Changeset 61765

Timestamp:

02/27/2026 10:58:26 PM (2 months ago)

Author:

westonruter

Message:

REST API: Prevent fatal error when non-string value is passed in endpoints for font faces and font families.

The value is expected to be a serialized JSON string, which the validation callback validates.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/10966

Follow-up to r57548.

Props deepaklalwani, westonruter.
See #59166.
Fixes #64666.

Location:

trunk

Files:

• src/wp-includes/rest-api/endpoints/class-wp-rest-font-faces-controller.php (modified) (1 diff)
• src/wp-includes/rest-api/endpoints/class-wp-rest-font-families-controller.php (modified) (1 diff)
• tests/phpunit/tests/fonts/font-library/wpRestFontFacesController.php (modified) (1 diff)
• tests/phpunit/tests/fonts/font-library/wpRestFontFamiliesController.php (modified) (2 diffs)

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-font-faces-controller.php

@@ -162 +162 @@
      */
     public function validate_create_font_face_settings( $value, $request ) {
+        // Enforce JSON Schema validity for field before applying custom validation logic.
+        $args     = $this->get_create_params();
+        $validity = rest_validate_value_from_schema( $value, $args['font_face_settings'], 'font_face_settings' );
+
+        if ( is_wp_error( $validity ) ) {
+            return $validity;
+        }
+
         $settings = json_decode( $value, true );
 

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-font-families-controller.php

@@ -88 +88 @@
      */
     public function validate_font_family_settings( $value, $request ) {
+        // Enforce JSON Schema validity for field before applying custom validation logic.
+        $args     = $this->get_endpoint_args_for_item_schema( $request->get_method() );
+        $validity = rest_validate_value_from_schema( $value, $args['font_family_settings'], 'font_family_settings' );
+
+        if ( is_wp_error( $validity ) ) {
+            return $validity;
+        }
+
         $settings = json_decode( $value, true );
 

trunk/tests/phpunit/tests/fonts/font-library/wpRestFontFacesController.php

@@ -766 +766 @@
         $this->assertErrorResponse( 'rest_invalid_param', $response, 400, 'The response should return an error for "rest_invalid_param" with 400 status.' );
         $expected_message = 'font_face_settings parameter must be a valid JSON string.';
+        $message          = $response->as_error()->get_all_error_data()[0]['params']['font_face_settings'];
+        $this->assertSame( $expected_message, $message, 'The response error message should match.' );
+    }
+
+    /**
+     * @covers WP_REST_Font_Faces_Controller::validate_create_font_face_settings
+     */
+    public function test_create_item_non_string_settings() {
+        wp_set_current_user( self::$admin_id );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/font-families/' . self::$font_family_id . '/font-faces' );
+        $request->set_param( 'theme_json_version', WP_REST_Font_Faces_Controller::LATEST_THEME_JSON_VERSION_SUPPORTED );
+        $request->set_param( 'font_face_settings', self::$default_settings );
+
+        $response = rest_get_server()->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400, 'The response should return an error for "rest_invalid_param" with 400 status.' );
+        $expected_message = 'font_face_settings is not of type string.';
         $message          = $response->as_error()->get_all_error_data()[0]['params']['font_face_settings'];
         $this->assertSame( $expected_message, $message, 'The response error message should match.' );

trunk/tests/phpunit/tests/fonts/font-library/wpRestFontFamiliesController.php

@@ -630 +630 @@
 
     /**
+     * @covers WP_REST_Font_Family_Controller::validate_font_family_settings
+     */
+    public function test_create_item_non_string_settings() {
+        wp_set_current_user( self::$admin_id );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/font-families' );
+        $request->set_param( 'theme_json_version', WP_REST_Font_Families_Controller::LATEST_THEME_JSON_VERSION_SUPPORTED );
+        $request->set_param( 'font_family_settings', self::$default_settings );
+
+        $response = rest_get_server()->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400, 'The response should return an error for "rest_invalid_param" with 400 status.' );
+        $expected_message = 'font_family_settings is not of type string.';
+        $message          = $response->as_error()->get_all_error_data()[0]['params']['font_family_settings'];
+        $this->assertSame( $expected_message, $message, 'The response error message should match.' );
+    }
+
+    /**
      * @covers WP_REST_Font_Family_Controller::create_item
      */
@@ -831 +848 @@
 
     /**
+     * @covers WP_REST_Font_Family_Controller::validate_font_family_settings
+     */
+    public function test_update_item_non_string_settings() {
+        wp_set_current_user( self::$admin_id );
+        $request = new WP_REST_Request( 'POST', '/wp/v2/font-families/' . self::$font_family_id1 );
+        $request->set_param( 'font_family_settings', self::$default_settings );
+
+        $response = rest_get_server()->dispatch( $request );
+
+        $this->assertErrorResponse( 'rest_invalid_param', $response, 400, 'The response should return an error for "rest_invalid_param" with 400 status.' );
+        $expected_message = 'font_family_settings is not of type string.';
+        $message          = $response->as_error()->get_all_error_data()[0]['params']['font_family_settings'];
+        $this->assertSame( $expected_message, $message, 'The response error message should match.' );
+    }
+
+    /**
      * @covers WP_REST_Font_Families_Controller::update_item
      */