Ticket #43208: 43208.4.diff

src/wp-admin/options.php

@@ -220 +220 @@
                                 }
                                 $value = wp_unslash( $value );
                         }
-                        update_option( $option, $value );
+
+                        $validity = validate_option( $option, $value );
+
+                        if ( is_wp_error( $validity ) ) {
+                                foreach ( $validity->errors as $code => $messages ) {
+                                        foreach ( $messages as $message ) {
+                                                add_settings_error( $option, $code, $message );
+                                        }
+                                }
+                        } else {
+                                update_option( $option, $value );
+                        }
                 }
 
                 /*

src/wp-includes/class-wp-customize-manager.php

@@ -2300 +2300 @@
                                 $validity = $setting->validate( $unsanitized_value );
                         }
                         if ( ! is_wp_error( $validity ) ) {
+                                // Use the regular option validation if the Customize setting is an option.
+                                $validity = new WP_Error();
+
+                                if ( 'option' === $setting->type ) {
+                                        $option_validity = validate_option( $setting->id, $value );
+                                        if ( is_wp_error( $option_validity ) ) {
+                                                $validity = $option_validity;
+                                        }
+                                }
+
                                 /** This filter is documented in wp-includes/class-wp-customize-setting.php */
-                                $late_validity = apply_filters( "customize_validate_{$setting->id}", new WP_Error(), $unsanitized_value, $setting );
+                                $late_validity = apply_filters( "customize_validate_{$setting->id}", $validity, $unsanitized_value, $setting );
                                 if ( ! empty( $late_validity->errors ) ) {
                                         $validity = $late_validity;
                                 }

src/wp-includes/class-wp-customize-setting.php

@@ -580 +580 @@
 
                 $validity = new WP_Error();
 
+                // Use the regular option validation if the Customize setting is an option.
+                if ( 'option' === $this->type ) {
+                        $option_validity = validate_option( $this->id, $value );
+                        if ( is_wp_error( $option_validity ) ) {
+                                $validity = $option_validity;
+                        }
+                }
+
                 /**
                  * Validates a Customize setting value.
                  *

src/wp-includes/formatting.php

@@ -4313 +4313 @@
         return preg_replace( '|^(https?:)?//[^/]+(/?.*)|i', '$2', $link );
 }
 
+/**
+ * Validates an option value based on the nature of the option.
+ *
+ * The {@see 'validate_option_$option'} filter should be used to add errors
+ * to the `WP_Error` object passed-through.
+ *
+ * @since 5.0.0
+ *
+ * @param string $option The name of the option.
+ * @param string $value  The unsanitized value.
+ * @return true|WP_Error True if the input was validated, otherwise WP_Error.
+ */
+function validate_option( $option, $value ) {
+        $validity = new WP_Error();
+
+        /**
+         * Validates an option value.
+         *
+         * Plugins should amend the `$validity` object via its `WP_Error::add()` method.
+         *
+         * The dynamic portion of the hook name, `$option`, refers to the option name.
+         *
+         * @since 5.0.0
+         *
+         * @param WP_Error $validity Filtered from `true` to `WP_Error` when invalid.
+         * @param mixed    $value    The option value.
+         */
+        $validity = apply_filters( "validate_option_{$option}", $validity, $value );
+
+        if ( is_wp_error( $validity ) && empty( $validity->errors ) ) {
+                $validity = true;
+        }
+
+        return $validity;
+}
+
 /**
  * Sanitises various option values based on the nature of the option.
  *

src/wp-includes/option.php

@@ -2032 +2032 @@
  *
  * @since 2.7.0
  * @since 4.7.0 `$args` can be passed to set flags on the setting, similar to `register_meta()`.
+ * @since 5.0.0 Introduced the `$validate_callback` argument.
  *
  * @global array $new_whitelist_options
  * @global array $wp_registered_settings
@@ -2045 +2046 @@
  *     @type string   $type              The type of data associated with this setting.
  *                                       Valid values are 'string', 'boolean', 'integer', and 'number'.
  *     @type string   $description       A description of the data attached to this setting.
+ *     @type callable $validate_callback A callback that checks validity of the option's value.
  *     @type callable $sanitize_callback A callback function that sanitizes the option's value.
  *     @type bool     $show_in_rest      Whether data associated with this setting should be included in the REST API.
  *     @type mixed    $default           Default value when calling `get_option()`.
@@ -2057 +2059 @@
                 'type'              => 'string',
                 'group'             => $option_group,
                 'description'       => '',
+                'validate_callback' => null,
                 'sanitize_callback' => null,
                 'show_in_rest'      => false,
         );
@@ -2110 +2113 @@
         }
 
         $new_whitelist_options[ $option_group ][] = $option_name;
+        if ( ! empty( $args['validate_callback'] ) ) {
+                add_filter( "validate_option_{$option_name}", $args['validate_callback'], 10, 3 );
+        }
         if ( ! empty( $args['sanitize_callback'] ) ) {
                 add_filter( "sanitize_option_{$option_name}", $args['sanitize_callback'] );
         }
@@ -2177 +2183 @@
         }
 
         if ( isset( $wp_registered_settings[ $option_name ] ) ) {
+                // Remove the validate callback if one was set during registration.
+                if ( ! empty( $wp_registered_settings[ $option_name ]['validate_callback'] ) ) {
+                        remove_filter( "validate_option_{$option_name}", $wp_registered_settings[ $option_name ]['validate_callback'], 10 );
+                }
+
                 // Remove the sanitize callback if one was set during registration.
                 if ( ! empty( $wp_registered_settings[ $option_name ]['sanitize_callback'] ) ) {
                         remove_filter( "sanitize_option_{$option_name}", $wp_registered_settings[ $option_name ]['sanitize_callback'] );

src/wp-includes/rest-api/endpoints/class-wp-rest-settings-controller.php

@@ -193 +193 @@
 
                                 delete_option( $args['option_name'] );
                         } else {
+                                $validity = validate_option( $args['option_name'], $request[ $name ] );
+                                if ( is_wp_error( $validity ) ) {
+                                        foreach ( $validity->errors as $code => $messages ) {
+                                                $validity->add_data( array( 'status' => 400 ), $code );
+                                        }
+
+                                        return $validity;
+                                }
+
                                 update_option( $args['option_name'], $request[ $name ] );
                         }
                 }