Changeset 5370

Timestamp:

06/06/2014 03:56:06 AM (11 years ago)

Author:

johnjamesjacoby

Message:

Introduce bbp_sanitize_displayed_user_field() function to handle the sanitizing of displayed user data, and add it to the bbp_get_displayed_user_field filter. Props mazengamal. See #2610 (2.5 branch).

Location:

branches/2.5/includes

Files:

• core/filters.php (modified) (1 diff)
• users/functions.php (modified) (1 diff)
• users/template.php (modified) (1 diff)

branches/2.5/includes/core/filters.php

@@ -183 +183 @@
 add_filter( 'bbp_get_topic_post_count',     'bbp_number_format', 10 );
 
+// Sanitize displayed user data
+add_filter( 'bbp_get_displayed_user_field', 'bbp_sanitize_displayed_user_field', 10, 3 );
+
 // Run wp_kses_data on topic/reply content in admin section
 if ( is_admin() ) {

branches/2.5/includes/users/functions.php

@@ -1604 +1604 @@
 }
 
+/** Sanitization **************************************************************/
+
+/**
+ * Sanitize displayed user data, when viewing and editing any user.
+ *
+ * This somewhat monolithic function handles the escaping and sanitization of
+ * user data for a bbPress profile. There are two reasons this all happers here:
+ *
+ * 1. bbPress took a similar approach to WordPress, and funnels all user profile
+ *    data through a central helper. This eventually calls sanitize_user_field()
+ *    which applies a few context based filters, which some third party plugins
+ *    might be relying on bbPress to play nicely with.
+ *
+ * 2. Early versions of bbPress 2.x templates did not escape this data meaning
+ *    a backwards compatible approach like this one was necessary to protect
+ *    existing installations that may have custom template parts.
+ *
+ * @since bbPress (r5368)
+ *
+ * @param string $value
+ * @param string $field
+ * @param string $context
+ * @return string
+ */
+function bbp_sanitize_displayed_user_field( $value = '', $field = '', $context = 'display' ) {
+
+    // Bail if not editing or displaying (maybe we'll do more here later)
+    if ( ! in_array( $context, array( 'edit', 'display' ) ) ) {
+        return $value;
+    }
+
+    // By default, no filter set (consider making this an array later)
+    $filter = false;
+
+    // Big switch statement to decide which user field we're sanitizing and how
+    switch ( $field ) {
+
+        // Description is a paragraph
+        case 'description' :
+            $filter = ( 'edit' === $context ) ? '' : 'wp_kses_data';
+            break;
+
+        // Email addresses are sanitized with a specific function
+        case 'user_email'  :
+            $filter = 'sanitize_email';
+            break;
+
+        // Name & login fields
+        case 'user_login'   :
+        case 'display_name' :
+        case 'first_name'   :
+        case 'last_name'    :
+        case 'nick_name'    :
+            $filter = ( 'edit' === $context ) ? 'esc_attr' : 'esc_html';
+            break;
+
+        // wp-includes/default-filters.php escapes this for us via esc_url()
+        case 'user_url' :
+            break;
+    }
+
+    // Run any applicable filters on the value
+    if ( ! empty( $filter ) ) {
+        $value = call_user_func( $filter, $value );
+    }
+
+    return $value;
+}
+
 /** Converter *****************************************************************/
 

branches/2.5/includes/users/template.php

@@ -157 +157 @@
 
         // Return empty
-        return apply_filters( 'bbp_get_displayed_user_field', $value, $field );
+        return apply_filters( 'bbp_get_displayed_user_field', $value, $field, $filter );
     }