
Validate metadata term in calendar AJAX update handler#946

Merged
GaryJones merged 1 commit into develop from GaryJones/validate-calendar-metadata-term on Apr 23, 2026

Conversation

@GaryJones
Contributor

Summary

EF_Calendar::handle_ajax_update_metadata accepted a metadata_term
value from the request and used it in two ways without checking what
it referred to. For editorial metadata updates it was concatenated
into a post meta key of the form _ef_editorial_meta_{type}_{term};
for taxonomy updates it was passed straight to wp_set_post_terms
as the taxonomy argument. A user with edit_post capability could
therefore write arbitrary post meta keys on a post, or assign terms
from any registered taxonomy — including taxonomies not intended to
be edited from the calendar.

This PR constrains metadata_term before it is used. For the
editorial metadata branch the term must match the slug of an
existing editorial metadata term (via get_editorial_metadata_term_by).
For the taxonomy branch it must be a taxonomy registered on the post's
post type (via get_object_taxonomies). Both inputs are also sanitised
up front so the phpcs:disable block narrows to the one value that is
still passed through to wp_set_post_terms unchanged (arrays of term
IDs/names continue to be accepted there).

A new integration test exercises the three rejection paths: unknown
editorial metadata slug, unknown taxonomy, and empty term.

Test plan

  • composer test:integration -- tests/Integration/CalendarMetadataAjaxTest.php passes in CI
  • Editing an editorial metadata field from the calendar still saves as before
  • Editing a taxonomy field (e.g. categories) from the calendar still saves as before

The handle_ajax_update_metadata handler accepted an unvalidated
metadata_term from the request and used it either as part of a
post meta key or as the taxonomy argument to wp_set_post_terms.
A user with edit_post capability could therefore write arbitrary
post meta keys on a post, or assign terms from any registered
taxonomy — including taxonomies not intended to be edited via
this interface.

Constrain the term before use: for editorial metadata updates
it must match the slug of an existing editorial metadata term,
and for taxonomy updates it must be a taxonomy registered on
the post's post type. Both inputs are also now sanitised up
front so the phpcs suppressions can be tightened to the single
value that still passes through wp_set_post_terms.
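A worked illustration of the two allowlist checks the PR describes, written for this page rather than taken from Edit Flow's code base. It assumes a loaded WordPress runtime (sanitize_key, get_object_taxonomies, wp_set_post_terms, update_post_meta, WP_Error) and that the Edit Flow editorial metadata module is reachable as EditFlow()->editorial_metadata with a get_editorial_metadata_term_by() method; the function names prefixed ef_example_ and the use of the string 'taxonomy' as the metadata_type selector are assumptions for this example.

```php
<?php
/**
 * Added example (not Edit Flow's own code) of validating metadata_term
 * before it reaches a post meta key or wp_set_post_terms, as described in
 * the PR for EF_Calendar::handle_ajax_update_metadata.
 *
 * Assumes a WordPress runtime and the Edit Flow editorial metadata module
 * (EditFlow()->editorial_metadata->get_editorial_metadata_term_by()).
 */

/**
 * Resolve the request's metadata_term into a value that is safe to use.
 *
 * Returns the validated slug or taxonomy name, or a WP_Error naming one of
 * the three rejection paths: empty term, unknown editorial metadata slug,
 * taxonomy not registered on the post's post type.
 */
function ef_example_validate_metadata_term( WP_Post $post, string $metadata_type, $raw_term ) {
	// Sanitise up front: only lowercase alphanumerics, dashes and underscores survive.
	$term = sanitize_key( (string) $raw_term );

	if ( '' === $term ) {
		return new WP_Error( 'ef_empty_term', 'metadata_term is required.' );
	}

	if ( 'taxonomy' === $metadata_type ) { // 'taxonomy' selector is assumed for this example
		// Allowlist: the taxonomy must be registered on this post's post type.
		$allowed = get_object_taxonomies( $post->post_type, 'names' );
		if ( ! in_array( $term, $allowed, true ) ) {
			return new WP_Error( 'ef_unknown_taxonomy', 'Taxonomy is not registered on this post type.' );
		}
		return $term;
	}

	// Editorial metadata: the slug must belong to an existing editorial metadata term.
	$editorial_metadata = EditFlow()->editorial_metadata; // assumed module accessor
	$found = $editorial_metadata->get_editorial_metadata_term_by( 'slug', $term );
	if ( ! $found || is_wp_error( $found ) ) {
		return new WP_Error( 'ef_unknown_metadata', 'Unknown editorial metadata term.' );
	}
	return $found->slug;
}

/**
 * Apply the update using only the validated term. Before the fix the raw
 * request value was used directly in the meta key and as the taxonomy
 * argument; here every write below runs only on an allowlisted value.
 */
function ef_example_apply_metadata_update( WP_Post $post, string $metadata_type, $raw_term, $value ) {
	if ( ! current_user_can( 'edit_post', $post->ID ) ) {
		return new WP_Error( 'ef_forbidden', 'Insufficient capability.' );
	}

	$term = ef_example_validate_metadata_term( $post, $metadata_type, $raw_term );
	if ( is_wp_error( $term ) ) {
		return $term;
	}

	if ( 'taxonomy' === $metadata_type ) {
		// $value may be an array of term IDs or names; wp_set_post_terms accepts both,
		// which is why the PR keeps that one value unsanitised.
		return wp_set_post_terms( $post->ID, $value, $term, false );
	}

	// Meta key layout from the PR description: _ef_editorial_meta_{type}_{term}.
	$meta_key = sprintf( '_ef_editorial_meta_%s_%s', $metadata_type, $term );
	return update_post_meta( $post->ID, $meta_key, sanitize_text_field( (string) $value ) );
}
```

The design point is that the capability check alone does not bound what the handler writes; the allowlist against registered taxonomies and existing editorial metadata slugs is what turns an arbitrary meta-key or taxonomy write into one of a known, finite set of fields. The three WP_Error codes map onto the rejection paths the PR's integration test covers.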
GaryJones requested a review from a team as a code owner April 23, 2026 23:39
GaryJones self-assigned this Apr 23, 2026
GaryJones added this to the Next milestone Apr 23, 2026
GaryJones merged commit c10d1bf into develop Apr 23, 2026
10 checks passed
GaryJones deleted the GaryJones/validate-calendar-metadata-term branch April 23, 2026 23:54
GaryJones mentioned this pull request Apr 24, 2026

1 participant