Changeset 6063 for branches/2.5/includes/users/template.php

Timestamp:

07/13/2016 03:11:43 PM (9 years ago)

Author:

johnjamesjacoby

Message:

Escape display_name field usages in bbp_get_author_link(). (2.5 branch)

File:

• branches/2.5/includes/users/template.php (modified) (3 diffs)

branches/2.5/includes/users/template.php

@@ -1653 +1653 @@
 
             // Assemble some link bits
-            $link_title = !empty( $r['link_title'] ) ? ' title="' . $r['link_title'] . '"' : '';
-            $anonymous  = bbp_is_reply_anonymous( $r['post_id'] );
+            $link_title = !empty( $r['link_title'] )
+                ? ' title="' . esc_attr( $r['link_title'] ) . '"'
+                : '';
+
+            $anonymous = bbp_is_reply_anonymous( $r['post_id'] );
 
             // Get avatar
@@ -1663 +1666 @@
             // Get display name
             if ( 'name' === $r['type'] || 'both' === $r['type'] ) {
-                $author_links[] = get_the_author_meta( 'display_name', $user_id );
+                $author_links[] = esc_html( get_the_author_meta( 'display_name', $user_id ) );
             }
 
@@ -1670 +1673 @@
                 $author_url = bbp_get_user_profile_url( $user_id );
                 foreach ( $author_links as $link_text ) {
-                    $author_link[] = sprintf( '<a href="%1$s"%2$s>%3$s</a>', $author_url, $link_title, $link_text );
+                    $author_link[] = sprintf( '<a href="%1$s"%2$s>%3$s</a>', esc_url( $author_url ), $link_title, $link_text );
                 }
                 $author_link = implode( '&nbsp;', $author_link );