REST API controllers should not use the default sanitizers for polymorphic arguments

[joehoyle]

See ​https://github.com/WP-API/WP-API/pull/2853 for more details, essentially we don't want to use the default jsonschema validation in the case of the polymorphic values such as "content", "title" and "excerpt". When we support validating objects, we don't want to use that option.

[rachelbaker]

@joehoyle The comment here is a little confusing. Note: sanitization implemented in callback. would lead me to expect there SHOULD be a callback function set here.
Instead, you are setting the sanitize_callback to null and instead the sanitization/validation is handled within the controllers prepare_item_for_database() method.

[rachelbaker]

Would also be good to add unit tests to make sure we don't accidentally set the sanitize or validate callbacks.

[joehoyle]

@rachelbaker it's pretty tricky to get a test in here, as we'd have to just manually check against the internal schema, I think given that it's explicitly set to null and documented I think it's ok though. Updated refresh patch with better docs.

[rmccue]

In 39089:

REST API: Avoid default sanitization for polymorphic params.

Some parameters (title, content, etc) are objects in the output, but allow objects or strings to be sent in updates for a more ergonomic interface. This is pretty weird behaviour, so the default sanitisation doesn't handle this. We instead handle this ourselves in the preparation.

Props joehoyle, rachelbaker.
Fixes #38529.