

Timestamp:
12/13/2018 01:58:33 AM (6 years ago)
Author:
pento
Message:

Editor: Remove unwanted fields before saving posts.

The meta_input, file, and guid fields are not intended to be updated through user input.

Merges [44047] to the 3.9 branch.

Location:
branches/3.9
Files:
2 edited

  • branches/3.9

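--- a/branches/3.9/src/wp-admin/includes/post.php
+++ b/branches/3.9/src/wp-admin/includes/post.php
@@ -177,4 +177,25 @@
 
 /**
+ * Returns only allowed post data fields
+ *
+ * @since 4.9.9
+ *
+ * @param array $post_data Array of post data. Defaults to the contents of $_POST.
+ * @return object|bool WP_Error on failure, true on success.
+ */
+function _wp_get_allowed_postdata( $post_data = null ) {
+    if ( empty( $post_data ) ) {
+        $post_data = $_POST;
+    }
+
+    // Pass through errors
+    if ( is_wp_error( $post_data ) ) {
+        return $post_data;
+    }
+
+    return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) );
+}
+
+/**
  * Update an existing post with values provided in $_POST.
  *
@@ -242,4 +263,5 @@
     if ( is_wp_error($post_data) )
         wp_die( $post_data->get_error_message() );
+    $translated = _wp_get_allowed_postdata( $post_data );
 
     // Post Formats
@@ -319,5 +341,5 @@
 
         /** This filter is documented in wp-admin/includes/media.php */
-        $post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data );
+        $translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data );
     }
 
@@ -326,5 +348,5 @@
     update_post_meta( $post_ID, '_edit_last', get_current_user_id() );
 
-    $success = wp_update_post( $post_data );
+    $success = wp_update_post( $translated );
     // If the save failed, see if we can sanity check the main fields and try again
     if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) {
@@ -332,10 +354,10 @@
 
         foreach( $fields as $field ) {
-            if ( isset( $post_data[ $field ] ) ) {
-                $post_data[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $post_data[ $field ] );
+            if ( isset( $translated[ $field ] ) ) {
+                $translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] );
             }
         }
 
-        wp_update_post( $post_data );
+        wp_update_post( $translated );
     }
 
@@ -495,7 +517,7 @@
         }
 
+        $post_data['post_ID']        = $post_ID;
         $post_data['post_type'] = $post->post_type;
         $post_data['post_mime_type'] = $post->post_mime_type;
-        $post_data['guid'] = $post->guid;
 
         foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) {
@@ -505,7 +527,4 @@
         }
 
-        $post_data['ID'] = $post_ID;
-        $post_data['post_ID'] = $post_ID;
-
         $post_data = _wp_translate_postdata( true, $post_data );
         if ( is_wp_error( $post_data ) ) {
@@ -513,4 +532,5 @@
             continue;
         }
+        $post_data = _wp_get_allowed_postdata( $post_data );
 
         $updated[] = wp_update_post( $post_data );
@@ -523,6 +543,6 @@
         }
 
-        if ( isset( $post_data['post_format'] ) )
-            set_post_format( $post_ID, $post_data['post_format'] );
+        if ( isset( $shared_post_data['post_format'] ) )
+            set_post_format( $post_ID, $shared_post_data['post_format'] );
     }
 
@@ -702,7 +722,8 @@
     if ( is_wp_error($translated) )
         return $translated;
+    $translated = _wp_get_allowed_postdata( $translated );
 
     // Create the post.
-    $post_ID = wp_insert_post( $_POST );
+    $post_ID = wp_insert_post( $translated );
     if ( is_wp_error( $post_ID ) )
         return $post_ID;
@@ -1539,4 +1560,5 @@
     if ( is_wp_error( $post_data ) )
         return $post_data;
+    $post_data = _wp_get_allowed_postdata( $post_data );
 
     $post_author = get_current_user_id();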
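Review bot: The `@return` tag on the new `_wp_get_allowed_postdata()` in the first hunk documents `object|bool WP_Error on failure, true on success`, but the function body returns the `array_diff_key()` result — an array — or the WP_Error it was handed, and never returns `true`; suggest ` * @return array|WP_Error The post data with the disallowed keys removed, or the WP_Error passed in.`. Separately, the `empty( $post_data )` guard substitutes `$_POST` for any falsy argument, not only the documented `null` default, so a caller that passes an already-filtered empty array would get the raw request back, including the very keys this helper exists to strip; the callers added in this changeset appear to pass already-translated data, so this looks latent rather than live, but `if ( null === $post_data ) {` would express the documented contract precisely. Since the helper's purpose is to keep request-controlled `meta_input`, `file` and `guid` out of the save path, a one-line why-comment on the `array_diff_key()` call such as `// These keys must never be settable from request data; see the docblock.` would help the next maintainer not "fix" the allow-list away.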