Make WordPress Core


Timestamp:
03/02/2024 02:11:53 PM (11 months ago)
Author:
swissspidy
Message:

Editor: do not expose protected post meta fields in block bindings.

Ignores meta keys which are considered protected or not registered to be shown in the REST API. Adds tests.

Props santosguillamot, swissspidy, gziolo, xknown, peterwilsoncc.
Fixes #60651.

File:
1 edited

  • trunk/src/wp-includes/block-bindings/post-meta.php

    r57641 r57754  
    3535    }
    3636
     37    // Check if the meta field is protected.
     38    if ( is_protected_meta( $source_args['key'], 'post' ) ) {
     39        return null;
     40    }
     41
     42    // Check if the meta field is registered to be shown in REST.
     43    $meta_keys = get_registered_meta_keys( 'post', $block_instance->context['postType'] );
     44    // Add fields registered for all subtypes.
     45    $meta_keys = array_merge( $meta_keys, get_registered_meta_keys( 'post', '' ) );
     46    if ( empty( $meta_keys[ $source_args['key'] ]['show_in_rest'] ) ) {
     47        return null;
     48    }
     49
    3750    return get_post_meta( $post_id, $source_args['key'], true );
    3851}
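Review bot: The `array_merge()` on new line 45 puts the all-subtypes registration last, so when a key is registered both for the current post type and for `''`, the `''` entry overwrites the post-type-specific one and its `show_in_rest` value decides whether the field is returned. If the more specific registration is meant to take precedence, merge in the other order, e.g. `array_merge( get_registered_meta_keys( 'post', '' ), $meta_keys )`, and add a test covering a key registered at both levels with different `show_in_rest` values. Separately, `$block_instance->context['postType']` on new line 43 is read with no guard in the visible lines; unless an earlier check guarantees the key, handle the missing case explicitly (return null) instead of relying on the lookup's behaviour for an undefined index. The `empty()` test on line 46 fails closed for unregistered keys, which is the right default here.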