Ticket #17850: 17850.17.diff

wp-admin/admin-ajax.php

@@ -869 +869 @@
                         die(__('Please provide a custom field value.'));
                 if ( !$meta = get_post_meta_by_id( $mid ) )
                         die('0'); // if meta doesn't exist
-                if ( is_protected_meta( $meta->meta_key, 'post' ) || !current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) )
+                if ( is_protected_meta( $meta->meta_key, 'post' ) || is_protected_meta( $key, 'post' ) || !current_user_can( 'edit_post_meta', $meta->post_id, $meta->meta_key ) )
                         die('-1');
                 if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
                         if ( !$u = update_meta( $mid, $key, $value ) )

wp-admin/includes/post.php

@@ -665 +665 @@
         global $wpdb;
         $post_ID = (int) $post_ID;
 
-        $metakeyselect = isset($_POST['metakeyselect']) ? stripslashes( trim( $_POST['metakeyselect'] ) ) : '';
-        $metakeyinput = isset($_POST['metakeyinput']) ? stripslashes( trim( $_POST['metakeyinput'] ) ) : '';
-        $metavalue = isset($_POST['metavalue']) ? maybe_serialize( stripslashes_deep( $_POST['metavalue'] ) ) : '';
-        if ( is_string($metavalue) )
-                $metavalue = trim( $metavalue );
+        $metakeyselect = isset($_POST['metakeyselect']) ? trim( $_POST['metakeyselect'] ) : '';
+        $metakeyinput = isset($_POST['metakeyinput']) ? trim( $_POST['metakeyinput'] ) : '';
+        $metavalue = isset($_POST['metavalue']) ? $_POST['metavalue'] : '';
 
-        if ( ('0' === $metavalue || ! empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
+        if ( ('0' === $metavalue || ! empty ( $metavalue ) ) && ( ( ( '#NONE#' != $metakeyselect ) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput ) ) ) {
                 // We have a key/value pair. If both the select and the
                 // input for the key have data, the input takes precedence:
 
-                if ('#NONE#' != $metakeyselect)
+                if ( '#NONE#' != $metakeyselect )
                         $metakey = $metakeyselect;
 
-                if ( $metakeyinput)
+                if ( $metakeyinput )
                         $metakey = $metakeyinput; // default
 
                 if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) )