[buddypress-trac] [BuddyPress Trac] #8094: The use of wp_filter_kses in getting BP xprofile textarea fields prevents an expanded html tag set
buddypress-trac
noreply at wordpress.org
Mon May 13 23:21:21 UTC 2019
#8094: The use of wp_filter_kses in getting BP xprofile textarea fields prevents an expanded html tag set
--------------------------+-----------------------------
 Reporter:  rgilman       |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Core          |    Version:  4.3.0
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
I'm using BP 4.30 and WP 5.2.
To create the problem,
1) open an xprofile textarea field for editing
2) enter anything that includes the permitted tags for textareas from
xprofile_filter_kses (line 124, bp-xprofile-filters.php) such as img, ul,
ol, li, span or p.
3) save the edit.
On the save, those tags will be stripped out. For example, if you put in a
bullet list, the bullets and indents will be removed after the save. Thus
the purpose of xprofile_filter_kses for textareas is defeated.
To be a bit more precise based on my debugging, the tags actually are
saved into the database but stripped out as the edit area is refilled with
a "get". It is in the get process that wp_filter_kses overrides
xprofile_filter_kses.
There is an easy "fix": Comment out line 19 in bp-xprofile-filters.php,
thus not adding wp_filter_kses to bp_get_the_profile_field_edit_value()
(line 593, bp-xprofile-template.php).
I say "fix" because I don't know the full security implications of
removing this filter from this function. Nevertheless, removing that
filter allows the additional html tags to be saved and retrieved as
intended.
This issue appears to go back at least two years as illustrated in this
support thread:
https://buddypress.org/support/topic/image-not-saving-in-xprofile-textarea-field/
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8094>
BuddyPress Trac <http://buddypress.org/>
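Added example (not BuddyPress or WordPress code, and not the reporter's): a small Python model of the mechanism described in the ticket. Two kses-style tag-whitelist filters are stacked on one hook; because each filter only lets through what is in its own allowed set, the narrower set wins and the expanded tags are stripped on "get" even though they were stored. The model also shows the conservative way to restore the expanded tags: keep a whitelist filter on the hook (the expanded one) rather than removing sanitization entirely, so event-handler attributes and script tags are still dropped. The hook name, priorities, and both tag sets are constructed assumptions for the illustration; DEFAULT_TAGS is only loosely modelled on WordPress's limited default set, and TEXTAREA_TAGS stands in for the expanded set mentioned in the ticket.

```python
from html.parser import HTMLParser
from html import escape

# Constructed tag sets (assumptions, not copied from WordPress or BuddyPress).
# DEFAULT_TAGS plays the role of the narrow set a generic wp_filter_kses-style
# filter allows; TEXTAREA_TAGS plays the role of the expanded textarea set.
DEFAULT_TAGS = {
    "a": {"href", "title"}, "b": set(), "strong": set(), "em": set(),
    "i": set(), "code": set(), "blockquote": {"cite"},
}
TEXTAREA_TAGS = dict(DEFAULT_TAGS, **{
    "p": set(), "ul": set(), "ol": set(), "li": set(),
    "span": {"class"}, "img": {"src", "alt", "width", "height"},
})
VOID_TAGS = {"img", "br"}


class KsesLikeSanitizer(HTMLParser):
    """Keep only whitelisted tags and attributes; unlisted tags are dropped
    but their text content is kept, which is how kses-style filters behave."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # tag dropped; any event-handler attributes go with it
        kept = [(k, v) for k, v in attrs if k in self.allowed[tag] and v is not None]
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.allowed and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def kses(html, allowed):
    """Sanitize html against the given allowed-tag map and return the result."""
    parser = KsesLikeSanitizer(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


class Hooks:
    """Minimal stand-in for a priority-ordered filter chain on named hooks."""

    def __init__(self):
        self._filters = {}

    def add_filter(self, hook, fn, priority=10):
        self._filters.setdefault(hook, []).append((priority, fn))

    def apply_filters(self, hook, value):
        # Stable sort: equal priorities run in registration order.
        for _, fn in sorted(self._filters.get(hook, []), key=lambda pf: pf[0]):
            value = fn(value)
        return value


def narrow_kses(value):      # stands in for a wp_filter_kses-style filter
    return kses(value, DEFAULT_TAGS)


def textarea_kses(value):    # stands in for an xprofile_filter_kses-style filter
    return kses(value, TEXTAREA_TAGS)


HOOK = "profile_field_edit_value"  # hypothetical hook name


def render_edit_value(stored_html, keep_narrow_filter=True):
    """Run the stored field value through the hook as the edit form would.
    With both filters stacked, the narrow set wins and ul/li/img vanish;
    with only the expanded whitelist, they survive but unsafe input is still
    stripped."""
    hooks = Hooks()
    hooks.add_filter(HOOK, textarea_kses, 1)
    if keep_narrow_filter:
        hooks.add_filter(HOOK, narrow_kses, 10)
    return hooks.apply_filters(HOOK, stored_html)


# Constructed sample of what might be stored for a textarea field.
SAMPLE = ('<ul><li>one</li><li>two</li></ul>'
          '<img src="x.png" alt="x" onerror="alert(1)">'
          '<script>alert(1)</script>')

if __name__ == "__main__":
    print("stacked filters :", render_edit_value(SAMPLE, keep_narrow_filter=True))
    print("expanded only   :", render_edit_value(SAMPLE, keep_narrow_filter=False))
```

The second call is the point for anyone weighing the "fix" in the ticket: dropping the narrow filter is not the same as dropping sanitization, provided the expanded whitelist filter remains on the hook. What matters is that the allowed set on save and on get is the same one, and that it is still a whitelist.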