From a0756f3e1b8c79242c607c49c2236abc687f433f Mon Sep 17 00:00:00 2001 From: Denis Baranov Date: Wed, 14 Mar 2018 10:01:13 +0200 Subject: [PATCH] - fixed cleaning on XSS injection for editing field "url" --- includes/core/um-filters-fields.php | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/includes/core/um-filters-fields.php b/includes/core/um-filters-fields.php index 8fdff6af..ac1439cc 100644 --- a/includes/core/um-filters-fields.php +++ b/includes/core/um-filters-fields.php @@ -477,7 +477,9 @@ function um_profile_field_filter_xss_validation( $value, $data, $type = '' ) { if( 'text' == $type && ! in_array( $data['validate'], array( 'unique_email' ) ) || 'password' == $type ) { $value = esc_attr( $value ); - } elseif ( 'textarea' == $type ){ + }elseif( $type == 'url' ) { + $value = esc_url( $value ); + } elseif ( 'textarea' == $type ){ $value = wp_kses_post( $value ); } } @@ -506,4 +508,19 @@ add_filter( 'um_profile_field_filter_hook__','um_profile_field_filter_xss_valida return $post_form; } - add_filter( 'um_submit_form_data', 'um_submit_form_data_role_fields', 10, 2 ); \ No newline at end of file + add_filter( 'um_submit_form_data', 'um_submit_form_data_role_fields', 10, 2 ); + + + /** + * Cleaning on XSS injection for url editing field + * @param $value string + * @param $key string + * + * @return string $value + * @uses hook filters: um_edit_url_field_value + */ + function um_edit_url_field_value( $value, $key ) { + $value = esc_attr($value); + return $value; + } + add_filter( 'um_edit_url_field_value', 'um_edit_url_field_value', 10, 2 ); \ No newline at end of file