Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#38529 closed defect (bug) (fixed)

REST API controllers should not use the default sanitizers for polymorphic arguments

Reported by: joehoyle Owned by: joehoyle
Milestone: 4.7 Priority: normal
Severity: normal Version:
Component: REST API Keywords: has-patch needs-refresh
Focuses: Cc:


See for more details, essentially we don't want to use the default jsonschema validation in the case of the polymorphic values such as "content", "title" and "excerpt". When we support validating objects, we don't want to use that option.

Attachments (2)

38529.diff (2.6 KB) - added by joehoyle 7 years ago.
38529.2.diff (2.5 KB) - added by joehoyle 7 years ago.


Change History (7)


#1 @rachelbaker
7 years ago

  • Keywords commit added
  • Owner set to rachelbaker
  • Status changed from new to assigned

#2 @rachelbaker
7 years ago

  • Keywords has-patch needs-refresh added; commit removed
  • Owner changed from rachelbaker to joehoyle

@joehoyle The comment here is a little confusing. "Note: sanitization implemented in callback." would lead me to expect there SHOULD be a callback function set here.
Instead, you are setting the sanitize_callback to null, and the sanitization/validation is handled within the controller's prepare_item_for_database() method.

#3 @rachelbaker
7 years ago

Would also be good to add unit tests to make sure we don't accidentally set the sanitize or validate callbacks.


#4 @joehoyle
7 years ago

@rachelbaker it's pretty tricky to get a test in here, as we'd have to just manually check against the internal schema. I think, given that it's explicitly set to null and documented, it's ok though. Updated refresh patch with better docs.

#5 @rmccue
7 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 39089:

REST API: Avoid default sanitization for polymorphic params.

Some parameters (title, content, etc) are objects in the output, but allow objects or strings to be sent in updates for a more ergonomic interface. This is pretty weird behaviour, so the default sanitisation doesn't handle this. We instead handle this ourselves in the preparation.

Props joehoyle, rachelbaker.
Fixes #38529.
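The pattern described in the ticket description and in the changeset message above, as an added stand-alone example (not code from WordPress core, from the attached patches, or from the commit): a polymorphic field whose item schema says "object" but whose endpoint args opt out of the default schema sanitizer/validator, with the accepted input shapes enforced explicitly in the controller's preparation step. The function names (polymorphic_field_schema, has_default_callbacks_disabled, prepare_for_database) and the sample request bodies are hypothetical stand-ins; the example runs with plain PHP and does not load WordPress.

```php
<?php
// Added example, not WordPress core code. Runs with plain PHP 7.4+.
// Function names are hypothetical stand-ins for the schema entry and the
// prepare_item_for_database() logic the ticket describes.

// 1. Item-schema entry for a polymorphic field. Responses are objects
//    ({raw, rendered}), but updates may send either a string or an object,
//    so the auto-generated endpoint args must not inherit the default
//    JSON-schema callbacks (which would treat a plain string as invalid).
function polymorphic_field_schema( string $description ): array {
    return array(
        'description' => $description,
        'type'        => 'object',
        'context'     => array( 'view', 'edit' ),
        'arg_options' => array(
            // Note: sanitization and validation are implemented in
            // prepare_for_database() below, not by a callback.
            'sanitize_callback' => null,
            'validate_callback' => null,
        ),
        'properties'  => array(
            'raw'      => array( 'type' => 'string', 'context' => array( 'edit' ) ),
            'rendered' => array( 'type' => 'string', 'context' => array( 'view', 'edit' ) ),
        ),
    );
}

// 2. The kind of check comment #3 asks for: confirm that neither default
//    callback has been reintroduced for a polymorphic field.
function has_default_callbacks_disabled( array $schema_property ): bool {
    $opts = $schema_property['arg_options'] ?? array();
    return array_key_exists( 'sanitize_callback', $opts ) && null === $opts['sanitize_callback']
        && array_key_exists( 'validate_callback', $opts ) && null === $opts['validate_callback'];
}

// 3. Because the defaults are disabled, the controller owns validation.
//    Accept exactly two shapes (a string, or an array with a string 'raw')
//    and reject everything else rather than coercing it.
function prepare_for_database( array $request ): array {
    $prepared = array();
    foreach ( array( 'title', 'content', 'excerpt' ) as $field ) {
        if ( ! array_key_exists( $field, $request ) ) {
            continue;
        }
        $value = $request[ $field ];
        if ( is_string( $value ) ) {
            $prepared[ $field ] = $value;
        } elseif ( is_array( $value ) && isset( $value['raw'] ) && is_string( $value['raw'] ) ) {
            $prepared[ $field ] = $value['raw'];
        } else {
            throw new InvalidArgumentException(
                sprintf( 'rest_invalid_param: "%s" must be a string or an object with a string "raw" property.', $field )
            );
        }
    }
    return $prepared;
}

// Constructed sample request bodies (already JSON-decoded), not real traffic.
$requests = array(
    'string form' => array( 'title' => 'Hello', 'content' => '<p>Body</p>' ),
    'object form' => array( 'title' => array( 'raw' => 'Hello', 'rendered' => 'ignored' ) ),
    'bad shape'   => array( 'excerpt' => array( 'rendered' => 'no raw key' ) ),
    'bad type'    => array( 'content' => 42 ),
);

var_dump( has_default_callbacks_disabled( polymorphic_field_schema( 'The title for the object.' ) ) );

foreach ( $requests as $label => $request ) {
    try {
        echo $label, ': ', json_encode( prepare_for_database( $request ) ), PHP_EOL;
    } catch ( InvalidArgumentException $e ) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The point of the explicit branch structure in prepare_for_database() is that once the generic sanitizer is switched off for a field, nothing else inspects that input before it reaches the database layer, so the preparation code has to be the place that enumerates the allowed shapes and fails closed on anything else.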
