REST API: Allow sanitization_callback to be set to null to bypass `rest_parse_request_arg()`

[rachelbaker]

In #38593 we use the default callback for a property type if it is set, but you cannot override this behavior.

As an example, if you have a property schema like:

'some_email'     => array(
    'description'  => __( 'Email address for ...' ),
    'type'          => 'string',
    'format'       => 'email',
    'arg_options'  => array(
        'sanitize_callback' => null, // SHOULD skip built-in saniziation of 'email' type.
        'validate_callback' => 'custom_callback',
    ),
),

The logic in WP_REST_Request->sanitize_params() that was added in [39091] does not account for null being the sanitization_callback which then results in rest_parse_request_arg() being set to the callback, which runs both default sanitization and validation functions.

See: https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/class-wp-rest-request.php?annotate=blame#L823

[rachelbaker]

One way we can check if sanitization_callback is null would be to add a check for array_key_exists( 'sanitize_callback', $attributes['args'][ $key ] ).

We should also add a unit test as @jnylen0 suggested in the original ticket: https://core.trac.wordpress.org/ticket/38593#comment:4

[kkoppenhaver]

Working on this one at WCUS Contributor day, thanks @rachelbaker!

[rachelbaker]

Thanks for the patch @kkoppenhaver.

I wish there was a better way to structure this logic, so we didn't need to nest the ! array_key_exists() conditional, but I didn't see an obvious way around it.

[rachelbaker]

Adds unit tests

[rachelbaker]

39042.2.diff​ adds unit tests for null and false sanitization_callback values.

[rachelbaker]

@joehoyle would like your eyes on 39042.2.diff​, would love a better approach than the nested conditional.

[joehoyle]

This looks good to me, I had incorrectly assumed isset was going to fail on null, but I guess that's not the case.

[jnylen0]

Cleaner code and tests

[jnylen0]

In 39042.3.diff​:

• Restructure this code block a bit more to get rid of the nested conditional and shorten up some long lines
• One assertion per test (separate tests for null and false)

I also removed the @ticket annotation from the tests as I don't think it adds much value: I'm not sure why you'd need this information, but if you do, you can find it via blame.

[rachelbaker]

In 39563:

REST API: Allow schema sanitization_callback to be set to null to bypass fallback sanitization functions.

The logic in WP_REST_Request->sanitize_params() added in [39091] did not account for null or false being the sanitization_callback preventing overriding rest_parse_request_arg(). This fixes that oversight, allowing the built in sanitization function to be bypassed. See #38593.

Props kkoppenhaver, rachelbaker, jnylen0.
Fixes #39042.

[rachelbaker]

In 39642:

REST API: Allow schema sanitization_callback to be set to null to bypass fallback sanitization functions.

The logic in WP_REST_Request->sanitize_params() added in [39091] did not account for null or false being the sanitization_callback preventing overriding rest_parse_request_arg(). This fixes that oversight, allowing the built in sanitization function to be bypassed. See #38593.

Merges [39563] to the 4.7 branch.

Props kkoppenhaver, rachelbaker, jnylen0.
Fixes #39042.