Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#35000 closed enhancement (maybelater)

Strict mode for REST API endpoints

Reported by: danielbachhuber's profile danielbachhuber Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: REST API Keywords:
Focuses: Cc:


Although register_rest_route() supports registering arguments, and validation / sanitization callbacks for those arguments, a WP_REST_Request object ends up with all request data, not limited to registered arguments appropriately validated and sanitized.

For endpoint developers concerned with invalid or unsanitized data leaking through, we should offer a REST API strict mode. If a route is registered with strict mode, arguments would be required to have a validation or sanitization callback, and only registered, validated, and sanitized arguments would be present on the WP_REST_Request object.


Change History (4)

#1 @rmccue
8 years ago

IMO, we might want to keep this in plugin territory to avoid complicating the core infrastructure further. I think it's mainly useful as a development tool.

This ticket was mentioned in Slack in #core-restapi by danielbachhuber. View the logs.

8 years ago

#3 @danielbachhuber
8 years ago

  • Keywords needs-patch removed
  • Milestone 4.5 deleted
  • Resolution set to maybelater
  • Status changed from new to closed

Feature plugin works for me.

#4 @rmccue
8 years ago

#34725 was marked as a duplicate.

Note: See TracTickets for help on using tickets.