id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
18786,meta_form() should place some restrictions on meta keys,nacin,,"meta_form() echoes out all meta keys into a dropdown for the custom fields box, unless they start with an underscore (as bound by the query).

We should consider is_protected_meta( $key, 'post' ) and/or current_user_can( 'add_post_meta', $post->ID, $key ). This isn't a security thing, just an opportunity to hide some things from the user they don't need to see.

On the other hand, it's definitely a number of extra calculations. is_protected_meta() is light as long as there's no filter on things (and if there is, we probably want to know). current_user_can() might be a bit more weight than necessary here.",enhancement,new,normal,Future Release,Administration,,normal,,2nd-opinion 3.7-early,