WordPress.org

Make WordPress Core

Changeset 25591


Ignore:
Timestamp:
09/24/2013 01:30:31 AM (8 years ago)
Author:
nacin
Message:

Ignore unauthorized meta keys in meta_form(). fixes #18786.

Location:
trunk/src/wp-admin/includes
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/includes/meta-boxes.php

    r25083 r25591  
    507507}
    508508list_meta( $metadata );
    509 meta_form(); ?>
     509meta_form( $post ); ?>
    510510</div>
    511511<p><?php _e('Custom fields can be used to add extra metadata to a post that you can <a href="http://codex.wordpress.org/Using_Custom_Fields" target="_blank">use in your theme</a>.'); ?></p>
  • trunk/src/wp-admin/includes/template.php

    r25472 r25591  
    501501
    502502/**
    503  * {@internal Missing Short Description}}
     503 * Prints the form in the Custom Fields meta box.
    504504 *
    505505 * @since 1.2.0
    506  */
    507 function meta_form() {
     506 *
     507 * @param WP_Post $post Optional. The post being edited.
     508 */
     509function meta_form( $post = null ) {
    508510    global $wpdb;
     511    $post = get_post( $post );
    509512    $limit = (int) apply_filters( 'postmeta_form_limit', 30 );
    510513    $keys = $wpdb->get_col( "
     
    536539
    537540    foreach ( $keys as $key ) {
    538         if ( is_protected_meta( $key, 'post' ) )
     541        if ( is_protected_meta( $key, 'post' ) || ! current_user_can( 'add_post_meta', $post->ID, $key ) )
    539542            continue;
    540543        echo "\n<option value='" . esc_attr($key) . "'>" . esc_html($key) . "</option>";
Note: See TracChangeset for help on using the changeset viewer.