Proper output escaping #4
Comments
|
Addressed here: 6eed651 |
|
Looking good |
|
Because of this change 6eed651#diff-510c3663aa41187468817522a3a7c765R123 - when markup is in the content or body of a post, it is escaped in the duplicate posts resulting in this:
Is there a reason the escaping is necessary here or is this a bug? |
|
Hi @modelm - Thanks for the ticket. It looks like a bug; I'd noted in that changeset that content should not be output-escaped on the way into the database, but it looks like it was never rolled out. See https://github.com/cuny-academic-commons/bp-multiple-forum-post/blob/master/bp-multiple-forum-post.php#L142 @rjbaniel Could you have a look? Be sure to test with rich-text content. |
|
OK - I have already removed the esc_attr() for title & content in our fork, so if that's the only required change and you want a PR just let me know. |
|
Yup, I'm pretty sure that's all that's required.
…On 12/30/2016 01:30 PM, Ryan Williams wrote:
OK - I have already removed the esc_attr() for title & content in our
fork, so if that's the only required change and you want a PR just let
me know.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#4 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAPDYyQvqMOh3f7j6J3k73Rt6BgdSgUqks5rNVvLgaJpZM4HfMDQ>.
|
I noticed a number of places where user-generated content - like group names - is displayed on the front end, without being escaped. Let's fix this. Rules of thumb:
esc_html()for text that's echoed in such a way that it's displayed as the content of a HTML element (eg:<h2><?php echo esc_html( $group->name ); ?></h2>)esc_attr()for text that needs to be sanitized for use in element attributes (eg<input name="foo" value="<?php echo esc_attr( $group->slug ); ?>">)esc_url()for URLs, pretty much whenever they need to be echoed to the screen (there are exceptions where it's better to useesc_url_raw()- see https://kovshenin.com/2012/esc_url-vs-esc_url_raw/)The text was updated successfully, but these errors were encountered: