Timestamp:
12/13/2018 01:48:36 AM (23 months ago)
Author:
pento
Message:

Editor: Remove unwanted fields before saving posts.

The meta_input, file, and guid fields are not intended to be updated through user input.

Merges [44047] to the 4.4 branch.

Location:
branches/4.4
Files:
2 edited

  • branches/4.4

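--- a/branches/4.4/src/wp-admin/includes/post.php
+++ b/branches/4.4/src/wp-admin/includes/post.php
@@ -177,4 +177,25 @@
 
 /**
+ * Returns only allowed post data fields
+ *
+ * @since 4.9.9
+ *
+ * @param array $post_data Array of post data. Defaults to the contents of $_POST.
+ * @return object|bool WP_Error on failure, true on success.
+ */
+function _wp_get_allowed_postdata( $post_data = null ) {
+    if ( empty( $post_data ) ) {
+        $post_data = $_POST;
+    }
+
+    // Pass through errors
+    if ( is_wp_error( $post_data ) ) {
+        return $post_data;
+    }
+
+    return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) );
+}
+
+/**
  * Update an existing post with values provided in $_POST.
  *
@@ -244,4 +265,5 @@
     if ( is_wp_error($post_data) )
         wp_die( $post_data->get_error_message() );
+    $translated = _wp_get_allowed_postdata( $post_data );
 
     // Post Formats
@@ -321,5 +343,5 @@
 
         /** This filter is documented in wp-admin/includes/media.php */
-        $post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data );
+        $translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data );
     }
 
@@ -366,5 +388,5 @@
             }
 
-            $post_data['tax_input'][ $taxonomy ] = $clean_terms;
+            $translated['tax_input'][ $taxonomy ] = $clean_terms;
         }
     }
@@ -374,5 +396,5 @@
     update_post_meta( $post_ID, '_edit_last', get_current_user_id() );
 
-    $success = wp_update_post( $post_data );
+    $success = wp_update_post( $translated );
     // If the save failed, see if we can sanity check the main fields and try again
     if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) {
@@ -380,10 +402,10 @@
 
         foreach ( $fields as $field ) {
-            if ( isset( $post_data[ $field ] ) ) {
-                $post_data[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $post_data[ $field ] );
+            if ( isset( $translated[ $field ] ) ) {
+                $translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] );
             }
         }
 
-        wp_update_post( $post_data );
+        wp_update_post( $translated );
     }
 
@@ -545,7 +567,7 @@
         }
 
+        $post_data['post_ID']        = $post_ID;
         $post_data['post_type'] = $post->post_type;
         $post_data['post_mime_type'] = $post->post_mime_type;
-        $post_data['guid'] = $post->guid;
 
         foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) {
@@ -555,7 +577,4 @@
         }
 
-        $post_data['ID'] = $post_ID;
-        $post_data['post_ID'] = $post_ID;
-
         $post_data = _wp_translate_postdata( true, $post_data );
         if ( is_wp_error( $post_data ) ) {
@@ -563,4 +582,5 @@
             continue;
         }
+        $post_data = _wp_get_allowed_postdata( $post_data );
 
         $updated[] = wp_update_post( $post_data );
@@ -573,6 +593,6 @@
         }
 
-        if ( isset( $post_data['post_format'] ) )
-            set_post_format( $post_ID, $post_data['post_format'] );
+        if ( isset( $shared_post_data['post_format'] ) )
+            set_post_format( $post_ID, $shared_post_data['post_format'] );
     }
 
@@ -755,7 +775,8 @@
     if ( is_wp_error($translated) )
         return $translated;
+    $translated = _wp_get_allowed_postdata( $translated );
 
     // Create the post.
-    $post_ID = wp_insert_post( $_POST );
+    $post_ID = wp_insert_post( $translated );
     if ( is_wp_error( $post_ID ) )
         return $post_ID;
@@ -1665,4 +1686,5 @@
     if ( is_wp_error( $post_data ) )
         return $post_data;
+    $post_data = _wp_get_allowed_postdata( $post_data );
 
     $post_author = get_current_user_id();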
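Review bot: The docblock added for `_wp_get_allowed_postdata` in the first hunk documents the return as `object|bool WP_Error on failure, true on success`, but the body returns the result of `array_diff_key()` — an array — on success and only passes a `WP_Error` through unchanged; the tag should read `@return array|WP_Error Post data with the disallowed fields removed, or the WP_Error passed through.` and `@param` should likewise admit `array|WP_Error` since `is_wp_error()` is checked on it. Because the `empty()` guard makes an empty array behave like a missing argument and re-read `$_POST`, a one-line comment such as `// An empty array is treated like a missing argument and falls back to $_POST` would make that visible to the callers added in the later hunks, where the argument has already passed through `_wp_translate_postdata()`. It would also help to state in the docblock that this is a fixed blocklist of three keys (`meta_input`, `file`, `guid`) rather than an allow-list, which is what the function name suggests.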