[buddypress-trac] [BuddyPress] #3409: Posting PHP code into activity update creates a blank update
buddypress-trac at lists.automattic.com
Sat Jul 30 11:07:07 UTC 2011
#3409: Posting PHP code into activity update creates a blank update
-------------------------+-----------------------
 Reporter:  InterMike    |      Owner:
     Type:  defect       |     Status:  reopened
 Priority:  minor        |  Milestone:  1.6
Component:  Activity     |    Version:  1.5
 Severity:  minor        | Resolution:
 Keywords:  2nd-opinion  |
-------------------------+-----------------------
Changes (by boonebgorges):
* status: closed => reopened
* severity: normal => minor
* priority: normal => minor
* milestone: Awaiting Review => 1.6
* keywords: => 2nd-opinion
* resolution: wontfix =>
Comment:
Confirmed. This is also an issue with group forum posts.
There are a couple of things happening here. First, the code is being
removed altogether by kses. We could debate whether it would be better to
escape the '<?php' and '?>' delimiters, and display the content as plain
text. It seems to me that this would be better behavior from the user
point of view, as long as we can maintain security. I'm not sure whether
this method is compatible with kses (we might have to run our own filters
first?).
Second, the reason why it's posting an empty activity update is that the
filters are being run *right before* the content is saved, in the
BP_Activity_Activity::save() method. This is probably too late, IMO.
That's because we allow for some activity items with empty 'content' (such
as 'Boone and Mike are now friends'), so we can't put a check in the
save() method itself that refuses to post if 'content' is empty. That
check should be done (and is, in fact, done) further upstream (for
instance in bp_activity_post_update()), but it happens before the kses
filters are applied.
So there are a few solutions:
- write our own replacement for kses that escapes rather than strips the
content
- move the kses filters way upstream, into the individual component
activity functions
- introduce a $allow_null_content parameter to the bp_activity_add()
chain, which would allow us to fail immediately before saving when no
content is left by the filter when appropriate.
This is not a 1.5 regression; the 1.2 branch has the same issue. So it's
not urgent.
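As an added example, not BuddyPress's own code, the sketch below shows the ordering problem described in the comment and the third option (an $allow_null_content flag). strip_like_kses(), escape_like_kses(), post_update_current() and post_update_fixed() are constructed stand-ins; they are not wp_kses(), bp_activity_filter_kses() or bp_activity_post_update().

```php
<?php
// Constructed stand-in for the kses filter chain: it drops a '<?php ... ?>'
// block entirely, which is what the ticket reports kses doing to the post.
function strip_like_kses(string $content): string
{
    return trim(preg_replace('/<\?php.*?\?>/s', '', $content));
}

// Alternative raised in the comment: escape the delimiters so the code is
// kept and displayed as plain text instead of being removed.
function escape_like_kses(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
}

// Current order: the emptiness check runs upstream, the filter runs inside
// save(). A post that is nothing but PHP code passes the check, is stripped
// to nothing, and is stored as a blank activity update.
function post_update_current(string $content): ?array
{
    if (trim($content) === '') {
        return null;                        // refused upstream
    }
    $content = strip_like_kses($content);   // filter runs after the check
    return ['content' => $content];         // stored even if now empty
}

// Third option from the comment: filter first, then refuse empty content
// unless the caller explicitly allows it (friendship-style items).
function post_update_fixed(string $content, bool $allow_null_content = false): ?array
{
    $content = strip_like_kses($content);
    if (!$allow_null_content && $content === '') {
        return null;                        // nothing left after filtering
    }
    return ['content' => $content];
}

$code_only = '<?php echo "hello"; ?>';   // constructed sample post
var_dump(post_update_current($code_only));   // current order: blank update saved
var_dump(post_update_fixed($code_only));     // fixed order: refused before saving
var_dump(post_update_fixed('', true));       // empty content allowed on request
echo escape_like_kses($code_only), "\n";     // escaping alternative
```

Run with `php` on the command line; the first var_dump shows the blank update the ticket describes, the second shows it being refused.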
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/3409#comment:2>
BuddyPress <http://buddypress.org/>