[buddypress-trac] [BuddyPress Trac] #8404: Html code injection buddypress.org
buddypress-trac
noreply at wordpress.org
Fri Nov 27 16:03:52 UTC 2020
#8404: Html code injection buddypress.org
----------------------------------+------------------------------
Reporter: zeldatea | Owner: johnjamesjacoby
Type: defect (bug) | Status: closed
Priority: high | Milestone: 6.4.0
Component: BuddyPress.org Sites | Version:
Severity: minor | Resolution: fixed
Keywords: has-patch |
----------------------------------+------------------------------
Changes (by johnjamesjacoby):
* status: accepted => closed
* resolution: => fixed
Comment:
In [changeset:"12807" 12807]:
{{{
#!CommitTicketReference repository="" revision="12807"
XProfile: only allow "style" attributes in richtext fields for capable
users
This commit prevents non-capable users from adding style attributes to
"span" and "p" elements in their profile fields, which could be used in
unintended ways relative to when it was introduced in #5625.
Note that this could be considered a backwards compatibility break. If you
are a site owner or developer who relied on this functionality, you will
want to use the `xprofile_allowed_tags` filter to re-enable these
attributes.
In branches/6.0 for 6.4.0. Fixes #8404.
Props imath, zeldatea.
}}}
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8404#comment:5>
BuddyPress Trac <http://buddypress.org/>
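
The re-enabling route the commit message mentions, as an added example that is not BuddyPress code or part of changeset 12807: a callback on the `xprofile_allowed_tags` filter that restores `style` on `span` and `p` only for users holding a site-defined capability, instead of for everyone. It assumes the filter's first argument is the allowed-tags array in `wp_kses()` format; the function name and the `example_profile_styling` capability are hypothetical.

```php
<?php
// Added example, not BuddyPress code. Assumptions: the filter's first argument
// is the allowed-tags array in wp_kses() format (tag => [attribute => true]);
// 'example_profile_styling' is a hypothetical capability defined by the site.

function example_xprofile_style_policy( $allowed_tags ) {
	if ( ! is_array( $allowed_tags ) ) {
		return $allowed_tags; // Unexpected shape: leave the policy untouched.
	}

	// Capability of the user in whose context the filter runs.
	// Outside WordPress there is no user, so the answer is "not trusted".
	$trusted = function_exists( 'current_user_can' )
		&& current_user_can( 'example_profile_styling' );

	foreach ( array( 'span', 'p' ) as $tag ) {
		// Only touch tags the field already allows; never widen the tag list.
		if ( ! isset( $allowed_tags[ $tag ] ) || ! is_array( $allowed_tags[ $tag ] ) ) {
			continue;
		}
		if ( $trusted ) {
			$allowed_tags[ $tag ]['style'] = true;
		} else {
			unset( $allowed_tags[ $tag ]['style'] );
		}
	}
	return $allowed_tags;
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: register the policy on the filter named in the commit.
	add_filter( 'xprofile_allowed_tags', 'example_xprofile_style_policy' );
} elseif ( PHP_SAPI === 'cli' ) {
	// Stand-alone run on a constructed policy: with no WordPress user the
	// caller is untrusted, so "style" is removed from span and p only.
	$constructed = array(
		'span' => array( 'style' => true ),
		'p'    => array( 'style' => true ),
		'a'    => array( 'href' => true ),
	);
	var_export( example_xprofile_style_policy( $constructed ) );
}
```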