might be relying on bbPress to play nicely with. |
| | 1743 | * |
| | 1744 | * 2. Early versions of bbPress 2.x templates did not escape this data meaning |
| | 1745 | * a backwards compatible approach like this one was necessary to protect |
| | 1746 | * existing installations that may have custom template parts. |
| | 1747 | * |
| | 1748 | * @since bbPress (rxxxx) |
| | 1749 | * |
| | 1750 | * @param string $value |
| | 1751 | * @param string $field |
| | 1752 | * @param string $context |
| | 1753 | * @return string |
| | 1754 | */ |
| | 1755 | function bbp_sanitize_displayed_user_field( $value = '', $field = '', $context = 'display' ) { |
| | 1756 | |
| | 1757 | // Bail if not editing or displaying (maybe we'll do more here later) |
| | 1758 | if ( ! in_array( $context, array( 'edit', 'display' ) ) ) { |
| | 1759 | return $value; |
| | 1760 | } |
| | 1761 | |
| | 1762 | // By default, no filter set (consider making this an array later) |
| | 1763 | $filter = false; |
| | 1764 | |
| | 1765 | // Big switch statement to decide which user field we're sanitizing and how |
| | 1766 | switch ( $field ) { |
| | 1767 | |
| | 1768 | // Description is a paragraph |
| | 1769 | case 'description' : |
| | 1770 | $filter = ( 'edit' === $context ) ? '' : 'wp_kses_data'; |
| | 1771 | break; |
| | 1772 | |
| | 1773 | // Email addresses are sanitized with a specific function |
| | 1774 | case 'user_email' : |
| | 1775 | $filter = 'sanitize_email'; |
| | 1776 | break; |
| | 1777 | |
| | 1778 | // Name & login fields |
| | 1779 | case 'user_login' : |
| | 1780 | case 'display_name' : |
| | 1781 | case 'first_name' : |
| | 1782 | case 'last_name' : |
| | 1783 | case 'nick_name' : |
| | 1784 | $filter = ( 'edit' === $context ) ? 'esc_attr' : 'esc_html'; |
| | 1785 | break; |
| | 1786 | |
| | 1787 | // wp-includes/default-filters.php escapes this for us via esc_url() |
| | 1788 | case 'user_url' : |
| | 1789 | break; |
| | 1790 | } |
| | 1791 | |
| | 1792 | // Run any applicable filters on the value |
| | 1793 | if ( ! empty( $filter ) ) { |
| | 1794 | $value = call_user_func( $filter, $value ); |
| | 1795 | } |
| | 1796 | |
| | 1797 | return $value; |
| | 1798 | } |
| | 1799 | |