

Timestamp:
07/11/2020 08:32:19 PM (5 years ago)
Author:
TimothyBlynJacobs
Message:

REST API: Sanitize block renderer attributes.

In [48069] the Block Renderer was changed to register a single route for all dynamic blocks. Validation was dynamically applied based on the requested block, but sanitization was not. This commit adds the same sanitization back to the block attributes.

Props manooweb.
Fixes #50620. See #48079.

File:
1 edited

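--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-block-renderer-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-block-renderer-controller.php
@@ -71,4 +71,20 @@
                                 return rest_validate_value_from_schema( $value, $schema );
                             },
+                            'sanitize_callback' => static function ( $value, $request ) {
+                                $block = WP_Block_Type_Registry::get_instance()->get_registered( $request['name'] );
+
+                                if ( ! $block ) {
+                                    // This will get rejected in ::get_item().
+                                    return true;
+                                }
+
+                                $schema = array(
+                                    'type'                 => 'object',
+                                    'properties'           => $block->get_attributes(),
+                                    'additionalProperties' => false,
+                                );
+
+                                return rest_sanitize_value_from_schema( $value, $schema );
+                            },
                         ),
                         'post_id'    => array(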
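Review bot: The unregistered-block branch at new lines 76-79 returns `true` from a sanitize callback, and the REST request keeps a sanitize callback's return value as the parameter, so `attributes` becomes a boolean instead of being rejected at this point. The inline comment relies on ::get_item() refusing the request, but that method is outside this hunk, so the path is only safe if nothing reads `attributes` before that check runs. Returning a value that matches the declared object type would fail closed without the type surprise, for example `return array(); // Unregistered block: discard unsanitized attributes; ::get_item() rejects the request.` The argument array that holds this closure starts and ends outside the hunk.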