bbPress.org


Timestamp: 05/28/2020 11:40:56 AM (5 years ago)
Author: johnjamesjacoby
Message:

Forums: Escape forum descriptions in admin-area list tables.

This commit ensures that HTML is not rendered where it is not intended to be, most important to users having the unfiltered_html capability.

Props binit.

In trunk, for 2.7.0.

See #3374.

File:
1 edited

  • trunk/src/includes/admin/forums.php

    r7006 r7084  
    636636        }
    637637
    638         // simple hack to show the forum description under the title
    639         bbp_forum_content( $forum->ID );
     638        // Only show content if user can read it and there is no password
     639        if ( current_user_can( 'read_forum', $forum->ID ) && ! post_password_required( $forum ) ) {
     640
     641            // Get the forum description
     642            $content = bbp_get_forum_content( $forum->ID );
     643
     644            // Only proceed if there is a description
     645            if ( ! empty( $content ) ) {
     646                echo '<div class="bbp-escaped-content">' . esc_html( wp_trim_excerpt( $content, $forum ) ) . '</div>';
     647            }
     648        }
    640649
    641650        // Sort & return
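Review bot: the `wp_trim_excerpt( $content, $forum )` call on line 646 does not shorten the description, because `wp_trim_excerpt()` only builds a trimmed excerpt when its first argument is empty and otherwise returns the text it was given (after the `wp_trim_excerpt` filter); line 645 already guarantees `$content` is non-empty, so the list table shows the full description. If truncation is intended, use `esc_html( wp_trim_words( $content ) )` instead (or pass `''` and `$forum` so the excerpt is generated from the post itself), and keep `esc_html()` as the outermost call so the echoed string stays escaped. The escaping itself is correct: `esc_html()` wraps the final string before `echo`, so any markup stored in the description is displayed as literal text rather than rendered, which is what the commit message promises for `unfiltered_html` users; the `read_forum` and `post_password_required()` gate on line 639 is also an improvement over the old unconditional `bbp_forum_content()` on line 639 of the previous revision.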