Make WordPress Core


Timestamp:
10/24/2017 09:04:50 PM (7 years ago)
Author:
joehoyle
Message:

REST API: Don’t remove unregistered properties from objects in schema.

In r41727 the ability to sanitise and validate objects from JSON schema was added, with a whitelist approach. It was decided we should pass through all non-registered properties to reflect the behaviour of the root object in register_rest_route. To prevent arbitrary extra data via setting objects, we force additionalProperties to false in the settings endpoint.

See #38583.

File:
1 edited

  • trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-controller.php

    r41758 r42000  
    546546            }
    547547
    548             foreach ( array( 'type', 'format', 'enum', 'items', 'properties' ) as $schema_prop ) {
     548            foreach ( array( 'type', 'format', 'enum', 'items', 'properties', 'additionalProperties' ) as $schema_prop ) {
    549549                if ( isset( $params[ $schema_prop ] ) ) {
    550550                    $endpoint_args[ $field_id ][ $schema_prop ] = $params[ $schema_prop ];
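
Review bot: the forcing of `additionalProperties` to false in the settings endpoint, which the commit message relies on to block arbitrary extra data, is not visible in this change. The only edited file is class-wp-rest-controller.php, and the changed line at 548 only copies a schema's `additionalProperties` into `$endpoint_args` when `isset( $params[ $schema_prop ] )` is true. Please point to where the settings endpoint sets the value and add a test that an object setting with an unregistered key is rejected. Because the message says unregistered properties are now passed through by default, it would also help to document next to this loop that object schemas needing strict validation must declare `'additionalProperties' => false` themselves.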