#38593 closed enhancement (fixed)
Make rest_parse_request_arg the default sanitize_callback for params
| Reported by: | joehoyle | Owned by: | joehoyle |
|---|---|---|---|
| Milestone: | 4.7 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | REST API | Keywords: | |
| Focuses: | | Cc: | |
Description
As our support for validating and sanitizing has got better, we are making use of it more and more throughout the codebase. Already `rest_parse_request_arg` (which does all the auto validation / sanitization) is used for the schema in `get_item_schema`. It makes sense to just make `rest_parse_request_arg` the default sanitizer for all params if a `type` is specified in the options.

This could be disabled with `sanitize_callback => false` etc.
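As an added illustration (not the ticket's patch and not WordPress core code), this is how the proposed default looks from an endpoint author's side: an arg with a `type` and no `sanitize_callback` is run through `rest_parse_request_arg`, an explicit callback still wins, and `sanitize_callback => false` opts out. The namespace, route and parameter names are made up, and the snippet assumes it runs as plugin code inside a WordPress install where this change has landed (4.7 or later).

```php
<?php
// Added illustration: register a route whose args rely on the default
// sanitizer proposed in this ticket. Namespace, route and arg names are
// hypothetical; runs as plugin code inside WordPress 4.7+.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/items', array(
        'methods'  => 'GET',
        'callback' => 'example_list_items',
        'args'     => array(
            // 'type' is set and no sanitize_callback is given, so
            // rest_parse_request_arg handles this param: it validates the
            // value against the schema (integer, 1..100) and coerces the
            // query-string "10" into int(10). "abc" or 500 fail validation
            // and the request is rejected with a 400 rest_invalid_param.
            'per_page' => array(
                'type'    => 'integer',
                'default' => 10,
                'minimum' => 1,
                'maximum' => 100,
            ),
            // An explicit callback takes precedence over the default.
            'slug' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_title',
            ),
            // Opting out: with sanitize_callback => false the handler gets
            // the raw request value and must treat it as untrusted input.
            'raw_filter' => array(
                'type'              => 'string',
                'sanitize_callback' => false,
            ),
        ),
    ) );
} );

function example_list_items( WP_REST_Request $request ) {
    $per_page = $request['per_page'];   // int, already range-checked
    $slug     = $request['slug'];       // output of sanitize_title()
    $raw      = $request['raw_filter']; // untouched; escape before output

    return rest_ensure_response( array(
        'per_page'   => $per_page,
        'slug'       => $slug,
        'raw_filter' => is_null( $raw ) ? null : esc_html( $raw ),
    ) );
}
```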
Attachments (1)
Change History (12)
This ticket was mentioned in Slack in #core-restapi by joehoyle. (8 years ago)
#3 @ (8 years ago)
I like this idea a lot, as it will probably help out a lot of people from inadvertently creating security issues for their own endpoint development, while still offering the flexibility to disable sanitizing entirely.
To nitpick some coding standards, inline comments must start with a capital letter and end with a full stop character, usually a period. :)
#5 @ (8 years ago)
Seems fine to me, so long as it's clearly documented that this is the case, and that `sanitize_callback` can be overridden.
This should potentially be pushed to 4.8 instead though, as it's really an enhancement and we're in beta.
@rmccue would like to get your thoughts on this.