Changeset 48437

Timestamp:

07/11/2020 08:32:19 PM (5 years ago)

Author:

TimothyBlynJacobs

Message:

REST API: Sanitize block renderer attributes.

In [48069] the Block Renderer was changed to register a single route for all dynamic blocks. Validation was dynamically applied based on the requested block, but sanitization was not. This commit adds the same sanitization back to the block attributes.

Props manooweb.
Fixes #50620. See #48079.

Location:

trunk

Files:

• package-lock.json (modified) (3 diffs)
• src/wp-includes/rest-api/endpoints/class-wp-rest-block-renderer-controller.php (modified) (1 diff)
• tests/phpunit/tests/rest-api/rest-block-renderer-controller.php (modified) (5 diffs)

trunk/package-lock.json

@@ -5940 +5940 @@
                 "kind-of": {
                     "version": "6.0.2",
-                    "resolved": "",
+                    "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz",
+                    "integrity": "sha512-s5kLOcnH0XqDO+FvuaLX8DDjZ18CGFk7VygH40QoKPUQhW4e2rvM0rwUq0t8IQDOwYSeLK01U90OjzBTme2QqA==",
                     "dev": true
                 }
@@ -10567 +10568 @@
                 "kind-of": {
                     "version": "6.0.2",
-                    "resolved": "",
+                    "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz",
+                    "integrity": "sha512-s5kLOcnH0XqDO+FvuaLX8DDjZ18CGFk7VygH40QoKPUQhW4e2rvM0rwUq0t8IQDOwYSeLK01U90OjzBTme2QqA==",
                     "dev": true
                 }
@@ -23585 +23587 @@
                 "kind-of": {
                     "version": "6.0.2",
-                    "resolved": "",
+                    "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz",
+                    "integrity": "sha512-s5kLOcnH0XqDO+FvuaLX8DDjZ18CGFk7VygH40QoKPUQhW4e2rvM0rwUq0t8IQDOwYSeLK01U90OjzBTme2QqA==",
                     "dev": true
                 }

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-block-renderer-controller.php

@@ -71 +71 @@
                                 return rest_validate_value_from_schema( $value, $schema );
                             },
+                            'sanitize_callback' => static function ( $value, $request ) {
+                                $block = WP_Block_Type_Registry::get_instance()->get_registered( $request['name'] );
+
+                                if ( ! $block ) {
+                                    // This will get rejected in ::get_item().
+                                    return true;
+                                }
+
+                                $schema = array(
+                                    'type'                 => 'object',
+                                    'properties'           => $block->get_attributes(),
+                                    'additionalProperties' => false,
+                                );
+
+                                return rest_sanitize_value_from_schema( $value, $schema );
+                            },
                         ),
                         'post_id'    => array(

trunk/tests/phpunit/tests/rest-api/rest-block-renderer-controller.php

@@ -57 +57 @@
 
     /**
+     * Dynamic block with boolean attributes block name.
+     *
+     * @since 5.5.0
+     *
+     * @var string
+     */
+    protected static $dynamic_block_with_boolean_attributes_block_name = 'core/dynamic-block-with-boolean-attributes';
+
+    /**
      * Test API user's ID.
      *
@@ -128 +137 @@
         $this->register_post_context_test_block();
         $this->register_non_dynamic_block();
+        $this->register_dynamic_block_with_boolean_attributes();
         parent::setUp();
     }
@@ -140 +150 @@
         WP_Block_Type_Registry::get_instance()->unregister( self::$context_block_name );
         WP_Block_Type_Registry::get_instance()->unregister( self::$non_dynamic_block_name );
+        WP_Block_Type_Registry::get_instance()->unregister( self::$dynamic_block_with_boolean_attributes_block_name );
         parent::tearDown();
     }
@@ -197 +208 @@
 
     /**
+     * Registers the dynamic with boolean attributes block name.
+     *
+     * @since 5.5.0
+     */
+    protected function register_dynamic_block_with_boolean_attributes() {
+        register_block_type(
+            self::$dynamic_block_with_boolean_attributes_block_name,
+            array(
+                'attributes'      => array(
+                    'boolean_true_attribute'  => array(
+                        'type'    => 'boolean',
+                        'default' => true,
+                    ),
+                    'boolean_false_attribute' => array(
+                        'type'    => 'boolean',
+                        'default' => false,
+                    ),
+                ),
+                'render_callback' => array( $this, 'render_test_block' ),
+            )
+        );
+    }
+
+    /**
      * Test render callback.
      *
@@ -524 +559 @@
 
     /**
+     * @ticket 50620
+     */
+    public function test_get_sanitized_attributes_for_dynamic_block_with_boolean_attributes() {
+        wp_set_current_user( self::$user_id );
+
+        $request = new WP_REST_Request( 'GET', self::$rest_api_route . self::$dynamic_block_with_boolean_attributes_block_name );
+
+        $attributes = array(
+            'boolean_true_attribute'  => 'true',
+            'boolean_false_attribute' => 'false',
+        );
+
+        $expected = array(
+            'boolean_true_attribute'  => true,
+            'boolean_false_attribute' => false,
+        );
+
+        $request->set_param( 'context', 'edit' );
+        $request->set_param( 'attributes', $attributes );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+        $data = $response->get_data();
+
+        $this->assertSame( $expected, json_decode( $data['rendered'], true ) );
+    }
+
+    /**
      * Get item schema.
      *