Skip to:
Content

bbPress.org

Opened 12 years ago

Closed 11 years ago

Last modified 9 years ago

#1999 closed defect (bug) (fixed)

Use esc_ ...attr/html... _e() where appropriate

Reported by: johnjamesjacoby's profile johnjamesjacoby Owned by: johnjamesjacoby's profile johnjamesjacoby
Milestone: 2.4 Priority: normal
Severity: normal Version: 2.1
Component: Tools - Code Improvements Keywords:
Cc:

Description (last modified by johnjamesjacoby)

There are places where we used the typical __() and _e() functions. We should audit their usages, and use the escaping equivalents where it makes sense to.

Attachments (3)

form-user-edit.patch (1017 bytes) - added by alex-ye 11 years ago.
user-details.patch (900 bytes) - added by alex-ye 11 years ago.
users-template-tags.patch (1.2 KB) - added by alex-ye 11 years ago.

Download all attachments as: .zip

Change History (23)

#1 @johnjamesjacoby
12 years ago

  • Description modified (diff)

#2 @johnjamesjacoby
12 years ago

(In [4279]) Code Improvement:

  • Use esc_attr_e() in place of _e() is some obvious places.
  • See #1999.

#3 @johnjamesjacoby
12 years ago

(In [4281]) Code Improvement:

  • More politely cast arrays in settings sections and fields.
  • Use esc_html() on some admin strings. See #1999.
  • Clean up bbp_converter_setting_callback_platform().

#4 @johnjamesjacoby
12 years ago

  • Milestone changed from 2.2 to 2.3

Moving to 2.3 milestone. Not a blocker, and 2.2 is overdue.

#5 @johnjamesjacoby
12 years ago

  • Milestone changed from 2.3 to 2.4

Moving to 2.4. We can still iterate on this over time if we'd like to.

#6 @alex-ye
11 years ago

Done by the above patches:

  • Remove the use of esc_attr and sanitize_text_field from bbp_get_displayed_user_field() function.
  • Use the proper functions to escape the returned value in some uses of bbp_get_displayed_user_field().

There was a bug related to this when you enable some HTML in the user description, It was stripped out which makes hard to fix :)

I am not sure about the reason of using sanitize_text_field(), So I need dev feedback about this.

#7 @johnjamesjacoby
11 years ago

In 4950:

In admin, escape output of translated text where appropriate. Also review and refresh existing escaping approaches. See #1999.

#8 @johnjamesjacoby
11 years ago

In 4952:

Escape output of translation strings where appropriate. Refresh some escaping approaches. See #1999.

#9 @johnjamesjacoby
11 years ago

In 4958:

Use esc_html_e() in user template functions. See #1999.

#10 @johnjamesjacoby
11 years ago

In 4959:

Use esc_html_e() in extensions. See #1999.

#11 @alex-ye
11 years ago

jjj, not all the values returned from bbp_get_displayed_user_field() function are attributes, I vote to remove the escape function from bbp_get_displayed_user_field() and bbp_displayed_user_field() functions

#12 @johnjamesjacoby
11 years ago

In r4977:

Remove esc_attr() from bbp_get_displayed_user_field(), and practice late escaping where appropriate instead. See #1999.

#13 @alex-ye
11 years ago

Thanks jjj,

Can we remove the use of sanitize_text_field() function in the bbp_get_displayed_user_field() ?

it doesn't make sense for me, especially when we want to allow some HTML tags in the user bio.

#14 @johnjamesjacoby
11 years ago

In 4979:

Add $filter parameter and supporting phpdoc to bbp_displayed_user_field() && bbp_get_displayed_user_field() to allow more accurate sanitization of displayed user field values. Remove superfluous isset() check. Use 'edit' parameter in form-user-edit.php. See #1999.

#15 @johnjamesjacoby
11 years ago

In 4980:

Revert accidental test field change from r4979. See #1999.

#16 @johnjamesjacoby
11 years ago

In 4981:

Use raw user-data values in bbp_edit_user_handler(). See #1999.

#17 @johnjamesjacoby
11 years ago

In 4982:

Remove duplicate escaping from user-details.php, now that fields are automatically sanitized for display. See #1999.

#18 @johnjamesjacoby
11 years ago

In 4983:

Clean up bbp_get_displayed_user_field(). See #1999.

#19 @johnjamesjacoby
11 years ago

  • Resolution set to fixed
  • Status changed from new to closed

This seems pretty well cleaned up, so closing as fixed. Any ongoing enhancements here should reference this ticket.

#20 @johnjamesjacoby
9 years ago

In 5688:

Templates: Escape all gettext output in default template parts. See #1999.

Note: See TracTickets for help on using tickets.