[buddypress-trac] [BuddyPress Trac] #8404: Html code injection buddypress.org

buddypress-trac noreply at wordpress.org
Fri Nov 27 15:56:38 UTC 2020

#8404: Html code injection buddypress.org
 Reporter:  zeldatea              |       Owner:  johnjamesjacoby
     Type:  defect (bug)          |      Status:  accepted
 Priority:  high                  |   Milestone:  6.4.0
Component:  BuddyPress.org Sites  |     Version:
 Severity:  minor                 |  Resolution:
 Keywords:  has-patch             |

Comment (by johnjamesjacoby):

 In [changeset:"12806" 12806]:
 #!CommitTicketReference repository="" revision="12806"
 XProfile: only allow "style" attributes in richtext fields for capable

 This commit prevents non-capable users from adding style attributes to
 "span" and "p" elements in their profile fields, which could be used in
 unintended ways relative to when it was introduced in #5625.

 Note that this could be considered a backwards compatibility break. If you
 are a site owner or developer who relied on this functionality, you will
 want to use the `xprofile_allowed_tags` filter to re-enable these

 In trunk for 7.0. See #8404.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8404#comment:4>
BuddyPress Trac <http://buddypress.org/>