Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Code for A Guide to Writing Secure Themes - Part 4: Securing Post Meta
<?php
function wptrt_add_meta_box() {
add_meta_box( 'wptrt-sample-meta-box', esc_html__( 'WPTRT Sample Meta Box', 'wptrt' ), 'wptrt_print_meta_box', 'post' );
}
add_action( 'add_meta_boxes', 'wptrt_add_meta_box' );
function wptrt_print_meta_box() {
wp_nonce_field( 'wptrt-post-meta-box-save', 'wptrt-post-meta-box-nonce' );
?>
<p>
<input type="checkbox" id="wptrt-individual-checkbox" name="wptrt-individual-checkbox" value="1" <?php checked( get_post_meta( get_the_ID(), 'wptrt-individual-checkbox', true ) ); ?> />
<label for="wptrt-individual-checkbox"><?php echo esc_html__( 'Individual Checkbox', 'wptrt' ); ?></label>
</p>
<p>
<label for="wptrt-individual-text-field"><?php echo esc_html__( 'Individual Text Field', 'wptrt' ); ?></label>
<input type="text" id="wptrt-individual-text-field" name="wptrt-individual-text-field" value="<?php echo esc_attr( get_post_meta( get_the_ID(), 'wptrt-individual-text-field', true ) ); ?>" />
</p>
<?php $hide_elements = (array) get_post_meta( get_the_ID(), 'wptrt-hide-post-element', true ); ?>
<p>
<input type="checkbox" id="wptrt-hide-post-date" name="wptrt-hide-post-element[]" value="date" <?php checked( in_array( 'date', $hide_elements, true ) ); ?> />
<label for="wptrt-hide-post-date"><?php echo esc_html__( 'Hide Date', 'wptrt' ); ?></label>
</p>
<p>
<input type="checkbox" id="wptrt-hide-post-author" name="wptrt-hide-post-element[]" value="author" <?php checked( in_array( 'author', $hide_elements, true ) ); ?> />
<label for="wptrt-hide-post-author"><?php echo esc_html__( 'Hide Author', 'wptrt' ); ?></label>
</p>
<p>
<input type="checkbox" id="wptrt-hide-post-categories" name="wptrt-hide-post-element[]" value="categories" <?php checked( in_array( 'categories', $hide_elements, true ) ); ?> />
<label for="wptrt-hide-post-categories"><?php echo esc_html__( 'Hide Categories', 'wptrt' ); ?></label>
</p>
<?php
$favorite_colors = (array) get_post_meta( get_the_ID(), 'wptrt-favorite-color', true );
foreach ( wptrt_get_favorite_color_options() as $option => $text ) :
?>
<p>
<input type="checkbox" id="wptrt-favorite-color-<?php echo esc_attr( $option ); ?>" name="wptrt-favorite-color[]" value="<?php echo esc_attr( $option ); ?>" <?php checked( in_array( $option, $favorite_colors, true ) ); ?> />
<label for="wptrt-favorite-color-<?php echo esc_attr( $option ); ?>"><?php echo esc_html( $text ); ?></label>
</p>
<?php endforeach;
}
function wptrt_save_meta_box_data( $post_id ) {
if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
return;
}
if ( ! isset( $_POST['wptrt-post-meta-box-nonce'] ) && ! wp_verify_nonce( $_POST['wptrt-post-meta-box-nonce'] ) ) {
return;
}
if ( ! current_user_can( 'edit_post', $post_id ) ) {
return;
}
// Individual checkbox.
if ( ! isset( $_POST['wptrt-individual-checkbox'] ) && get_post_meta( $post_id, 'wptrt-individual-checkbox', true ) ) {
delete_post_meta( $post_id, 'wptrt-individual-checkbox' );
} else {
update_post_meta( $post_id, 'wptrt-individual-checkbox', 1 );
}
// Individual text field.
if ( empty( $_POST['wptrt-individual-text-field'] ) ) {
if ( get_post_meta( $post_id, 'wptrt-individual-text-field', true ) ) {
delete_post_meta( $post_id, 'wptrt-individual-text-field' );
}
} else {
update_post_meta( $post_id, 'wptrt-individual-text-field', sanitize_text_field( $_POST['wptrt-individual-text-field'] ) );
}
// Grouped checkboxes
if ( ! isset( $_POST['wptrt-hide-post-element'] ) ) {
if ( get_post_meta( $post_id, 'wptrt-hide-post-element', true ) ) {
delete_post_meta( $post_id, 'wptrt-hide-post-element' );
}
} else {
$safe_hide_post_element = array();
foreach ( $_POST['wptrt-hide-post-element'] as $element ) {
if ( in_array( $element, array( 'date', 'author', 'categories' ), true ) ) {
$safe_hide_post_element[] = $element;
}
}
if ( ! empty( $safe_hide_post_element ) ) {
update_post_meta( $post_id, 'wptrt-hide-post-element', $safe_hide_post_element );
}
}
// Favorite color
if ( ! isset( $_POST['wptrt-favorite-color'] ) ) {
if ( get_post_meta( $post_id, 'wptrt-favorite-color', true ) ) {
delete_post_meta( $post_id, 'wptrt-favorite-color' );
}
} else {
$safe_favorite_color = array();
foreach ( $_POST['wptrt-favorite-color'] as $color ) {
if ( array_key_exists( $color, wptrt_get_favorite_color_options() ) ) {
$safe_favorite_color[] = $color;
}
}
if ( ! empty( $safe_favorite_color ) ) {
update_post_meta( $post_id, 'wptrt-favorite-color', $safe_favorite_color );
}
}
}
add_action( 'save_post', 'wptrt_save_meta_box_data' );
function wptrt_get_favorite_color_options() {
return array(
'blue' => __( 'Blue', 'wptrt' ),
'red' => __( 'Red', 'wptrt' ),
'yellow' => __( 'Yellow', 'wptrt' ),
);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment