Changeset 4979

Timestamp:

06/04/2013 04:42:44 AM (13 years ago)

Author:

johnjamesjacoby

Message:

Add $filter parameter and supporting phpdoc to bbp_displayed_user_field() && bbp_get_displayed_user_field() to allow more accurate sanitization of displayed user field values. Remove superfluous isset() check. Use 'edit' parameter in form-user-edit.php. See #1999.

Location:

trunk

Files:

• includes/users/template-tags.php (modified) (1 diff)
• templates/default/bbpress/form-user-edit.php (modified) (6 diffs)

trunk/includes/users/template-tags.php

@@ -110 +110 @@
  * Output a sanitized user field value
  *
+ * This function relies on the $filter parameter to decide how to sanitize
+ * the field value that it finds. Since it uses the WP_User object's magic
+ * __get() method, it can also be used to get user_meta values.
+ *
  * @since bbPress (r2688)
  *
  * @param string $field Field to get
+ * @param string $filter How to filter the field value (null|raw|db|display|edit)
  * @uses bbp_get_displayed_user_field() To get the field
  */
-function bbp_displayed_user_field( $field = '' ) {
-    echo bbp_get_displayed_user_field( $field );
+function bbp_displayed_user_field( $field = '', $filter = 'display' ) {
+    echo bbp_get_displayed_user_field( $field, $filter );
 }
     /**
      * Return a sanitized user field value
      *
+     * This function relies on the $filter parameter to decide how to sanitize
+     * the field value that it finds. Since it uses the WP_User object's magic
+     * __get() method, it can also be used to get user_meta values.
+     *
      * @since bbPress (r2688)
      *
      * @param string $field Field to get
-     * @uses sanitize_text_field() To sanitize the field
-     * @uses esc_attr() To sanitize the field
+     * @param string $filter How to filter the field value (null|raw|db|display|edit)
+     * @see WP_User::__get() for more on how the value is retrieved
+     * @see sanitize_user_field() for more on how the value is sanitized
      * @uses apply_filters() Calls 'bbp_get_displayed_user_field' with the value
      * @return string|bool Value of the field if it exists, else false
      */
-    function bbp_get_displayed_user_field( $field = '' ) {
-        $bbp   = bbpress();
-        $value = false;
-
-        // Return field if exists
-        if ( isset( $bbp->displayed_user->$field ) )
-            $value = sanitize_text_field( $bbp->displayed_user->$field );
+    function bbp_get_displayed_user_field( $field = '', $filter = 'display' ) {
+        $bbp = bbpress();
+
+        // Juggle the user filter property because it's byref, and we don't want
+        // to muck up how other code might interact with this object.
+        $old_filter                  = $bbp->displayed_user->filter;
+        $bbp->displayed_user->filter = $filter;
+
+        // Get the field value from the WP_User object. We don't need to perform
+        // an isset() because the WP_User::__get() does it for us.
+        $value = $bbp->displayed_user->$field;
+
+        // Put back the user filter property that was previously juggled above.
+        $bbp->displayed_user->filter = $old_filter;
+
+        // Clean up the temporary variable
+        unset( $old_filter );
 
         // Return empty

trunk/templates/default/bbpress/form-user-edit.php

@@ -23 +23 @@
         <div>
             <label for="first_name"><?php _e( 'First Name', 'bbpress' ) ?></label>
-            <input type="text" name="first_name" id="first_name" value="<?php bbp_displayed_user_field( 'first_name' ); ?>" class="regular-text" tabindex="<?php bbp_tab_index(); ?>" />
+            <input type="text" name="first_name" id="first_name" value="<?php bbp_displayed_user_field( 'first_name', 'edit' ); ?>" class="regular-text" tabindex="<?php bbp_tab_index(); ?>" />
         </div>
 
         <div>
             <label for="last_name"><?php _e( 'Last Name', 'bbpress' ) ?></label>
-            <input type="text" name="last_name" id="last_name" value="<?php bbp_displayed_user_field( 'last_name' ); ?>" class="regular-text" tabindex="<?php bbp_tab_index(); ?>" />
+            <input type="text" name="last_name" id="last_name" value="<?php bbp_displayed_user_field( 'last_name', 'edit' ); ?>" class="regular-text" tabindex="<?php bbp_tab_index(); ?>" />
         </div>
 
         <div>
             <label for="nickname"><?php _e( 'Nickname', 'bbpress' ); ?></label>
-            <input type="text" name="nickname" id="nickname" value="<?php bbp_displayed_user_field( 'nickname' ); ?>" class="regular-text" tabindex="<?php bbp_tab_index(); ?>" />
+            <input type="text" name="nickname" id="nickname" value="<?php bbp_displayed_user_field( 'nickname', 'edit' ); ?>" class="regular-text" tabindex="<?php bbp_tab_index(); ?>" />
         </div>
 
@@ -56 +56 @@
         <div>
             <label for="url"><?php _e( 'Website', 'bbpress' ) ?></label>
-            <input type="text" name="url" id="url" value="<?php bbp_displayed_user_field( 'user_url' ); ?>" class="regular-text code" tabindex="<?php bbp_tab_index(); ?>" />
+            <input type="text" name="url" id="url" value="<?php bbp_displayed_user_field( 'user_url', 'edit' ); ?>" class="regular-text code" tabindex="<?php bbp_tab_index(); ?>" />
         </div>
 
@@ -81 +81 @@
         <div>
             <label for="description"><?php _e( 'Biographical Info', 'bbpress' ); ?></label>
-            <textarea name="description" id="description" rows="5" cols="30" tabindex="<?php bbp_tab_index(); ?>"><?php echo esc_attr( bbp_get_displayed_user_field( 'description' ) ); ?></textarea>
+            <textarea name="description" id="description" rows="5" cols="30" tabindex="<?php bbp_tab_index(); ?>"><?php echo bbp_get_displayed_user_field( 'stuff', 'edit' ); ?></textarea>
         </div>
 
@@ -97 +97 @@
         <div>
             <label for="user_login"><?php _e( 'Username', 'bbpress' ); ?></label>
-            <input type="text" name="user_login" id="user_login" value="<?php bbp_displayed_user_field( 'user_login' ); ?>" disabled="disabled" class="regular-text" tabindex="<?php bbp_tab_index(); ?>" />
+            <input type="text" name="user_login" id="user_login" value="<?php bbp_displayed_user_field( 'user_login', 'edit' ); ?>" disabled="disabled" class="regular-text" tabindex="<?php bbp_tab_index(); ?>" />
         </div>
 
@@ -103 +103 @@
             <label for="email"><?php _e( 'Email', 'bbpress' ); ?></label>
 
-            <input type="text" name="email" id="email" value="<?php bbp_displayed_user_field( 'user_email' ); ?>" class="regular-text" tabindex="<?php bbp_tab_index(); ?>" />
+            <input type="text" name="email" id="email" value="<?php bbp_displayed_user_field( 'user_email', 'edit' ); ?>" class="regular-text" tabindex="<?php bbp_tab_index(); ?>" />
 
             <?php
@@ -109 +109 @@
             // Handle address change requests
             $new_email = get_option( bbp_get_displayed_user_id() . '_new_email' );
-            if ( $new_email && $new_email != bbp_get_displayed_user_field( 'user_email' ) ) : ?>
+            if ( $new_email && $new_email != bbp_get_displayed_user_field( 'user_email', 'edit' ) ) : ?>
 
                 <span class="updated inline">