The latest version 5.1.0 of Meta Box has been just released today! This version implements a better update system that was introduced in Meta Box 5.0.0 and provides a mechanism for sanitizing user input to ensure it's safe before saving to the database. Let's see the changes in details below.
Update System
The previous version shows the update notification for all premium extensions on the website if you have any. There is no update notification at all if you don't have any premium extension. In this version, we improve this system to make it better and more comfortable for users.
First, developers can define a license key via a constant META_BOX_KEY
. You can put this line in the wp-config.php
on your client websites if you don't want them to have access to the license:
define( 'META_BOX_KEY', 'Your license key here' );
It's also useful if you manage a multi-site and you don't want to enter Meta Box license key for each sub-site.
In this version, the license notification is now dismissible. Users can just click the close button to hide the message (previously, they couldn't). It's useful when you use a theme on ThemeForest or a plugin that integrates Meta Box where you don't have a license key from MetaBox.io.
However, we still recommend users to buy a license from us to get automatic updates and premium supports. If you use a theme or a plugin that integrates Meta Box, then you depend on the author to update the extensions. Sometimes the process is slow and might be a security risk if the update is critical.
Besides, Meta Box also checks for updates for all extensions even if you don't enter a license key. In that case, you won't be able to update them although you still can see the changelog. That's useful when you want to see what's changed and decide to update or not. Of course, we always recommend updating the extensions to keep them compatible with Meta Box and other extensions.
Sanitization
Based on a user request (thank Rao and David), we have implemented a sanitization mechanism for all fields in this version. This ensures user input is safe to save to the database. So there won't be something like inserting scripts to the database that might cause XSS attack on your website.
The sanitization works as below:
- It's automatically applied for all built-in field types. For some fields, Meta Box also validates the submitted value to ensure it’s valid.
- The sanitization is applied for both single and cloneable fields. With cloneable fields, the sanitization is applied for each clone value.
- Developers can implement their sanitization via
sanitize_callback
parameter. - Or they can bypass the sanitization by setting
sanitize_callback
tonone
.
We tried hard to keep the backward compatibility. So your existing websites still work. But there might be some situations that you allowed users to enter arbitrary HTML (like Google Analytics tracking code in a textarea
field). And in that case, please update your code a little bit and set sanitize_callback
to none
. It will bypass the sanitization and everything will be okay.
Anyway, we recommend you to put a custom sanitize callback for those fields to make it safe. Or simplify the input, like instead of letting users enter Google Analytics code, let them enter only the Google Analytics property ID, which is a simple text.
For details and code example about the sanitization, please see the documentation.
Bug Fixes
This version also fixes some bugs in Meta Box:
- Fatal error with
RWMB_About::redirect()
, props @DevIntact. - Ensure change event fires when editors change. This fix is for MB Blocks extension where updating a
wysiwyg
field doesn't triggerchange
event. - Fix
rwmb_{$field_id}_choice_label
not working for cloneable fields. - Add a missing dependency (
underscore
) for date picker JavaScript to make the field work in the front end. - Fix un-indexed notice for
key_value
field. - Align uploaded videos for
video
field.
If you haven't update Meta Box, please update now. If you have any problem with this version, please let us know in the support forum or Github.