Make WordPress Core

Opened 10 years ago

Closed 9 years ago

#34725 closed defect (bug) (duplicate)

Require registered endpoints arguments to have a validate or sanitize callback

Reported by: danielbachhuber
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: REST API
Keywords: needs-patch
Focuses:
Cc:

Description (last modified by danielbachhuber)

From https://github.com/WP-API/WP-API/pull/1281#issuecomment-111337989:

We're going to tone this one down a bit. Instead of requiring all arguments to be registered, we're going to require all registered arguments to have either a validation callback or a sanitisation callback (or both!). This stops people from accidentally misspelling validate_callback/sanitize_callback, but won't stop them from accessing other unregistered arguments.

Currently, developers can register arguments without any default form of validation or sanitization.

Original issue on Github: https://github.com/WP-API/WP-API/issues/1223

Change History (7)

#1 @danielbachhuber
10 years ago

  • Summary changed from Require registered endppoints arguments to have a validate or sanitize callback to Require registered endpoints arguments to have a validate or sanitize callback

#2
10 years ago

This ticket was mentioned in Slack in #core by danielbachhuber.

#3 @danielbachhuber
10 years ago

From the Slack conversation, some of the options present to us:

  • Default to sanitize_text_field() when no validation or sanitization callback is specified, but this can't guarantee security.
  • Silently discard the argument if validation or sanitization hasn’t been specified.
  • Error any misspelled callbacks, but don't require one. register_setting() has these callbacks as optional.
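As an added illustration of the third option (not code from the ticket or from WordPress core), the hook below audits every registered route after plugins have registered theirs and reports arguments that have neither callback, plus any `*callback` key that is not one of the two real names and is therefore most likely a misspelling. The function name `example_audit_rest_args` and the late priority of 100 are assumptions; `rest_get_server()`, `WP_REST_Server::get_routes()` and `_doing_it_wrong()` are existing WordPress APIs.

```php
<?php
// Added example, not part of the ticket or of WordPress core.
// Assumes WordPress is loaded and routes are registered on rest_api_init.

/**
 * Walk every registered REST route and return a list of findings.
 *
 * @param WP_REST_Server $server The server whose routes are inspected.
 * @return string[] One human-readable finding per problematic argument.
 */
function example_audit_rest_args( $server ) {
    $findings   = array();
    $known_keys = array( 'validate_callback', 'sanitize_callback' );

    foreach ( $server->get_routes() as $route => $endpoints ) {
        foreach ( $endpoints as $endpoint ) {
            if ( empty( $endpoint['args'] ) || ! is_array( $endpoint['args'] ) ) {
                continue;
            }
            foreach ( $endpoint['args'] as $name => $arg ) {
                if ( ! is_array( $arg ) ) {
                    continue;
                }
                // A key containing "callback" that is not one of the two real
                // names is almost certainly a typo that silently disables checks.
                foreach ( array_keys( $arg ) as $key ) {
                    if ( false !== strpos( $key, 'callback' ) && ! in_array( $key, $known_keys, true ) ) {
                        $findings[] = sprintf( '%s arg "%s": unknown key "%s" (misspelled callback?)', $route, $name, $key );
                    }
                }
                // Neither callback present: the value reaches the handler untouched.
                if ( empty( $arg['validate_callback'] ) && empty( $arg['sanitize_callback'] ) ) {
                    $findings[] = sprintf( '%s arg "%s": no validate_callback or sanitize_callback', $route, $name );
                }
            }
        }
    }
    return $findings;
}

// Priority 100 (assumed) so this runs after routes registered at the default priority 10.
add_action( 'rest_api_init', function ( $server ) {
    foreach ( example_audit_rest_args( $server ) as $finding ) {
        // Surface the problem to developers without breaking the request.
        _doing_it_wrong( 'register_rest_route', esc_html( $finding ), '4.4.0' );
    }
}, 100 );
```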

#4 @danielbachhuber
10 years ago

  • Description modified (diff)

#5
10 years ago

This ticket was mentioned in Slack in #core by danielbachhuber.

#6 @danielbachhuber
10 years ago

  • Milestone changed from 4.4 to Future Release

Bumping this out of 4.4

Personally, I still think we should discard any arguments that haven’t been explicitly registered. But, it seems like the consensus is the opposite: let the arguments through, even if they haven't been registered, or don't have validation / sanitization callbacks.

Eventually, we could trigger an error if the validation or sanitization callback is invalid. But, that doesn't need to happen for 4.4.

#7 @rmccue
9 years ago

  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #35000.
