[buddypress-trac] [BuddyPress Trac] #6707: Member - Settings - Email - radio buttons

buddypress-trac noreply at wordpress.org
Sun Nov 1 13:04:18 UTC 2015

#6707: Member - Settings - Email - radio buttons
 Reporter:  slaFFik               |      Owner:
     Type:  defect (bug)          |     Status:  new
 Priority:  normal                |  Milestone:  Awaiting Review
Component:  Component - Settings  |    Version:
 Severity:  normal                |   Keywords:
 Seems, BuddyPress trusts radio-buttons values on save, which is not good.
 Just change the value field of any checked radio button, and click save -
 in my case `yes-or-no` was saved successfully into DB.

 In source code we have:

 foreach ( (array) $_POST['notifications'] as $key => $value ) {
         bp_update_user_meta( (int) bp_displayed_user_id(), $key, $value );

 So any js script or user can pass any string. I believe this is a bad
 approach, when application doesn't control the data that is saved.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6707>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list