move the rest of the data sanitization to the sanitization class, and…

… fix wysiwyg display issues
commit d580dbafadd3ddd6e4c54d012527e005a67abe12 1 parent daee06a
@jtsternberg jtsternberg authored
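--- a/helpers/cmb_Meta_Box_Sanitize.php
+++ b/helpers/cmb_Meta_Box_Sanitize.php
@@ -46,18 +46,19 @@ public static function checkbox( $text ) {
 /**
 * Validate url in a meta value
 * @since 1.0.1
- * @param string $meta Meta value
+ * @param string $meta Meta value
+ * @param array $field Field config array
 * @return string Empty string or escaped url
 */
- public static function text_url( $meta ) {
+ public static function text_url( $meta, $field ) {
- $protocols = isset( cmb_Meta_Box::$field['protocols'] ) ? (array) cmb_Meta_Box::$field['protocols'] : null;
+ $protocols = isset( $field['protocols'] ) ? (array) $field['protocols'] : null;
 if ( is_array( $meta ) ) {
 foreach ( $meta as $key => $value ) {
- $meta[ $key ] = $value ? esc_url_raw( $value, $protocols ) : cmb_Meta_Box::$field['default'];
+ $meta[ $key ] = $value ? esc_url_raw( $value, $protocols ) : $field['default'];
 }
 } else {
- $meta = $meta ? esc_url_raw( $meta, $protocols ) : cmb_Meta_Box::$field['default'];
+ $meta = $meta ? esc_url_raw( $meta, $protocols ) : $field['default'];
 }
 return $meta;
@@ -76,8 +77,8 @@ public static function oembed( $meta ) {
 /**
 * Validate email in a meta value
 * @since 1.0.1
- * @param string $meta Meta value
- * @return string Empty string or validated email
+ * @param string $meta Meta value
+ * @return string Empty string or validated email
 */
 public static function text_email( $meta ) {
@@ -97,8 +98,8 @@ public static function text_email( $meta ) {
 /**
 * Validate money in a meta value
 * @since 1.0.1
- * @param string $meta Meta value
- * @return string Empty string or validated money value
+ * @param string $meta Meta value
+ * @return string Empty string or validated money value
 */
 public static function text_money( $meta ) {
 if ( is_array( $meta ) ) {
@@ -113,10 +114,20 @@ public static function text_money( $meta ) {
 }
 /**
+ * Converts text date to timestamp
+ * @since 1.0.2
+ * @param string $meta Meta value
+ * @return string Timestring
+ */
+ public static function text_date_timestamp( $meta ) {
+ return strtotime( $meta );;
+ }
+
+ /**
 * Datetime to timestamp
 * @since 1.0.1
- * @param string $meta Meta value
- * @return string Timestring
+ * @param string $meta Meta value
+ * @return string Timestring
 */
 public static function text_datetime_timestamp( $meta ) {
@@ -135,8 +146,8 @@ public static function text_datetime_timestamp( $meta ) {
 /**
 * Datetime to imestamp with timezone
 * @since 1.0.1
- * @param string $meta Meta value
- * @return string Timestring
+ * @param string $meta Meta value
+ * @return string Timestring
 */
 public static function text_datetime_timestamp_timezone( $meta ) {
@@ -166,21 +177,78 @@ public static function text_datetime_timestamp_timezone( $meta ) {
 /**
 * Sanitize textareas and wysiwyg fields
 * @since 1.0.1
- * @param string $meta Meta value
- * @return string Sanitized data
+ * @param string $meta Meta value
+ * @return string Sanitized data
 */
 public static function textarea( $meta ) {
 return wp_kses_post( $meta );
 }
 /**
- * Default fallback if field's 'sanitization_cb' is NOT defined, or field type does not have a corresponding validation method
+ * Sanitize code textareas
+ * @since 1.0.2
+ * @param string $meta Meta value
+ * @return string Sanitized data
+ */
+ public static function textarea_code( $meta ) {
+ return htmlspecialchars_decode( stripslashes( $meta ) );
+ }
+
+ /**
+ * Sanitize code textareas
+ * @since 1.0.2
+ * @param string $meta Meta value
+ * @param array $field Field config array
+ * @return string Sanitized data
+ */
+ public static function file( $meta, $field ) {
+ $_id_name = $field['id'] .'_id';
+ // get _id old value
+ $_id_old = cmb_Meta_Box::get_data( $_id_name );
+
+ // If specified NOT to save the file ID
+ if ( isset( $field['save_id'] ) && ! $field['save_id'] ) {
+ $_new_id = '';
+ } else {
+ // otherwise get the file ID
+ $_new_id = isset( $_POST[ $_id_name ] ) ? $_POST[ $_id_name ] : null;
+
+ // If there is no ID saved yet, try to get it from the url
+ if ( isset( $_POST[ $field['id'] ] ) && $_POST[ $field['id'] ] && ! $_new_id ) {
+ $_new_id = cmb_Meta_Box::image_id_from_url( esc_url_raw( $_POST[ $field['id'] ] ) );
+ }
+
+ }
+
+ if ( $_new_id && $_new_id != $_id_old ) {
+ $updated[] = $_id_name;
+ cmb_Meta_Box::update_data( $_new_id, $_id_name );
+ } elseif ( '' == $_new_id && $_id_old ) {
+ $updated[] = $_id_name;
+ cmb_Meta_Box::remove_data( $_id_name, $old );
+ }
+
+ return self::default_sanitization( $meta );
+ }
+
+ /**
+ * Catchall method if field's 'sanitization_cb' is NOT defined, or field type does not have a corresponding validation method
 * @since 1.0.0
 * @param string $name Non-existent method name
 * @param array $arguments All arguments passed to the method
 */
 public function __call( $name, $arguments ) {
 list( $meta_value, $field ) = $arguments;
+ return self::default_sanitization( $meta_value, $field );
+ }
+
+ /**
+ * Default fallback sanitization method. Applies filters.
+ * @since 1.0.2
+ * @param mixed $meta_value Meta value
+ * @param array $field Field config array
+ */
+ public static function default_sanitization( $meta_value, $field ) {
 $object_type = cmb_Meta_Box::get_object_type();
 $object_id = cmb_Meta_Box::get_object_id();
@@ -195,11 +263,14 @@ public function __call( $name, $arguments ) {
 // we'll fallback to 'sanitize_text_field', or 'wp_kses_post`
 switch ( $field['type'] ) {
 case 'wysiwyg':
+ // $cb = 'wp_kses';
+ // break;
 case 'textarea_small':
 $cb = array( 'cmb_Meta_Box_Sanitize', 'textarea' );
-
+ break;
 default:
 $cb = 'sanitize_text_field';
+ break;
 }
 // Handle repeatable fields array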
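Review bot: `file()` ends with `return self::default_sanitization( $meta );`, but `default_sanitization( $meta_value, $field )` declares `$field` as required and reads `$field['type']`, so the call raises a missing-argument warning on PHP 5 and an `ArgumentCountError` on 7.1+ — it should be `return self::default_sanitization( $meta, $field );`. A few lines earlier, `cmb_Meta_Box::remove_data( $_id_name, $old )` references `$old`, which was a local of `save_fields` and is undefined in this method where `$_id_old` is evidently meant, and the value passed to `update_data` comes straight from `$_POST[ $_id_name ]` without sanitization although `image_id_from_url` suggests it is an attachment ID; `cmb_Meta_Box::update_data( absint( $_new_id ), $_id_name );` and `cmb_Meta_Box::remove_data( $_id_name, $_id_old );` would close both. `$updated[] = $_id_name` now appends to a local that is discarded on return, and the method's docblock is a copy of the `textarea_code` one (`Sanitize code textareas`) rather than a description of the file field. Separately, `textarea_code` persists `htmlspecialchars_decode( stripslashes( $meta ) )` with no capability check, so any user who can save the object can store raw markup regardless of `unfiltered_html`; `current_user_can( 'unfiltered_html' ) ? htmlspecialchars_decode( stripslashes( $meta ) ) : wp_kses_post( stripslashes( $meta ) )` would match core's behaviour. Whether the caller verifies a nonce and capability before reaching this class is not visible here.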
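--- a/helpers/cmb_Meta_Box_types.php
+++ b/helpers/cmb_Meta_Box_types.php
@@ -245,7 +245,7 @@ public static function esc( $meta_value, $func = '' ) {
 // Check if the field has a registered escaping callback
 $cb = cmb_Meta_Box::maybe_callback( $field, 'escape_cb' );
 if ( false === $cb ) {
- // If requestion NO escaping, return meta value
+ // If requesting NO escaping, return meta value
 return $meta_value;
 } elseif ( $cb ) {
 // Ok, callback is good, let's run it.
@@ -452,7 +452,7 @@ public static function title( $field, $meta, $object_id, $object_type ) {
 }
 public static function wysiwyg( $field, $meta ) {
- wp_editor( self::esc( $meta, 'esc_textarea' ), $field['id'], isset( $field['options'] ) ? $field['options'] : array() );
+ wp_editor( html_entity_decode( self::esc( $meta, 'esc_html' ) ), $field['id'], isset( $field['options'] ) ? $field['options'] : array() );
 echo self::desc( true );
 }
@@ -513,7 +513,7 @@ public static function taxonomy_multicheck_inline( $field, $meta ) {
 public static function file_list( $field, $meta, $object_id ) {
- // echo '<input class="cmb_upload_file cmb_upload_list" type="hidden" size="45" id="', $field['id'], '" name="', $field['id'], '" value="', self::esc( $meta, 'esc_url' ), '" />';
+ echo '<input class="cmb_upload_file cmb_upload_list" type="hidden" size="45" id="', $field['id'], '" name="', $field['id'], '" value="" />';
 echo '<input class="cmb_upload_button button cmb_upload_list" type="button" value="'. __( 'Add or Upload File', 'cmb' ) .'" />', self::desc( true );
 echo '<ul id="', $field['id'], '_status" class="cmb_media_status attach_list">';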
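Review bot: In `wysiwyg()`, `html_entity_decode( self::esc( $meta, 'esc_html' ) )` immediately undoes the escaping it applied, so the stored value reaches `wp_editor` unescaped and, in addition, any entity the stored string contained literally is decoded — a saved `&lt;script&gt;` arrives in the editor as `<script>`. This commit's `default_sanitization` sends `wysiwyg` values through `wp_kses_post` on save (unless a custom `sanitization_cb` overrides it), so the decoded content is at least filtered, but the round-trip reads as escaping while doing none; if handing `wp_editor` raw content is the intent, a comment saying that `wp_editor` escapes the textarea itself would make that explicit. If the round-trip stays, note that `html_entity_decode` defaults to `ENT_COMPAT` before PHP 8.1 and leaves the `&#039;` that `esc_html` emits for a single quote encoded, so pass the flag: `html_entity_decode( self::esc( $meta, 'esc_html' ), ENT_QUOTES )`. When a field registers an `escape_cb`, `self::esc` runs that callback instead and the decode then rewrites its output, which is probably unintended.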
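--- a/init.php
+++ b/init.php
@@ -528,49 +528,8 @@ public static function save_fields( $meta_box, $object_id, $object_type = '' ) {
 $new = array_filter( $new );
 }
- switch ( $field['type'] ) {
- case 'textarea':
- case 'textarea_small':
- $new = esc_textarea( $new );
- break;
- case 'textarea_code':
- $new = htmlspecialchars_decode( stripslashes( $new ) );
- break;
- case 'text_date_timestamp':
- $new = strtotime( $new );
- break;
- case 'file':
- $_id_name = $field['id'] .'_id';
- // get _id old value
- $_id_old = self::get_data( $_id_name );
-
- // If specified NOT to save the file ID
- if ( isset( $field['save_id'] ) && ! $field['save_id'] ) {
- $_new_id = '';
- } else {
- // otherwise get the file ID
- $_new_id = isset( $_POST[ $_id_name ] ) ? $_POST[ $_id_name ] : null;
-
- // If there is no ID saved yet, try to get it from the url
- if ( isset( $_POST[ $field['id'] ] ) && $_POST[ $field['id'] ] && ! $_new_id ) {
- $_new_id = self::image_id_from_url( esc_url_raw( $_POST[ $field['id'] ] ) );
- }
-
- }
-
- if ( $_new_id && $_new_id != $_id_old ) {
- $updated[] = $_id_name;
- self::update_data( $_new_id, $_id_name );
- } elseif ( '' == $_new_id && $_id_old ) {
- $updated[] = $_id_name;
- self::remove_data( $_id_name, $old );
- }
- break;
- default:
- // Check if this metabox field has a registered validation callback
- $new = self::sanitization_cb( $new );
- break;
- }
+ // Check if this metabox field has a registered validation callback, or perform default sanitization
+ $new = self::sanitization_cb( $new );
 if ( $field['multiple'] ) {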
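Review bot: The removed `file` branch recorded `$_id_name` in this function's `$updated` array and read its `$old` local; the replacement `$new = self::sanitization_cb( $new );` returns only the sanitized value, so the bookkeeping the moved code now does inside `cmb_Meta_Box_Sanitize::file()` never reaches this scope. If `save_fields` uses `$updated` after this point (its body continues outside the hunk), the `_id` sub-field of file fields is no longer reported as changed; either have the sanitizer return that information alongside the value, or keep the `_id` bookkeeping here, for instance by comparing `self::get_data( $field['id'] . '_id' )` before and after the call. `sanitization_cb` is passed only `$new`, so the sanitizers that now take `$field` — `text_url`, `file`, `default_sanitization` — must be receiving it from class state inside `sanitization_cb`; that is worth confirming, since `text_url` previously read `cmb_Meta_Box::$field` directly.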