#35000 closed enhancement (maybelater)
Strict mode for REST API endpoints
| Reported by: | danielbachhuber | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | REST API | Keywords: | |
| Focuses: | | Cc: | |
Description
Although `register_rest_route()` supports registering arguments, and validation / sanitization callbacks for those arguments, a `WP_REST_Request` object ends up with all request data, not limited to registered arguments appropriately validated and sanitized.

For endpoint developers concerned with invalid or unsanitized data leaking through, we should offer a REST API strict mode. If a route is registered with strict mode, arguments would be required to have a validation or sanitization callback, and only registered, validated, and sanitized arguments would be present on the `WP_REST_Request` object.
Change History (4)
IMO, we might want to keep this in plugin territory to avoid complicating the core infrastructure further. I think it's mainly useful as a development tool.
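
A plugin-side sketch of the strict mode described in this ticket, added here as an example and not code from the ticket or from WordPress core. The helper `myplugin_strict()`, the `myplugin/v1` namespace and the `/notes` route are hypothetical names; the wrapper relies on core having already run the registered validation and sanitization callbacks before the endpoint callback is invoked.

```php
<?php
// Added example (not core code). Hypothetical helper: wraps an endpoint callback
// so it only sees arguments registered with a validate or sanitize callback.
function myplugin_strict( callable $callback ) {
	return function ( WP_REST_Request $request ) use ( $callback ) {
		$attributes = $request->get_attributes();
		$registered = isset( $attributes['args'] ) ? $attributes['args'] : array();

		// Developer error: a registered argument without either callback.
		foreach ( $registered as $name => $schema ) {
			if ( empty( $schema['validate_callback'] ) && empty( $schema['sanitize_callback'] ) ) {
				return new WP_Error(
					'rest_strict_unchecked_arg',
					sprintf( 'Argument "%s" has no validation or sanitization callback.', $name ),
					array( 'status' => 500 )
				);
			}
		}

		// Copy only registered (already validated and sanitized) arguments onto a
		// fresh request. URL parameters from the route pattern must be registered too.
		$strict = new WP_REST_Request( $request->get_method(), $request->get_route(), $attributes );
		$strict->set_headers( $request->get_headers() );
		foreach ( array_intersect_key( $request->get_params(), $registered ) as $name => $value ) {
			$strict->set_param( $name, $value );
		}

		return call_user_func( $callback, $strict );
	};
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'myplugin/v1', '/notes', array(
		'methods'             => 'POST',
		'permission_callback' => function () { return current_user_can( 'edit_posts' ); },
		'args'                => array(
			'title' => array(
				'required'          => true,
				'validate_callback' => function ( $value ) { return is_string( $value ) && '' !== trim( $value ); },
				'sanitize_callback' => 'sanitize_text_field',
			),
		),
		'callback'            => myplugin_strict( function ( WP_REST_Request $request ) {
			// An unregistered "status=publish" sent by the client is absent here.
			return rest_ensure_response( $request->get_params() );
		} ),
	) );
} );
```

Because the callback receives a new request object, the raw body and file parameters of the original request are also unavailable to it, so an endpoint that needs them has to register and check them explicitly.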