Code for A Guide to Writing Secure Themes - Part 4: Securing Post Meta
<?php | |
/**
 * Registers the sample meta box on the post edit screen.
 *
 * Hooked to `add_meta_boxes`; the box body is rendered by wptrt_print_meta_box().
 */
function wptrt_add_meta_box() {
	$box_id    = 'wptrt-sample-meta-box';
	$box_title = esc_html__( 'WPTRT Sample Meta Box', 'wptrt' );

	add_meta_box( $box_id, $box_title, 'wptrt_print_meta_box', 'post' );
}
// Register the box whenever the edit screen collects its meta boxes.
add_action( 'add_meta_boxes', 'wptrt_add_meta_box' );
/**
 * Renders the body of the sample meta box.
 *
 * Callback passed to add_meta_box() in wptrt_add_meta_box(). Prints the hidden
 * nonce field, then one control per meta key, each pre-filled from the current
 * post's meta. Every dynamic value is passed through esc_attr()/esc_html()
 * before it reaches the markup.
 */
function wptrt_print_meta_box() {
	// The same action/name pair has to be verified by the save handler.
	wp_nonce_field( 'wptrt-post-meta-box-save', 'wptrt-post-meta-box-nonce' );
	?>
	<p>
		<input type="checkbox" id="wptrt-individual-checkbox" name="wptrt-individual-checkbox" value="1" <?php checked( get_post_meta( get_the_ID(), 'wptrt-individual-checkbox', true ) ); ?> />
		<label for="wptrt-individual-checkbox"><?php echo esc_html__( 'Individual Checkbox', 'wptrt' ); ?></label>
	</p>
	<p>
		<label for="wptrt-individual-text-field"><?php echo esc_html__( 'Individual Text Field', 'wptrt' ); ?></label>
		<input type="text" id="wptrt-individual-text-field" name="wptrt-individual-text-field" value="<?php echo esc_attr( get_post_meta( get_the_ID(), 'wptrt-individual-text-field', true ) ); ?>" />
	</p>
	<?php
	// The meta value is a list of element names; the cast turns a missing value into an empty array.
	$hide_elements = (array) get_post_meta( get_the_ID(), 'wptrt-hide-post-element', true );
	?>
	<p>
		<input type="checkbox" id="wptrt-hide-post-date" name="wptrt-hide-post-element[]" value="date" <?php checked( in_array( 'date', $hide_elements, true ) ); ?> />
		<label for="wptrt-hide-post-date"><?php echo esc_html__( 'Hide Date', 'wptrt' ); ?></label>
	</p>
	<p>
		<input type="checkbox" id="wptrt-hide-post-author" name="wptrt-hide-post-element[]" value="author" <?php checked( in_array( 'author', $hide_elements, true ) ); ?> />
		<label for="wptrt-hide-post-author"><?php echo esc_html__( 'Hide Author', 'wptrt' ); ?></label>
	</p>
	<p>
		<input type="checkbox" id="wptrt-hide-post-categories" name="wptrt-hide-post-element[]" value="categories" <?php checked( in_array( 'categories', $hide_elements, true ) ); ?> />
		<label for="wptrt-hide-post-categories"><?php echo esc_html__( 'Hide Categories', 'wptrt' ); ?></label>
	</p>
	<?php
	// One checkbox per option; the option keys double as the stored values.
	$favorite_colors = (array) get_post_meta( get_the_ID(), 'wptrt-favorite-color', true );
	foreach ( wptrt_get_favorite_color_options() as $option => $text ) :
		?>
		<p>
			<input type="checkbox" id="wptrt-favorite-color-<?php echo esc_attr( $option ); ?>" name="wptrt-favorite-color[]" value="<?php echo esc_attr( $option ); ?>" <?php checked( in_array( $option, $favorite_colors, true ) ); ?> />
			<label for="wptrt-favorite-color-<?php echo esc_attr( $option ); ?>"><?php echo esc_html( $text ); ?></label>
		</p>
		<?php
	endforeach;
}
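/**
 * Persists the sample meta box fields when a post is saved.
 *
 * Hooked to `save_post`. Bails on autosave, when the nonce printed by
 * wptrt_print_meta_box() is missing or fails verification, or when the current
 * user may not edit the post. Every submitted value is either validated against
 * a fixed list of allowed values or run through sanitize_text_field() before it
 * is stored.
 *
 * @param int $post_id ID of the post being saved.
 * @return void
 */
function wptrt_save_meta_box_data( $post_id ) {
	if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
		return;
	}

	// A missing nonce is refused outright; a present nonce is then verified
	// against the action it was created with. The original `! isset() && ! verify()`
	// let any submitted nonce value through, so both checks are separate here.
	if ( ! isset( $_POST['wptrt-post-meta-box-nonce'] ) ) {
		return;
	}
	$nonce = sanitize_text_field( wp_unslash( $_POST['wptrt-post-meta-box-nonce'] ) );
	if ( ! wp_verify_nonce( $nonce, 'wptrt-post-meta-box-save' ) ) {
		return;
	}

	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}

	// Individual checkbox: present in the request means checked, absent means
	// unchecked. Deleting unconditionally avoids writing `1` for an unchecked
	// box on a post that had no meta yet.
	if ( isset( $_POST['wptrt-individual-checkbox'] ) ) {
		update_post_meta( $post_id, 'wptrt-individual-checkbox', 1 );
	} else {
		delete_post_meta( $post_id, 'wptrt-individual-checkbox' );
	}

	// Individual text field. Compared with '' rather than empty() so that a
	// legitimate value of "0" is kept.
	$text = isset( $_POST['wptrt-individual-text-field'] )
		? sanitize_text_field( wp_unslash( $_POST['wptrt-individual-text-field'] ) )
		: '';
	if ( '' === $text ) {
		delete_post_meta( $post_id, 'wptrt-individual-text-field' );
	} else {
		update_post_meta( $post_id, 'wptrt-individual-text-field', $text );
	}

	// Grouped checkboxes: only the three known element names are stored.
	wptrt_save_allowed_list( $post_id, 'wptrt-hide-post-element', array( 'date', 'author', 'categories' ) );

	// Favorite color: only keys of the option list are stored.
	wptrt_save_allowed_list( $post_id, 'wptrt-favorite-color', array_keys( wptrt_get_favorite_color_options() ) );
}

/**
 * Stores the submitted values of a multi-checkbox field, keeping only allowed ones.
 *
 * The meta key is deleted when the field is absent from the request or when
 * none of the submitted values is allowed, so a tampered request cannot leave a
 * stale or unexpected value behind.
 *
 * @param int      $post_id ID of the post being saved.
 * @param string   $key     Meta key, identical to the request field name.
 * @param string[] $allowed Values accepted for this field.
 * @return void
 */
function wptrt_save_allowed_list( $post_id, $key, $allowed ) {
	if ( ! isset( $_POST[ $key ] ) ) {
		delete_post_meta( $post_id, $key );
		return;
	}

	// The cast guards against a request that sends a scalar where a list is expected.
	$submitted = (array) wp_unslash( $_POST[ $key ] );

	$safe = array();
	foreach ( $submitted as $value ) {
		if ( is_string( $value ) && in_array( $value, $allowed, true ) ) {
			$safe[] = $value;
		}
	}

	if ( empty( $safe ) ) {
		delete_post_meta( $post_id, $key );
	} else {
		update_post_meta( $post_id, $key, $safe );
	}
}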
// Run the save handler for every post save, including revisions and other post types;
// the nonce check inside the handler limits the effect to submissions of this meta box.
add_action( 'save_post', 'wptrt_save_meta_box_data' );
/**
 * Returns the selectable favorite colors.
 *
 * The keys are the values stored in post meta and accepted on save; the values
 * are the translated labels shown next to each checkbox.
 *
 * @return array<string, string> Map of color key to translated label.
 */
function wptrt_get_favorite_color_options() {
	$options = array();

	$options['blue']   = __( 'Blue', 'wptrt' );
	$options['red']    = __( 'Red', 'wptrt' );
	$options['yellow'] = __( 'Yellow', 'wptrt' );

	return $options;
}