Code for A Guide to Writing Secure Themes - Part 4: Securing Post Meta
| <?php | |
| function wptrt_add_meta_box() { | |
| add_meta_box( 'wptrt-sample-meta-box', esc_html__( 'WPTRT Sample Meta Box', 'wptrt' ), 'wptrt_print_meta_box', 'post' ); | |
| } | |
| add_action( 'add_meta_boxes', 'wptrt_add_meta_box' ); | |
| function wptrt_print_meta_box() { | |
| wp_nonce_field( 'wptrt-post-meta-box-save', 'wptrt-post-meta-box-nonce' ); | |
| ?> | |
| <p> | |
| <input type="checkbox" id="wptrt-individual-checkbox" name="wptrt-individual-checkbox" value="1" <?php checked( get_post_meta( get_the_ID(), 'wptrt-individual-checkbox', true ) ); ?> /> | |
| <label for="wptrt-individual-checkbox"><?php echo esc_html__( 'Individual Checkbox', 'wptrt' ); ?></label> | |
| </p> | |
| <p> | |
| <label for="wptrt-individual-text-field"><?php echo esc_html__( 'Individual Text Field', 'wptrt' ); ?></label> | |
| <input type="text" id="wptrt-individual-text-field" name="wptrt-individual-text-field" value="<?php echo esc_attr( get_post_meta( get_the_ID(), 'wptrt-individual-text-field', true ) ); ?>" /> | |
| </p> | |
| <?php $hide_elements = (array) get_post_meta( get_the_ID(), 'wptrt-hide-post-element', true ); ?> | |
| <p> | |
| <input type="checkbox" id="wptrt-hide-post-date" name="wptrt-hide-post-element[]" value="date" <?php checked( in_array( 'date', $hide_elements, true ) ); ?> /> | |
| <label for="wptrt-hide-post-date"><?php echo esc_html__( 'Hide Date', 'wptrt' ); ?></label> | |
| </p> | |
| <p> | |
| <input type="checkbox" id="wptrt-hide-post-author" name="wptrt-hide-post-element[]" value="author" <?php checked( in_array( 'author', $hide_elements, true ) ); ?> /> | |
| <label for="wptrt-hide-post-author"><?php echo esc_html__( 'Hide Author', 'wptrt' ); ?></label> | |
| </p> | |
| <p> | |
| <input type="checkbox" id="wptrt-hide-post-categories" name="wptrt-hide-post-element[]" value="categories" <?php checked( in_array( 'categories', $hide_elements, true ) ); ?> /> | |
| <label for="wptrt-hide-post-categories"><?php echo esc_html__( 'Hide Categories', 'wptrt' ); ?></label> | |
| </p> | |
| <?php | |
| $favorite_colors = (array) get_post_meta( get_the_ID(), 'wptrt-favorite-color', true ); | |
| foreach ( wptrt_get_favorite_color_options() as $option => $text ) : | |
| ?> | |
| <p> | |
| <input type="checkbox" id="wptrt-favorite-color-<?php echo esc_attr( $option ); ?>" name="wptrt-favorite-color[]" value="<?php echo esc_attr( $option ); ?>" <?php checked( in_array( $option, $favorite_colors, true ) ); ?> /> | |
| <label for="wptrt-favorite-color-<?php echo esc_attr( $option ); ?>"><?php echo esc_html( $text ); ?></label> | |
| </p> | |
| <?php endforeach; | |
| } | |
| function wptrt_save_meta_box_data( $post_id ) { | |
| if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) { | |
| return; | |
| } | |
| if ( ! isset( $_POST['wptrt-post-meta-box-nonce'] ) && ! wp_verify_nonce( $_POST['wptrt-post-meta-box-nonce'] ) ) { | |
| return; | |
| } | |
| if ( ! current_user_can( 'edit_post', $post_id ) ) { | |
| return; | |
| } | |
| // Individual checkbox. | |
| if ( ! isset( $_POST['wptrt-individual-checkbox'] ) && get_post_meta( $post_id, 'wptrt-individual-checkbox', true ) ) { | |
| delete_post_meta( $post_id, 'wptrt-individual-checkbox' ); | |
| } else { | |
| update_post_meta( $post_id, 'wptrt-individual-checkbox', 1 ); | |
| } | |
| // Individual text field. | |
| if ( empty( $_POST['wptrt-individual-text-field'] ) ) { | |
| if ( get_post_meta( $post_id, 'wptrt-individual-text-field', true ) ) { | |
| delete_post_meta( $post_id, 'wptrt-individual-text-field' ); | |
| } | |
| } else { | |
| update_post_meta( $post_id, 'wptrt-individual-text-field', sanitize_text_field( $_POST['wptrt-individual-text-field'] ) ); | |
| } | |
| // Grouped checkboxes | |
| if ( ! isset( $_POST['wptrt-hide-post-element'] ) ) { | |
| if ( get_post_meta( $post_id, 'wptrt-hide-post-element', true ) ) { | |
| delete_post_meta( $post_id, 'wptrt-hide-post-element' ); | |
| } | |
| } else { | |
| $safe_hide_post_element = array(); | |
| foreach ( $_POST['wptrt-hide-post-element'] as $element ) { | |
| if ( in_array( $element, array( 'date', 'author', 'categories' ), true ) ) { | |
| $safe_hide_post_element[] = $element; | |
| } | |
| } | |
| if ( ! empty( $safe_hide_post_element ) ) { | |
| update_post_meta( $post_id, 'wptrt-hide-post-element', $safe_hide_post_element ); | |
| } | |
| } | |
| // Favorite color | |
| if ( ! isset( $_POST['wptrt-favorite-color'] ) ) { | |
| if ( get_post_meta( $post_id, 'wptrt-favorite-color', true ) ) { | |
| delete_post_meta( $post_id, 'wptrt-favorite-color' ); | |
| } | |
| } else { | |
| $safe_favorite_color = array(); | |
| foreach ( $_POST['wptrt-favorite-color'] as $color ) { | |
| if ( array_key_exists( $color, wptrt_get_favorite_color_options() ) ) { | |
| $safe_favorite_color[] = $color; | |
| } | |
| } | |
| if ( ! empty( $safe_favorite_color ) ) { | |
| update_post_meta( $post_id, 'wptrt-favorite-color', $safe_favorite_color ); | |
| } | |
| } | |
| } | |
| add_action( 'save_post', 'wptrt_save_meta_box_data' ); | |
| function wptrt_get_favorite_color_options() { | |
| return array( | |
| 'blue' => __( 'Blue', 'wptrt' ), | |
| 'red' => __( 'Red', 'wptrt' ), | |
| 'yellow' => __( 'Yellow', 'wptrt' ), | |
| ); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment