Editor: Remove unwanted fields before saving posts.
The meta_input, file, and guid fields are not intended to be updated through user input. Merges [44047] to trunk. Built from https://develop.svn.wordpress.org/trunk@44295 git-svn-id: http://core.svn.wordpress.org/trunk@44125 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
desrosj
parent
8cb7058273
commit
43bdb0e193
|
|
@ -2262,7 +2262,11 @@ function wp_ajax_upload_attachment() {
|
||||||
$post_id = null;
|
$post_id = null;
|
||||||
}
|
}
|
||||||
|
|
||||||
$post_data = isset( $_REQUEST['post_data'] ) ? $_REQUEST['post_data'] : array();
|
$post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();
|
||||||
|
|
||||||
|
if ( is_wp_error( $post_data ) ) {
|
||||||
|
wp_die( $post_data->get_error_message() );
|
||||||
|
}
|
||||||
|
|
||||||
// If the context is custom header or background, make sure the uploaded file is an image.
|
// If the context is custom header or background, make sure the uploaded file is an image.
|
||||||
if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
|
if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
|
||||||
|
|
|
||||||
|
|
@ -195,6 +195,27 @@ function _wp_translate_postdata( $update = false, $post_data = null ) {
|
||||||
return $post_data;
|
return $post_data;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns only allowed post data fields
|
||||||
|
*
|
||||||
|
* @since 4.9.9
|
||||||
|
*
|
||||||
|
* @param array $post_data Array of post data. Defaults to the contents of $_POST.
|
||||||
|
* @return object|bool WP_Error on failure, true on success.
|
||||||
|
*/
|
||||||
|
function _wp_get_allowed_postdata( $post_data = null ) {
|
||||||
|
if ( empty( $post_data ) ) {
|
||||||
|
$post_data = $_POST;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Pass through errors
|
||||||
|
if ( is_wp_error( $post_data ) ) {
|
||||||
|
return $post_data;
|
||||||
|
}
|
||||||
|
|
||||||
|
return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) );
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Update an existing post with values provided in $_POST.
|
* Update an existing post with values provided in $_POST.
|
||||||
*
|
*
|
||||||
|
|
@ -273,6 +294,7 @@ function edit_post( $post_data = null ) {
|
||||||
if ( is_wp_error( $post_data ) ) {
|
if ( is_wp_error( $post_data ) ) {
|
||||||
wp_die( $post_data->get_error_message() );
|
wp_die( $post_data->get_error_message() );
|
||||||
}
|
}
|
||||||
|
$translated = _wp_get_allowed_postdata( $post_data );
|
||||||
|
|
||||||
// Post Formats
|
// Post Formats
|
||||||
if ( isset( $post_data['post_format'] ) ) {
|
if ( isset( $post_data['post_format'] ) ) {
|
||||||
|
|
@ -362,7 +384,7 @@ function edit_post( $post_data = null ) {
|
||||||
$attachment_data = isset( $post_data['attachments'][ $post_ID ] ) ? $post_data['attachments'][ $post_ID ] : array();
|
$attachment_data = isset( $post_data['attachments'][ $post_ID ] ) ? $post_data['attachments'][ $post_ID ] : array();
|
||||||
|
|
||||||
/** This filter is documented in wp-admin/includes/media.php */
|
/** This filter is documented in wp-admin/includes/media.php */
|
||||||
$post_data = apply_filters( 'attachment_fields_to_save', $post_data, $attachment_data );
|
$translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data );
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert taxonomy input to term IDs, to avoid ambiguity.
|
// Convert taxonomy input to term IDs, to avoid ambiguity.
