Changeset 6741


Timestamp:
11/17/2017 08:51:34 PM (8 years ago)
Author:
johnjamesjacoby
Message:

Anonymous: remove escaped placeholders from $where clause of duplicate check.

This change fixes a bug affecting WordPress 4.8.3 and higher that caused the anonymous email comparison to use the placeholder text instead of the raw email address, but only when an email address contained a % character.

Also use the correct return variant, and make sure the output is escaped.

Location:
trunk/src/includes
Files:
2 edited

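--- a/trunk/src/includes/common/functions.php
+++ b/trunk/src/includes/common/functions.php
@@ -649,5 +649,7 @@
             // Set clauses
             $join  = $clauses['join'];
-            $where = $clauses['where'];
+
+            // "%" and "$" are valid characters
+            $where = $bbp_db->remove_placeholder_escape( $clauses['where'] );
         }
     }
@@ -660,6 +662,10 @@
 
     // Prepare duplicate check query
-    $query  = $bbp_db->prepare( "SELECT ID FROM {$bbp_db->posts} {$join} WHERE post_type = %s AND post_status != %s AND post_author = %d AND post_content = %s {$where}", $r['post_type'], $r['post_status'], $r['post_author'], $r['post_content'] );
-    $query .= ! empty( $r['post_parent'] ) ? $bbp_db->prepare( " AND post_parent = %d", $r['post_parent'] ) : '';
+    $query  = "SELECT ID FROM {$bbp_db->posts} {$join}";
+    $query  = $bbp_db->prepare( "WHERE post_type = %s AND post_status != %s AND post_author = %d AND post_content = %s", $r['post_type'], $r['post_status'], $r['post_author'], $r['post_content'] );
+    $query .= ! empty( $r['post_parent'] )
+        ? $bbp_db->prepare( " AND post_parent = %d", $r['post_parent'] )
+        : '';
+    $query .= $where;
     $query .= " LIMIT 1";
     $dupe   = apply_filters( 'bbp_check_for_duplicate_query', $query, $r );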
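Review bot: New line 665 assigns with `=` instead of `.=`, so the `SELECT ID FROM {$bbp_db->posts} {$join}` built on line 664 is discarded and the query handed to the duplicate check begins at `WHERE`; the two fragments would also need a separating space. The line should read `$query .= $bbp_db->prepare( " WHERE post_type = %s AND post_status != %s AND post_author = %d AND post_content = %s", $r['post_type'], $r['post_status'], $r['post_author'], $r['post_content'] );`. Appending `$where` after the prepared portion rather than interpolating it into the prepared format is the right shape for an already-prepared meta-query clause, but it relies on `$where` being initialised to an empty string before the meta-query branch in the first hunk; that initialisation, like the rest of the enclosing function, lies outside these hunks, so please confirm it. A comment on line 669 such as `// $where is already prepared (meta query) and must not pass through prepare() again` would make that contract explicit for the next maintainer.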
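--- a/trunk/src/includes/users/template.php
+++ b/trunk/src/includes/users/template.php
@@ -815,5 +815,5 @@
  */
 function bbp_author_display_name( $post_id = 0 ) {
-    echo bbp_get_author_display_name( $post_id );
+    echo esc_attr( bbp_get_author_display_name( $post_id ) );
 }
 
@@ -865,5 +865,5 @@
  */
 function bbp_author_email( $post_id = 0 ) {
-    echo bbp_get_author_email( $post_id );
+    echo esc_attr( bbp_get_author_email( $post_id ) );
 }
 
@@ -896,5 +896,5 @@
         // Not an edit, so rely on current user cookie data
         } else {
-            $retval = bbp_current_anonymous_user_data( 'email' );
+            $retval = bbp_get_current_anonymous_user_data( 'email' );
         }
 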
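Review bot: `esc_attr()` is applied in the echoing template tags `bbp_author_display_name()` and `bbp_author_email()` (first and second hunks), yet neither function can know whether the caller places the output in an attribute or in element text; if these tags are used in HTML text content, as most `bbp_*` echo wrappers are, `esc_html()` is the escape matching that context, e.g. `echo esc_html( bbp_get_author_display_name( $post_id ) );`. Whichever escape is chosen, the docblocks above these functions (outside the hunk) should state that the echo variant is escaped and for which context, so that template authors do not double-escape or pick the wrong tag. The third hunk's switch to `bbp_get_current_anonymous_user_data( 'email' )` sits inside a function whose start and end are outside the hunk, so the unescaped `$retval` return path cannot be reviewed here.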