Timestamp:
11/10/2014 05:37:29 PM (7 years ago)
Author:
johnjamesjacoby
Message:

Improve form field output sanitization when posting theme-side forum/topic/reply content. Thanks planetzuda. See #2719.

File:
1 edited

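--- a/trunk/src/includes/forums/template.php
+++ b/trunk/src/includes/forums/template.php
@@ -2185,5 +2185,5 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_forum_title'] ) ) {
+        if ( bbp_is_forum_form_post_request() && isset( $_POST['bbp_forum_title'] ) ) {
             $forum_title = $_POST['bbp_forum_title'];
 
@@ -2222,5 +2222,5 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_forum_content'] ) ) {
+        if ( bbp_is_forum_form_post_request() && isset( $_POST['bbp_forum_content'] ) ) {
             $forum_content = stripslashes( $_POST['bbp_forum_content'] );
 
@@ -2260,5 +2260,5 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_forum_id'] ) ) {
+        if ( bbp_is_forum_form_post_request() && isset( $_POST['bbp_forum_id'] ) ) {
             $forum_parent = $_POST['bbp_forum_id'];
 
@@ -2298,5 +2298,5 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_forum_type'] ) ) {
+        if ( bbp_is_forum_form_post_request() && isset( $_POST['bbp_forum_type'] ) ) {
             $forum_type = $_POST['bbp_forum_type'];
 
@@ -2336,5 +2336,5 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_forum_visibility'] ) ) {
+        if ( bbp_is_forum_form_post_request() && isset( $_POST['bbp_forum_visibility'] ) ) {
             $forum_visibility = $_POST['bbp_forum_visibility'];
 
@@ -2378,5 +2378,5 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_forum_subscription'] ) ) {
+        if ( bbp_is_forum_form_post_request() && isset( $_POST['bbp_forum_subscription'] ) ) {
             $forum_subscribed = (bool) $_POST['bbp_forum_subscription'];
 
@@ -2465,5 +2465,5 @@
 
             // Post value is passed
-            if ( bbp_is_post_request() && isset( $_POST[ $r['select_id'] ] ) ) {
+            if ( bbp_is_forum_form_post_request() && isset( $_POST[ $r['select_id'] ] ) ) {
                 $r['selected'] = $_POST[ $r['select_id'] ];
 
@@ -2557,5 +2557,5 @@
 
             // Post value is passed
-            if ( bbp_is_post_request() && isset( $_POST[ $r['select_id'] ] ) ) {
+            if ( bbp_is_forum_form_post_request() && isset( $_POST[ $r['select_id'] ] ) ) {
                 $r['selected'] = $_POST[ $r['select_id'] ];
 
@@ -2649,5 +2649,5 @@
 
             // Post value is passed
-            if ( bbp_is_post_request() && isset( $_POST[ $r['select_id'] ] ) ) {
+            if ( bbp_is_forum_form_post_request() && isset( $_POST[ $r['select_id'] ] ) ) {
                 $r['selected'] = $_POST[ $r['select_id'] ];
 
@@ -2688,4 +2688,35 @@
         return apply_filters( 'bbp_get_form_forum_type_dropdown', ob_get_clean(), $r );
     }
+
+/**
+ * Verify if a POST request came from a failed forum attempt.
+ *
+ * Used to avoid cross-site request forgeries when checking posted forum form
+ * content.
+ *
+ * @see bbp_forum_form_fields()
+ *
+ * @since bbPress (r5558)
+ * @return boolean True if is a post request with valid nonce
+ */
+function bbp_is_forum_form_post_request() {
+
+    // Bail if not a post request
+    if ( ! bbp_is_post_request() ) {
+        return false;
+    }
+
+    // Creating a new topic
+    if ( bbp_verify_nonce_request( 'bbp-new-forum' ) ) {
+        return true;
+    }
+
+    // Editing an existing topic
+    if ( bbp_verify_nonce_request( 'bbp-edit-forum' ) ) {
+        return true;
+    }
+
+    return false;
+}
 
 /** Feeds *********************************************************************/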
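Review bot: The two comments inside the new bbp_is_forum_form_post_request() read "Creating a new topic" and "Editing an existing topic", but the nonces it verifies are `bbp-new-forum` and `bbp-edit-forum`, so the comments look copied from the topic variant and should be `// Creating a new forum` and `// Editing an existing forum`. The docblock should also state what this gate does and does not buy: it only establishes that the POST carried one of bbPress's own forum-form nonces (closing the forged-POST path into these form fields), while the values read in the hunks above — `$forum_title`, `$forum_parent`, `$forum_type`, `$forum_visibility` and `$r['selected']` — are still assigned straight from `$_POST`, so escaping at the point of output remains required; that output path is outside this diff, so I cannot confirm it here. Consider adding a sentence like "Does not sanitize or escape the posted values; callers must still escape on output." to the docblock. `bbp_verify_nonce_request()` is invoked twice in sequence; if it has side effects on a failed check (logging, hooks), confirm that double-firing is acceptable.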