|
||||||
|
|
@ -371,7 +393,7 @@ function edit_post( $post_data = null ) {
|
||||||
$tax_object = get_taxonomy( $taxonomy );
|
$tax_object = get_taxonomy( $taxonomy );
|
||||||
|
|
||||||
if ( $tax_object && isset( $tax_object->meta_box_sanitize_cb ) ) {
|
if ( $tax_object && isset( $tax_object->meta_box_sanitize_cb ) ) {
|
||||||
$post_data['tax_input'][ $taxonomy ] = call_user_func_array( $tax_object->meta_box_sanitize_cb, array( $taxonomy, $terms ) );
|
$translated['tax_input'][ $taxonomy ] = call_user_func_array( $tax_object->meta_box_sanitize_cb, array( $taxonomy, $terms ) );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -380,18 +402,18 @@ function edit_post( $post_data = null ) {
|
||||||
|
|
||||||
update_post_meta( $post_ID, '_edit_last', get_current_user_id() );
|
update_post_meta( $post_ID, '_edit_last', get_current_user_id() );
|
||||||
|
|
||||||
$success = wp_update_post( $post_data );
|
$success = wp_update_post( $translated );
|
||||||
// If the save failed, see if we can sanity check the main fields and try again
|
// If the save failed, see if we can sanity check the main fields and try again
|
||||||
if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) {
|
if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) {
|
||||||
$fields = array( 'post_title', 'post_content', 'post_excerpt' );
|
$fields = array( 'post_title', 'post_content', 'post_excerpt' );
|
||||||
|
|
||||||
foreach ( $fields as $field ) {
|
foreach ( $fields as $field ) {
|
||||||
if ( isset( $post_data[ $field ] ) ) {
|
if ( isset( $translated[ $field ] ) ) {
|
||||||
$post_data[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $post_data[ $field ] );
|
$translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
wp_update_post( $post_data );
|
wp_update_post( $translated );
|
||||||
}
|
}
|
||||||
|
|
||||||
// Now that we have an ID we can fix any attachment anchor hrefs
|
// Now that we have an ID we can fix any attachment anchor hrefs
|
||||||
|
|
@ -569,9 +591,9 @@ function bulk_edit_posts( $post_data = null ) {
|
||||||
unset( $post_data['tax_input']['category'] );
|
unset( $post_data['tax_input']['category'] );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$post_data['post_ID'] = $post_ID;
|
||||||
$post_data['post_type'] = $post->post_type;
|
$post_data['post_type'] = $post->post_type;
|
||||||
$post_data['post_mime_type'] = $post->post_mime_type;
|
$post_data['post_mime_type'] = $post->post_mime_type;
|
||||||
$post_data['guid'] = $post->guid;
|
|
||||||
|
|
||||||
foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) {
|
foreach ( array( 'comment_status', 'ping_status', 'post_author' ) as $field ) {
|
||||||
if ( ! isset( $post_data[ $field ] ) ) {
|
if ( ! isset( $post_data[ $field ] ) ) {
|
||||||
|
|
@ -579,17 +601,15 @@ function bulk_edit_posts( $post_data = null ) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$post_data['ID'] = $post_ID;
|
|
||||||
$post_data['post_ID'] = $post_ID;
|
|
||||||
|
|
||||||
$post_data = _wp_translate_postdata( true, $post_data );
|
$post_data = _wp_translate_postdata( true, $post_data );
|
||||||
if ( is_wp_error( $post_data ) ) {
|
if ( is_wp_error( $post_data ) ) {
|
||||||
$skipped[] = $post_ID;
|
$skipped[] = $post_ID;
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
$post_data = _wp_get_allowed_postdata( $post_data );
|
||||||
|
|
||||||
if ( isset( $post_data['post_format'] ) ) {
|
if ( isset( $shared_post_data['post_format'] ) ) {
|
||||||
set_post_format( $post_ID, $post_data['post_format'] );
|
set_post_format( $post_ID, $shared_post_data['post_format'] );
|
||||||
unset( $post_data['tax_input']['post_format'] );
|
unset( $post_data['tax_input']['post_format'] );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -806,9 +826,10 @@ function wp_write_post() {
|
||||||
if ( is_wp_error( $translated ) ) {
|
if ( is_wp_error( $translated ) ) {
|
||||||
return $translated;
|
return $translated;
|
||||||
}
|
}
|
||||||
|
$translated = _wp_get_allowed_postdata( $translated );
|
||||||
|
|
||||||
// Create the post.
|
// Create the post.
|
||||||
$post_ID = wp_insert_post( $_POST );
|
$post_ID = wp_insert_post( $translated );
|
||||||
if ( is_wp_error( $post_ID ) ) {
|
if ( is_wp_error( $post_ID ) ) {
|
||||||
return $post_ID;
|
return $post_ID;
|
||||||
}
|
}
|
||||||
|
|
@ -1768,6 +1789,7 @@ function wp_create_post_autosave( $post_data ) {
|
||||||
if ( is_wp_error( $post_data ) ) {
|
if ( is_wp_error( $post_data ) ) {
|
||||||
return $post_data;
|
return $post_data;
|
||||||
}
|
}
|
||||||
|
$post_data = _wp_get_allowed_postdata( $post_data );
|
||||||
|
|
||||||
$post_author = get_current_user_id();
|
$post_author = get_current_user_id();
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -200,7 +200,7 @@ switch ( $action ) {
|
||||||
|
|
||||||
// Update the thumbnail filename
|
// Update the thumbnail filename
|
||||||
$newmeta = wp_get_attachment_metadata( $post_id, true );
|
$newmeta = wp_get_attachment_metadata( $post_id, true );
|
||||||
$newmeta['thumb'] = $_POST['thumb'];
|
$newmeta['thumb'] = wp_basename( $_POST['thumb'] );
|
||||||
|
|
||||||
wp_update_attachment_metadata( $post_id, $newmeta );
|
wp_update_attachment_metadata( $post_id, $newmeta );
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -13,7 +13,7 @@
|
||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '5.1-alpha-44294';
|
$wp_version = '5.1-alpha-44295';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue