Changeset 43740

Timestamp:

10/17/2018 08:09:33 PM (6 years ago)

Author:

kadamwhite

Message:

REST API: Slash existing meta values when comparing with incoming meta upates.

When comparing the old and new values for a meta key being set, ensure both values are sanitized using the same logic so that equal values match.

props boonebgorges, dcavins, MattGeri, pilou69, TimothyBlynJacobs.
Fixes #42069.

Location:

branches/5.0

Files:

• src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php (modified) (1 diff)
• tests/phpunit/tests/rest-api/rest-post-meta-fields.php (modified) (3 diffs)

branches/5.0/src/wp-includes/rest-api/fields/class-wp-rest-meta-fields.php

@@ -296 +296 @@
         }
 
-        $meta_key   = wp_slash( $meta_key );
-        $meta_value = wp_slash( $value );
-
         // Do the exact same check for a duplicate value as in update_metadata() to avoid update_metadata() returning false.
         $old_value = get_metadata( $meta_type, $object_id, $meta_key );
+        $subtype   = get_object_subtype( $meta_type, $object_id );
 
         if ( 1 === count( $old_value ) ) {
-            if ( $old_value[0] === $meta_value ) {
+            if ( (string) sanitize_meta( $meta_key, $value, $meta_type, $subtype ) === $old_value[0] ) {
                 return true;
             }
         }
 
-        if ( ! update_metadata( $meta_type, $object_id, $meta_key, $meta_value ) ) {
+        if ( ! update_metadata( $meta_type, $object_id, wp_slash( $meta_key ), wp_slash( $value ) ) ) {
             return new WP_Error(
                 'rest_meta_database_error',

branches/5.0/tests/phpunit/tests/rest-api/rest-post-meta-fields.php

@@ -21 +21 @@
         ) );
 
-        self::$wp_meta_keys_saved = $GLOBALS['wp_meta_keys'];
+        self::$wp_meta_keys_saved = isset( $GLOBALS['wp_meta_keys'] ) ? $GLOBALS['wp_meta_keys'] : array();
         self::$post_id = $factory->post->create();
         self::$cpt_post_id        = $factory->post->create( array( 'post_type' => 'cpt' ) );
@@ -130 +130 @@
             'auth_callback'  => '__return_false',
         ) );
+
+        register_meta(
+            'post',
+            'test_boolean_update',
+            array(
+                'single'            => true,
+                'type'              => 'boolean',
+                'sanitize_callback' => 'absint',
+                'show_in_rest'      => true,
+            )
+        );
+
+        register_meta(
+            'post',
+            'test_textured_text_update',
+            array(
+                'single'            => true,
+                'type'              => 'string',
+                'sanitize_callback' => 'sanitize_text_field',
+                'show_in_rest'      => true,
+            )
+        );
+
+        register_meta(
+            'post',
+            'test_json_encoded',
+            array(
+                'single'       => true,
+                'type'         => 'string',
+                'show_in_rest' => true,
+            )
+        );
+
+        register_meta(
+            'post',
+            'test\'slashed\'key',
+            array(
+                'single'       => true,
+                'type'         => 'string',
+                'show_in_rest' => true,
+            )
+        );
 
         /** @var WP_REST_Server $wp_rest_server */
@@ -1163 +1205 @@
 
     /**
+     * @ticket 42069
+     * @dataProvider data_update_value_return_success_with_same_value
+     */
+    public function test_update_value_return_success_with_same_value( $meta_key, $meta_value ) {
+        add_post_meta( self::$post_id, $meta_key, $meta_value );
+
+        $this->grant_write_permission();
+
+        $data = array(
+            'meta' => array(
+                $meta_key => $meta_value,
+            ),
+        );
+
+        $request = new WP_REST_Request( 'POST', sprintf( '/wp/v2/posts/%d', self::$post_id ) );
+        $request->set_body_params( $data );
+
+        $response = rest_get_server()->dispatch( $request );
+
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    public function data_update_value_return_success_with_same_value() {
+        return array(
+            array( 'test_boolean_update', false ),
+            array( 'test_boolean_update', true ),
+            array( 'test_textured_text_update', 'She said, "What about the > 10,000 penguins in the kitchen?"' ),
+            array( 'test_textured_text_update', "He's about to do something rash..." ),
+            array( 'test_json_encoded', json_encode( array( 'foo' => 'bar' ) ) ),
+            array( 'test\'slashed\'key', 'Hello' ),
+        );
+    }
+
+    /**
+     * @ticket 42069
+     */
+    public function test_slashed_meta_key() {
+
+        add_post_meta( self::$post_id, 'test\'slashed\'key', 'Hello' );
+
+        $request = new WP_REST_Request( 'GET', sprintf( '/wp/v2/posts/%d', self::$post_id ) );
+
+        $response = rest_get_server()->dispatch( $request );
+        $data     = $response->get_data();
+
+        $this->assertArrayHasKey( 'test\'slashed\'key', $data['meta'] );
+        $this->assertEquals( 'Hello', $data['meta']['test\'slashed\'key'] );
+    }
+
+    /**
      * Internal function used to disable an insert query which
      * will trigger a wpdb error for testing purposes.