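--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -869,7 +869,7 @@
  die(__('Please provide a custom field value.'));
  if ( !$meta = get_post_meta_by_id( $mid ) )
  die('0'); // if meta doesn't exist
- if ( is_protected_meta( $meta->meta_key, 'post' ) || !current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) )
+ if ( is_protected_meta( $meta->meta_key, 'post' ) || is_protected_meta( $key, 'post' ) || !current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) )
  die('-1');
  if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
  if ( !$u = update_meta( $mid, $key, $value ) )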
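Review bot: The added `is_protected_meta( $key, 'post' )` test covers the new key, but the `current_user_can( 'edit_post_meta', ... )` term on the same line still receives only `$meta->meta_key`, so a rename is authorised against the old key alone. The new test also reads `$key` before the `stripslashes($key)` that the comparison two lines below applies, so the protected check and that comparison may not be looking at the same string. I would check the unslashed new key in both places: pass `stripslashes( $key )` to the new `is_protected_meta()` call and add `|| !current_user_can( 'edit_post_meta', $meta->post_id, stripslashes( $key ) )`. The enclosing branch starts and ends outside the hunk, so whether `$key` is normalised earlier is not visible here.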
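--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@@ -667,24 +667,26 @@
 
  $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
  $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
- $metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : '';
- if ( is_string($metavalue) )
+ $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : '';
+ if ( is_string( $metavalue ) )
  $metavalue = trim( $metavalue );
 
- if ( ('0' === $metavalue || ! empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
+ if ( ('0' === $metavalue || ! empty ( $metavalue ) ) && ( ( ( '#NONE#' != $metakeyselect ) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput ) ) ) {
  // We have a key/value pair. If both the select and the
  // input for the key have data, the input takes precedence:
 
- if ('#NONE#' != $metakeyselect)
+ if ( '#NONE#' != $metakeyselect )
  $metakey = $metakeyselect;
 
- if ( $metakeyinput)
+ if ( $metakeyinput )
  $metakey = $metakeyinput; // default
 
  if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) )
  return false;
 
- return add_post_meta($post_ID, $metakey, $metavalue);
+ $metakey = esc_sql( $metakey );
+
+ return add_post_meta( $post_ID, $metakey, $metavalue );
  }
 
  return false;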
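Review bot: `$metakey = esc_sql( $metakey );` runs after the `is_protected_meta()` and `current_user_can( 'add_post_meta', ... )` checks, so the string that is authorised is not byte-for-byte the string handed to `add_post_meta()`. That is only safe if `add_post_meta()` strips exactly what `esc_sql()` adds, which this hunk does not show. The same assumption now covers `$metavalue`, which is passed from `$_POST` without the previous `stripslashes_deep()`. Using a SQL-escaping helper as a re-slashing step is easy to misread, so I would confirm the callee's contract and add a comment above the line: `// add_post_meta() expects slashed data; the key was unslashed above for the permission checks`. The function begins before and ends after the hunk.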