Manually filter output of widgets

Previously, everything was running through esc_html(). However, this meant that HTML could not be passed though. Instead, we manually apply all of the xprofile filter callbacks, except esc_html(). This should provide enough security for now. In the future, may want to refactor this to use add_filter() callbacks or something more elegant.
cuny-academic-commons · Aug 30, 2013 · eec894c · eec894c
1 parent 0d20bb8
commit eec894c
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/includes/widget.php b/includes/widget.php
@@ -194,7 +194,24 @@ public function display_title_markup( $value ) {
 
 	// @todo use bp xprofile functions for formatting potential arrays, etc
 	public function display_content_markup( $value ) {
-		return apply_filters( 'bp_get_the_profile_field_value', $value );
+		// Hack for now
+		$value = wptexturize( $value );
+		$value = convert_chars( $value );
+		$value = wpautop( $value );
+		$value = force_balance_tags( $value );
+		$value = make_clickable( $value );
+		$value = convert_smilies( $value );
+		$value = xprofile_filter_kses( $value );
+
+		if ( function_exists( 'cpfb_filter_link_profile_data' ) ) {
+			$value = cpfb_filter_link_profile_data( $value );
+		}
+
+		if ( function_exists( 'cpfb_add_brackets' ) ) {
+			$value = cpfb_add_brackets( $value );
+		}
+
+		return $value;
 	}
 
 	public function edit_title_markup( $value, $key ) {