Code for A Guide to Writing Secure Themes - Part 4: Securing Post Meta
<?php | |
/**
 * Registers the sample meta box on the post edit screen.
 *
 * Hooked to `add_meta_boxes`; the box body is rendered by
 * wptrt_print_meta_box() and saved by wptrt_save_meta_box_data().
 *
 * @return void
 */
function wptrt_add_meta_box() {
	$box_id    = 'wptrt-sample-meta-box';
	$box_title = esc_html__( 'WPTRT Sample Meta Box', 'wptrt' );

	add_meta_box( $box_id, $box_title, 'wptrt_print_meta_box', 'post' );
}
// Register the meta box when the edit screen collects its boxes (default priority/arity).
add_action( 'add_meta_boxes', 'wptrt_add_meta_box', 10, 1 );
/**
 * Renders the fields of the sample meta box.
 *
 * Prints the nonce field plus four field groups: a single checkbox, a single
 * text field, a "hide element" checkbox group and a "favorite color"
 * checkbox group. Every stored value is escaped for its output context
 * (attribute or HTML text); saving is done by wptrt_save_meta_box_data().
 *
 * @return void
 */
function wptrt_print_meta_box() {
	$post_id = get_the_ID();

	// Nonce that the save handler verifies before touching any meta.
	wp_nonce_field( 'wptrt-post-meta-box-save', 'wptrt-post-meta-box-nonce' );

	// Individual checkbox: stored as 1 when checked, absent otherwise.
	$individual_checked = get_post_meta( $post_id, 'wptrt-individual-checkbox', true );
	?>
	<p>
		<input type="checkbox" id="wptrt-individual-checkbox" name="wptrt-individual-checkbox" value="1" <?php checked( $individual_checked ); ?> />
		<label for="wptrt-individual-checkbox"><?php echo esc_html__( 'Individual Checkbox', 'wptrt' ); ?></label>
	</p>
	<?php
	// Individual text field: escaped for the attribute context on output.
	$individual_text = get_post_meta( $post_id, 'wptrt-individual-text-field', true );
	?>
	<p>
		<label for="wptrt-individual-text-field"><?php echo esc_html__( 'Individual Text Field', 'wptrt' ); ?></label>
		<input type="text" id="wptrt-individual-text-field" name="wptrt-individual-text-field" value="<?php echo esc_attr( $individual_text ); ?>" />
	</p>
	<?php
	// Grouped checkboxes that share one array-valued meta key.
	$hide_elements = (array) get_post_meta( $post_id, 'wptrt-hide-post-element', true );
	$hide_labels   = array(
		'date'       => __( 'Hide Date', 'wptrt' ),
		'author'     => __( 'Hide Author', 'wptrt' ),
		'categories' => __( 'Hide Categories', 'wptrt' ),
	);

	foreach ( $hide_labels as $element => $label ) :
		$field_id = 'wptrt-hide-post-' . $element;
		?>
		<p>
			<input type="checkbox" id="<?php echo esc_attr( $field_id ); ?>" name="wptrt-hide-post-element[]" value="<?php echo esc_attr( $element ); ?>" <?php checked( in_array( $element, $hide_elements, true ) ); ?> />
			<label for="<?php echo esc_attr( $field_id ); ?>"><?php echo esc_html( $label ); ?></label>
		</p>
		<?php
	endforeach;

	// Favorite colors: one checkbox per option returned by the option list.
	$favorite_colors = (array) get_post_meta( $post_id, 'wptrt-favorite-color', true );

	foreach ( wptrt_get_favorite_color_options() as $option => $text ) :
		$field_id = 'wptrt-favorite-color-' . $option;
		?>
		<p>
			<input type="checkbox" id="<?php echo esc_attr( $field_id ); ?>" name="wptrt-favorite-color[]" value="<?php echo esc_attr( $option ); ?>" <?php checked( in_array( $option, $favorite_colors, true ) ); ?> />
			<label for="<?php echo esc_attr( $field_id ); ?>"><?php echo esc_html( $text ); ?></label>
		</p>
		<?php
	endforeach;
}
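/**
 * Saves the sample meta box fields when a post is saved.
 *
 * Hooked to `save_post`. Bails on autosave, when the nonce printed by
 * wptrt_print_meta_box() is missing or does not verify, or when the current
 * user may not edit the post. Each field is then validated against the
 * values the form can actually submit before it is written; an unchecked or
 * blank field removes its meta instead of leaving a stale value behind.
 *
 * @param int $post_id ID of the post being saved.
 * @return void
 */
function wptrt_save_meta_box_data( $post_id ) {
	if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
		return;
	}

	// The nonce must be present AND verify against the action it was created
	// with. The earlier form (`! isset( ... ) && ! wp_verify_nonce( ... )`
	// with no action) never rejected a present-but-invalid nonce.
	$nonce = isset( $_POST['wptrt-post-meta-box-nonce'] ) && is_string( $_POST['wptrt-post-meta-box-nonce'] )
		? sanitize_key( wp_unslash( $_POST['wptrt-post-meta-box-nonce'] ) )
		: '';

	if ( '' === $nonce || ! wp_verify_nonce( $nonce, 'wptrt-post-meta-box-save' ) ) {
		return;
	}

	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}

	// Individual checkbox: a checked box submits "1", an unchecked box submits
	// nothing, so "not set" means "unchecked" and the meta is removed. (The
	// earlier `! isset( ... ) && get_post_meta( ... )` test fell through to
	// update_post_meta() for an unchecked box with no existing meta.)
	if ( isset( $_POST['wptrt-individual-checkbox'] ) ) {
		update_post_meta( $post_id, 'wptrt-individual-checkbox', 1 );
	} else {
		delete_post_meta( $post_id, 'wptrt-individual-checkbox' );
	}

	// Individual text field: sanitized, removed when blank. A strict '' test
	// replaces empty() so a legitimate value of "0" is not treated as blank.
	// The raw POST value is passed to sanitize_text_field() as in the original;
	// update_post_meta() expects slashed input and unslashes it itself.
	$text = isset( $_POST['wptrt-individual-text-field'] ) && is_string( $_POST['wptrt-individual-text-field'] )
		? sanitize_text_field( $_POST['wptrt-individual-text-field'] )
		: '';

	if ( '' === $text ) {
		delete_post_meta( $post_id, 'wptrt-individual-text-field' );
	} else {
		update_post_meta( $post_id, 'wptrt-individual-text-field', $text );
	}

	// Grouped checkboxes: only the values the form emits are stored.
	wptrt_save_meta_list(
		$post_id,
		'wptrt-hide-post-element',
		isset( $_POST['wptrt-hide-post-element'] ) ? $_POST['wptrt-hide-post-element'] : null,
		array( 'date', 'author', 'categories' )
	);

	// Favorite color: the allowed values are the keys of the option list.
	wptrt_save_meta_list(
		$post_id,
		'wptrt-favorite-color',
		isset( $_POST['wptrt-favorite-color'] ) ? $_POST['wptrt-favorite-color'] : null,
		array_keys( wptrt_get_favorite_color_options() )
	);
}

/**
 * Stores an allow-listed list of strings under a single post meta key.
 *
 * Submitted values not present in $allowed are dropped. When nothing valid
 * remains (including when the field was not submitted at all) the meta key
 * is deleted, so a stale list never survives a submission that cleared or
 * tampered with every box.
 *
 * @internal Helper for wptrt_save_meta_box_data().
 *
 * @param int      $post_id   Post to write to.
 * @param string   $meta_key  Meta key holding the list.
 * @param mixed    $submitted Raw submitted value; normally a list of strings but may be anything.
 * @param string[] $allowed   Values that may be stored.
 * @return void
 */
function wptrt_save_meta_list( $post_id, $meta_key, $submitted, $allowed ) {
	$safe = array();

	// A crafted request can send a scalar or nested arrays here: the cast
	// keeps foreach from warning on a scalar, and is_string() keeps non-string
	// entries away from the comparison (array_key_exists() on an array key is
	// a TypeError on PHP 8).
	foreach ( (array) $submitted as $value ) {
		if ( is_string( $value ) && in_array( $value, $allowed, true ) ) {
			$safe[] = $value;
		}
	}

	if ( empty( $safe ) ) {
		delete_post_meta( $post_id, $meta_key );
	} else {
		update_post_meta( $post_id, $meta_key, $safe );
	}
}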
// Persist the meta box fields on every post save (default priority/arity).
add_action( 'save_post', 'wptrt_save_meta_box_data', 10, 1 );
/**
 * Returns the selectable favorite colors.
 *
 * The keys are the values submitted by the form and stored in post meta;
 * the values are the translated labels shown next to each checkbox.
 *
 * @return array<string, string> Color slug => label.
 */
function wptrt_get_favorite_color_options() {
	$options = array();

	$options['blue']   = __( 'Blue', 'wptrt' );
	$options['red']    = __( 'Red', 'wptrt' );
	$options['yellow'] = __( 'Yellow', 'wptrt' );

	return $options;
}