Displaying a User's Signature on a Node Page in Drupal

21 Dec 2009
geerlingguy

A project I'm working on required that a user's signature be displayed on the user's blog posts (only on the full node page, not in blog teaser listings), and after much wrangling, I figured out how to put the 'Biography' field (one of the user profile fields) into nodes when they are viewed individually.

Here's the snippet (to be placed into node.tpl.php or node-blog.tpl.php):

<?php if (!$teaser): ?>
  <?php
  // Load the author's account; the Profile module's load hook adds the
  // profile_* fields (raw, unfiltered values) to the account object.
  $account = user_load(array('uid' => $node->uid));
  if (!empty($account->profile_bio)) { ?>
    <div class="blogger-bio"><?php print check_plain($account->profile_bio); ?></div>
  <?php } ?>
<?php endif; ?>

The code checks whether the user's account has a bio filled out and, if so, places it at the end of the node when the node is viewed by itself (that is, when it is not being shown as a teaser).

See comments below this post for some important security considerations and alternate options.

Comments

XSS - Profile fields should not be output as is.

The profile_user 'load' op calls profile_load_profile to add fields to the user object.

<?php
function profile_load_profile(&$user) {
  $result = db_query('SELECT f.name, f.type, v.value FROM {profile_fields} f INNER JOIN {profile_values} v ON f.fid = v.fid WHERE uid = %d', $user->uid);
  while ($field = db_fetch_object($result)) {
    if (empty($user->{$field->name})) {
      $user->{$field->name} = _profile_field_serialize($field->type) ? unserialize($field->value) : $field->value;
    }
  }
}
?>

As you can see, the raw value of the entered text is added. Depending on the field type, you need to check_plain (or check_markup) the content before adding it to HTML.

See profile_view_profile() and profile_view_field()

PS: You may want to enable codefilter / geshi for Filtered HTML as well; this comment looks terrible.

Heine (not verified) | Dec 22nd, 2009 at 1:49 am

Good catch! I was going to at least do a check_plain on it, but since blogs are only enabled for a select subset of users (all working within the office), I didn't think it necessary. Of course, it's a good idea anyways ;-)

I haven't yet tried codefilter; I think I'll give it a shot (thanks!).

Check out my personal website: www.lifeisaprayer.com.

geerlingguy | Dec 22nd, 2009 at 7:11 am

Text filtering cheat sheet

I suggest looking at the text filtering cheat sheet - http://crackingdrupal.com/blog/greggles/drupal-text-filtering-decision-c... - which helps you decide which filtering function to use. check_plain is inappropriate because the profile fields may contain html or rich text.

Please update the original post to include information about how to properly sanitize the text - otherwise people will read the post and not the comments and create holes in their sites.

Regarding the idea that "blogs are only enabled for a select subset of users" - many times security holes are introduced at a time when they can't be exploited and then a year or two later the site purpose changes and now you've got a real hole. It's better to do it right from the beginning.

greggles (not verified) | Dec 22nd, 2009 at 7:55 am

check_plain can be perfectly suited to escape a profile value. After all, we have different types of fields (eg textfield: check_plain, textarea: check_markup with FILTER_FORMAT_DEFAULT).

See profile_view_field() for what to do with a field.

I'd also like to support greggles point; if you fling example code onto the internet (and Planet), you have a moral obligation to make it secure code.

Heine (not verified) | Dec 22nd, 2009 at 8:24 am

Thanks for that link! I have added a check_plain() on the text, which should fix any possible security holes... I didn't consider the implications of an insecure post on the planet, but will remember this for any more snippets I publish.

Check out my personal website: www.lifeisaprayer.com.

geerlingguy | Dec 22nd, 2009 at 10:09 am
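Pulling together the advice in the comments above, here is an added example (not from the original post and not Drupal's own code) of a field-type-aware version of the template snippet for Drupal 6, following the same dispatch Drupal's profile_view_field() uses. It assumes the Profile field is named profile_bio and that it runs inside node.tpl.php, where $node and $teaser are available.

```php
<?php
// Added example (not from the original post or from Drupal itself): a
// field-type-aware replacement for the template snippet, for Drupal 6
// node.tpl.php / node-blog.tpl.php. Assumes a Profile field named 'profile_bio'.
if (!$teaser):
  $field_name = 'profile_bio';
  // user_load() runs the Profile module's load hook, which copies the raw,
  // unfiltered field values onto the account object (see profile_load_profile).
  $account = user_load(array('uid' => $node->uid));

  // Read the field definition so the output filter matches the field's type
  // and so the field's visibility setting is honoured rather than ignored.
  $field = db_fetch_object(db_query("SELECT type, visibility FROM {profile_fields} WHERE name = '%s'", $field_name));
  $can_view = $field
    && $field->visibility != PROFILE_HIDDEN
    && ($field->visibility != PROFILE_PRIVATE
        || user_access('administer users')
        || $GLOBALS['user']->uid == $account->uid);

  if ($can_view && !empty($account->{$field_name})) {
    $raw = $account->{$field_name};
    switch ($field->type) {
      case 'textarea':
        // Multi-line / rich text: run it through the default input format,
        // which strips disallowed tags instead of escaping or trusting all of them.
        $bio = check_markup($raw, FILTER_FORMAT_DEFAULT);
        break;
      case 'url':
        // URL field: check_url() neutralises dangerous schemes (javascript: etc.),
        // check_plain() escapes the visible link text.
        $bio = '<a href="' . check_url($raw) . '">' . check_plain($raw) . '</a>';
        break;
      default:
        // textfield, selection and anything unexpected: treat as plain text and
        // escape every character that is special in HTML.
        $bio = check_plain($raw);
    }
    print '<div class="blogger-bio">' . $bio . '</div>';
  }
endif;
?>
```

Date and list fields are stored serialized and are not covered by the switch above; for those, or to avoid re-implementing the dispatch at all, pass the loaded $field object and $account to profile_view_field() and print its return value.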
