From 3658bca7fde4ca8c01ac9f85928fda7fa60bbd85 Mon Sep 17 00:00:00 2001
From: Pascal Birchler
Date: Sat, 2 Mar 2024 14:13:09 +0000
Subject: [PATCH] Editor: do not expose protected post meta fields in block bindings.
Ignores meta keys which are considered protected or not registered to be shown in the REST API. Adds tests.
Props santosguillamot, swissspidy, gziolo, xknown, peterwilsoncc.
Fixes #60651.
Built from https://develop.svn.wordpress.org/trunk@57754
git-svn-id: http://core.svn.wordpress.org/trunk@57255 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/block-bindings/post-meta.php | 13 +++++++++++++
 wp-includes/version.php | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/wp-includes/block-bindings/post-meta.php b/wp-includes/block-bindings/post-meta.php
index 5aa6bf048d..75062f5ca3 100644
--- a/wp-includes/block-bindings/post-meta.php
+++ b/wp-includes/block-bindings/post-meta.php
@@ -34,6 +34,19 @@ function _block_bindings_post_meta_get_value( array $source_args, $block_instanc
 return null;
 }
+ // Check if the meta field is protected.
+ if ( is_protected_meta( $source_args['key'], 'post' ) ) {
+ return null;
+ }
+
+ // Check if the meta field is registered to be shown in REST.
+ $meta_keys = get_registered_meta_keys( 'post', $block_instance->context['postType'] );
+ // Add fields registered for all subtypes.
+ $meta_keys = array_merge( $meta_keys, get_registered_meta_keys( 'post', '' ) );
+ if ( empty( $meta_keys[ $source_args['key'] ]['show_in_rest'] ) ) {
+ return null;
+ }
+
 return get_post_meta( $post_id, $source_args['key'], true );
 }
diff --git a/wp-includes/version.php b/wp-includes/version.php
index b553ed6877..f26dc4764e 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.5-beta3-57753';
+$wp_version = '6.5-beta3-57754';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
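Review bot: In the post-meta.php hunk, the REST-visibility check looks up registered keys by `$block_instance->context['postType']`, which is read without an existence check and is not tied to the post that `get_post_meta( $post_id, ... )` then reads. If the context has no `postType`, or (not verifiable from this hunk) names a different type than the post behind `$post_id`, the `show_in_rest` allowlist consulted is not the one registered for that post. Resolving the type from the post itself would remove that dependency: `$post_type = get_post_type( $post_id ); if ( ! $post_type ) { return null; }`, followed by `get_registered_meta_keys( 'post', $post_type )`. `$post_id` is assigned earlier in `_block_bindings_post_meta_get_value`, outside the hunk, so any existing context validation there should be confirmed first.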