


Timestamp:
11/10/2014 05:37:29 PM (7 years ago)
Author:
johnjamesjacoby
Message:

Improve form field output sanitization when posting theme-side forum/topic/reply content. Thanks planetzuda. See #2719.

File:
1 edited

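--- a/trunk/src/includes/topics/template.php
+++ b/trunk/src/includes/topics/template.php
@@ -3266,5 +3266,5 @@
 
             // Post value is passed
-            if ( bbp_is_post_request() && isset( $_POST[ $r['select_id'] ] ) ) {
+            if ( bbp_is_topic_form_post_request() && isset( $_POST[ $r['select_id'] ] ) ) {
                 $r['selected'] = $_POST[ $r['select_id'] ];
 
@@ -3355,5 +3355,5 @@
 
             // Post value is passed
-            if ( bbp_is_post_request() && isset( $_POST[ $r['select_id'] ] ) ) {
+            if ( bbp_is_topic_form_post_request() && isset( $_POST[ $r['select_id'] ] ) ) {
                 $r['selected'] = $_POST[ $r['select_id'] ];
 
@@ -3849,6 +3849,6 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_topic_title'] ) ) {
-            $topic_title = $_POST['bbp_topic_title'];
+        if ( bbp_is_topic_form_post_request() && isset( $_POST['bbp_topic_title'] ) ) {
+            $topic_title = stripslashes( $_POST['bbp_topic_title'] );
 
         // Get edit data
@@ -3886,5 +3886,5 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_topic_content'] ) ) {
+        if ( bbp_is_topic_form_post_request() && isset( $_POST['bbp_topic_content'] ) ) {
             $topic_content = stripslashes( $_POST['bbp_topic_content'] );
 
@@ -3933,6 +3933,6 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_topic_tags'] ) ) {
-            $topic_tags = $_POST['bbp_topic_tags'];
+        if ( ( bbp_is_topic_form_post_request() || bbp_is_reply_form_post_request() ) && isset( $_POST['bbp_topic_tags'] ) ) {
+            $topic_tags = stripslashes( $_POST['bbp_topic_tags'] );
 
         // Get edit data
@@ -4016,5 +4016,5 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_forum_id'] ) ) {
+        if ( bbp_is_topic_form_post_request() && isset( $_POST['bbp_forum_id'] ) ) {
             $topic_forum = (int) $_POST['bbp_forum_id'];
 
@@ -4056,5 +4056,5 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_topic_subscription'] ) ) {
+        if ( bbp_is_topic_form_post_request() && isset( $_POST['bbp_topic_subscription'] ) ) {
             $topic_subscribed = (bool) $_POST['bbp_topic_subscription'];
 
@@ -4111,10 +4111,10 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_log_topic_edit'] ) ) {
-            $topic_revision = (int) $_POST['bbp_log_topic_edit'];
+        if ( bbp_is_topic_form_post_request() && isset( $_POST['bbp_log_topic_edit'] ) ) {
+            $topic_revision = (bool) $_POST['bbp_log_topic_edit'];
 
         // No data
         } else {
-            $topic_revision = 1;
+            $topic_revision = true;
         }
 
@@ -4147,6 +4147,6 @@
 
         // Get _POST data
-        if ( bbp_is_post_request() && isset( $_POST['bbp_topic_edit_reason'] ) ) {
-            $topic_edit_reason = $_POST['bbp_topic_edit_reason'];
+        if ( bbp_is_topic_form_post_request() && isset( $_POST['bbp_topic_edit_reason'] ) ) {
+            $topic_edit_reason = stripslashes( $_POST['bbp_topic_edit_reason'] );
 
         // No data
@@ -4155,4 +4155,35 @@
         }
 
-        return apply_filters( 'bbp_get_form_topic_edit_reason', esc_attr( $topic_edit_reason ) );
-    }
+        return apply_filters( 'bbp_get_form_topic_edit_reason', $topic_edit_reason );
+    }
+
+/**
+ * Verify if a POST request came from a failed topic attempt.
+ *
+ * Used to avoid cross-site request forgeries when checking posted topic form
+ * content.
+ *
+ * @see bbp_topic_form_fields()
+ *
+ * @since bbPress (r5558)
+ * @return boolean True if is a post request with valid nonce
+ */
+function bbp_is_topic_form_post_request() {
+
+    // Bail if not a post request
+    if ( ! bbp_is_post_request() ) {
+        return false;
+    }
+
+    // Creating a new topic
+    if ( bbp_verify_nonce_request( 'bbp-new-topic' ) ) {
+        return true;
+    }
+
+    // Editing an existing topic
+    if ( bbp_verify_nonce_request( 'bbp-edit-topic' ) ) {
+        return true;
+    }
+
+    return false;
+}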
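Review bot: `esc_attr()` is dropped from the return at new line 4157, so `bbp_get_form_topic_edit_reason()` now passes the raw POSTed string (only run through `stripslashes()`) to the filter, and the title and tags getters at new lines 3852 and 3936 return their values unescaped the same way; whether that is safe now rests entirely on the echoing wrapper or template applying `esc_attr()`/`esc_textarea()` at output, which is outside this hunk (the enclosing `bbp_get_form_topic_edit_reason()` starts before it). Since the commit message frames this as moving sanitization to output, each affected getter's docblock should state the contract, e.g. `@return string Raw (unescaped) value; escape at output with esc_attr()`. The nonce gate in `bbp_is_topic_form_post_request()` is what stops an attacker-crafted POST from being reflected into the form fields, so its docblock's "avoid cross-site request forgeries" could more precisely read `Ensures only values from a nonce-verified topic form submission are reflected back into the form.` The tags condition at new line 3935 also calls `bbp_is_reply_form_post_request()`, which this changeset (one file edited) does not add, so confirm it already exists in the replies template.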