Timestamp:
06/09/2017 04:30:56 PM (14 months ago)
Author:
johnjamesjacoby
Message:

Users: Sanitize name, email, and website in bbp_filter_anonymous_post_data().

2.5 branch, for 2.5.13.

File:
1 edited

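--- a/branches/2.5/includes/common/functions.php
+++ b/branches/2.5/includes/common/functions.php
@@ -614,7 +614,7 @@
     // Parse arguments against default values
     $r = bbp_parse_args( $args, array (
-        'bbp_anonymous_name'    => !empty( $_POST['bbp_anonymous_name']    ) ? $_POST['bbp_anonymous_name']    : false,
-        'bbp_anonymous_email'   => !empty( $_POST['bbp_anonymous_email']   ) ? $_POST['bbp_anonymous_email']  : false,
-        'bbp_anonymous_website' => !empty( $_POST['bbp_anonymous_website'] ) ? $_POST['bbp_anonymous_website'] : false,
+        'bbp_anonymous_name'    => !empty( $_POST['bbp_anonymous_name']    ) ? sanitize_text_field( $_POST['bbp_anonymous_name']    ) : false,
+        'bbp_anonymous_email'   => !empty( $_POST['bbp_anonymous_email']   ) ? sanitize_email(      $_POST['bbp_anonymous_email']   ) : false,
+        'bbp_anonymous_website' => !empty( $_POST['bbp_anonymous_website'] ) ? sanitize_text_field( $_POST['bbp_anonymous_website'] ) : false,
     ), 'filter_anonymous_post_data' );
 
@@ -679,5 +679,5 @@
         $clauses = get_meta_sql( array( array(
             'key'   => '_bbp_anonymous_email',
-            'value' => $r['anonymous_data']['bbp_anonymous_email']
+            'value' => sanitize_email( $r['anonymous_data']['bbp_anonymous_email'] )
         ) ), 'post', $wpdb->posts, 'ID' );
 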
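Review bot: The website field on new line 618 goes through sanitize_text_field(), which strips tags and control characters but does not constrain the value to a URL, so whatever the submitter typed is still stored as-is for later output; WordPress provides esc_url_raw() for sanitizing a URL before storage, i.e. `'bbp_anonymous_website' => !empty( $_POST['bbp_anonymous_website'] ) ? esc_url_raw( $_POST['bbp_anonymous_website'] ) : false,`, with escaping still applied at the point of output. A second effect worth confirming: sanitize_email() returns an empty string for an address it cannot validate, so after this change a non-empty but invalid submission yields `''` where the default branch yields `false`, which matters if code downstream of bbp_parse_args() distinguishes the two. The re-application of sanitize_email() on new line 681 is redundant when $r['anonymous_data'] came through this same filter but is harmless as defence in depth; bbp_filter_anonymous_post_data() and the function enclosing the second hunk both begin and end outside the shown lines.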