meta_form() should place some restrictions on meta keys
|Reported by:||nacin||Owned by:||nacin|
meta_form() echoes out all meta keys into a dropdown for the custom fields box, unless they start with an underscore (as bound by the query).
We should consider is_protected_meta( $key, 'post' ) and/or current_user_can( 'add_post_meta', $post->ID, $key ). This isn't a security thing, just an opportunity to hide some things from the user they don't need to see.
On the other hand, it's definitely a number of extra calculations. is_protected_meta() is light as long as there's no filter on things (and if there is, we probably want to know). current_user_can() might be a bit more weight than necessary here.
Change History (10)
- Keywords 3.7-early added
- Milestone changed from 3.6 to Future Release