Explicitly save sp values for security
31
actions.php
31
actions.php
@@ -94,12 +94,33 @@ function sp_nonce() {
|
||||
|
||||
function sp_save_post( $post_id ) {
|
||||
global $post, $typenow;
|
||||
if ( isset( $_POST['sportspress'] ) ):
|
||||
$sportspress = (array)$_POST['sportspress'];
|
||||
if ( isset( $_POST ) && !empty( $sportspress ) ):
|
||||
if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) return $post_id;
|
||||
if ( !current_user_can( 'edit_post', $post_id ) ) return $post_id;
|
||||
if ( !isset( $_POST['sportspress_nonce'] ) || ! wp_verify_nonce( $_POST['sportspress_nonce'], plugin_basename( __FILE__ ) ) ) return $post_id;
|
||||
switch ( $_POST['post_type'] ):
|
||||
case ( 'sp_team' ):
|
||||
update_post_meta( $post_id, 'sp_stats', $_POST['sp_stats'] );
|
||||
break;
|
||||
case ( 'sp_event' ):
|
||||
update_post_meta( $post_id, 'sp_stats', $_POST['sp_stats'] );
|
||||
sp_update_post_meta_recursive( $post_id, 'sp_team', $_POST['sp_team'] );
|
||||
sp_update_post_meta_recursive( $post_id, 'sp_player', $_POST['sp_player'] );
|
||||
break;
|
||||
case ( 'sp_player' ):
|
||||
update_post_meta( $post_id, 'sp_stats', $_POST['sp_stats'] );
|
||||
sp_update_post_meta_recursive( $post_id, 'sp_team', $_POST['sp_team'] );
|
||||
break;
|
||||
case ( 'sp_staff' ):
|
||||
sp_update_post_meta_recursive( $post_id, 'sp_team', $_POST['sp_team'] );
|
||||
break;
|
||||
case ( 'sp_table' ):
|
||||
update_post_meta( $post_id, 'sp_stats', $_POST['sp_stats'] );
|
||||
sp_update_post_meta_recursive( $post_id, 'sp_team', $_POST['sp_team'] );
|
||||
break;
|
||||
endswitch;
|
||||
|
||||
/*
|
||||
|
||||
foreach ( $sportspress as $key => $value ):
|
||||
delete_post_meta( $post_id, $key );
|
||||
if ( is_array( $value ) ):
|
||||
@@ -115,8 +136,8 @@ function sp_save_post( $post_id ) {
|
||||
update_post_meta( $post_id, $key, $value );
|
||||
endif;
|
||||
endforeach;
|
||||
endif;
|
||||
endif;
|
||||
|
||||
*/
|
||||
}
|
||||
add_action( 'save_post', 'sp_save_post' );
|
||||
?>
|
||||
@@ -44,7 +44,7 @@ function sp_event_team_meta( $post ) {
|
||||
<?php
|
||||
$args = array(
|
||||
'post_type' => 'sp_team',
|
||||
'name' => 'sportspress[sp_team][]',
|
||||
'name' => 'sp_team[]',
|
||||
'class' => 'sportspress-pages',
|
||||
'show_option_none' => sprintf( __( 'Select %s' ), 'Team' ),
|
||||
'option_none_value' => 0,
|
||||
|
||||
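Review bot: In the sp_save_post hunk at the top of actions.php, the branch selection at `switch ( $_POST['post_type'] ):` trusts a post type supplied by the request rather than the post being saved; the `current_user_can( 'edit_post', $post_id )` check above only proves the user may edit `$post_id`, so the set of meta keys written should come from the post itself, `switch ( get_post_type( $post_id ) ):`. Each branch also reads `$_POST['sp_stats']`, `$_POST['sp_team']` and `$_POST['sp_player']` without an `isset()` guard and passes them to `update_post_meta()` / `sp_update_post_meta_recursive()` unsanitised, so at minimum each call should be wrapped like `if ( isset( $_POST['sp_team'] ) ) sp_update_post_meta_recursive( $post_id, 'sp_team', $_POST['sp_team'] );` and the id values cast to integers before storage. The outer gate `if ( isset( $_POST['sportspress'] ) ):` is kept while the sp_event_team_meta hunk below and the helpers.php hunks rename every visible field away from the `sportspress[...]` prefix; unless sp_nonce() (outside the hunk) still emits a field named `sportspress`, the handler never reaches the switch, and the `isset( $_POST )` on the following line is always true and can be dropped. The `sp_table` branch saves `sp_stats` and `sp_team` but not `sp_league`, which the sp_table_team_meta hunk further down renames to a bare `sp_league` field, so with the generic loop now commented out that value appears to have no save path. The old loop should be deleted rather than left inside `/* ... */`, since the commit message already records why it was replaced.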
18
helpers.php
18
helpers.php
@@ -170,7 +170,7 @@ if ( !function_exists( 'sp_post_checklist' ) ) {
|
||||
global $post_id;
|
||||
?>
|
||||
<div id="<?php echo $meta; ?>-all" class="posttypediv wp-tab-panel sp-tab-panel" style="display: <?php echo $display; ?>;">
|
||||
<input type="hidden" value="0" name="sportspress[<?php echo $meta; ?>]<?php if ( isset( $index ) ) echo '[' . $index . ']'; ?>[]" />
|
||||
<input type="hidden" value="0" name="<?php echo $meta; ?><?php if ( isset( $index ) ) echo '[' . $index . ']'; ?>[]" />
|
||||
<ul class="categorychecklist form-no-clear">
|
||||
<?php
|
||||
$selected = sp_array_between( (array)get_post_meta( $post_id, $meta, false ), 0, $index );
|
||||
@@ -198,7 +198,7 @@ if ( !function_exists( 'sp_post_checklist' ) ) {
|
||||
?>">
|
||||
<?php echo str_repeat( '<ul><li>', sizeof( $parents ) ); ?>
|
||||
<label class="selectit">
|
||||
<input type="checkbox" value="<?php echo $post->ID; ?>" name="sportspress[<?php echo $meta; ?>]<?php if ( isset( $index ) ) echo '[' . $index . ']'; ?>[]"<?php if ( in_array( $post->ID, $selected ) ) echo ' checked="checked"'; ?>>
|
||||
<input type="checkbox" value="<?php echo $post->ID; ?>" name="<?php echo $meta; ?><?php if ( isset( $index ) ) echo '[' . $index . ']'; ?>[]"<?php if ( in_array( $post->ID, $selected ) ) echo ' checked="checked"'; ?>>
|
||||
<?php
|
||||
$title = $post->post_title;
|
||||
if ( empty( $title ) )
|
||||
@@ -267,7 +267,7 @@ if ( !function_exists( 'sp_stats_table' ) ) {
|
||||
$value = sp_array_value( $values, $j, '' );
|
||||
$placeholder = (int)sp_array_value( sp_array_value( $placeholders, $key, 0), $j, 0 );
|
||||
?>
|
||||
<td><input type="text" name="sportspress[<?php echo $slug; ?>][<?php echo $index; ?>][<?php echo $key; ?>][]" value="<?php echo $value; ?>" placeholder="<?php echo $placeholder; ?>" /></td>
|
||||
<td><input type="text" name="<?php echo $slug; ?>[<?php echo $index; ?>][<?php echo $key; ?>][]" value="<?php echo $value; ?>" placeholder="<?php echo $placeholder; ?>" /></td>
|
||||
<?php endfor; ?>
|
||||
</tr>
|
||||
<?php
|
||||
@@ -281,7 +281,7 @@ if ( !function_exists( 'sp_stats_table' ) ) {
|
||||
<?php for ( $j = 0; $j < sizeof( $columns ) - 1; $j ++ ):
|
||||
$value = sp_array_value( $values, $j, '' );
|
||||
?>
|
||||
<td><input type="text" name="sportspress[<?php echo $slug; ?>][<?php echo $index; ?>][0][]" value="<?php echo $value; ?>" /></td>
|
||||
<td><input type="text" name="<?php echo $slug; ?>[<?php echo $index; ?>][0][]" value="<?php echo $value; ?>" /></td>
|
||||
<?php endfor; ?>
|
||||
</tr>
|
||||
<?php endif; ?>
|
||||
@@ -305,4 +305,14 @@ if ( !function_exists( 'sp_post_adder' ) ) {
|
||||
<?php
|
||||
}
|
||||
}
|
||||
|
||||
if ( !function_exists( 'sp_update_post_meta_recursive' ) ) {
|
||||
function sp_update_post_meta_recursive( $post_id, $name, $array ) {
|
||||
delete_post_meta( $post_id, $name );
|
||||
$values = new RecursiveIteratorIterator( new RecursiveArrayIterator( $array ) );
|
||||
foreach ( $values as $value ):
|
||||
add_post_meta( $post_id, $name, $value, false );
|
||||
endforeach;
|
||||
}
|
||||
}
|
||||
?>
|
||||
@@ -43,7 +43,7 @@ function sp_table_team_meta( $post ) {
|
||||
$args = array(
|
||||
'show_option_all' => sprintf( __( 'All %s', 'sportspress' ), __( 'Leagues', 'sportspress' ) ),
|
||||
'taxonomy' => 'sp_league',
|
||||
'name' => 'sportspress[sp_league]',
|
||||
'name' => 'sp_league',
|
||||
'selected' => $league
|
||||
);
|
||||
sp_dropdown_taxonomies( $args );
|
||||
|
||||
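Review bot: `sp_update_post_meta_recursive()` in the last helpers.php hunk calls `delete_post_meta( $post_id, $name )` before it checks `$array`, and `new RecursiveArrayIterator( $array )` rejects a non-array argument with an exception, so a request that posts `sp_team` as a plain string leaves the post with its existing meta wiped and the save aborted part-way; an early `if ( ! is_array( $array ) ) return;` before the delete, or `new RecursiveArrayIterator( (array) $array )`, keeps the delete and the adds together. The flattening loop stores every leaf verbatim: the hidden `value="0"` sentinel that the renamed checklist input posts on each request will be written as a meta entry unless the caller drops it, and nothing here casts values, so ids such as `sp_team` should be sanitised per leaf (e.g. `absint( $value )`) before `add_post_meta()`. Because `$name` and `$array` come straight from `$_POST` in sp_save_post, a short docblock stating that callers are responsible for the capability/nonce checks and for sanitising `$array` would make that contract explicit.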