Make WordPress Core

Opened 4 years ago

Closed 3 years ago

#49960 closed enhancement (fixed)

REST API: Support sanitize callbacks for nested properties

Reported by: ocean90's profile ocean90 Owned by: rachelbaker's profile rachelbaker
Milestone: 5.9 Priority: normal
Severity: normal Version:
Component: REST API Keywords: has-patch has-unit-tests commit needs-refresh
Focuses: Cc:


Example schema:

'foobar' => [
	'required'    => true,
	'type'        => 'object',
	'properties'  => [
		'foo' => [
			'required'          => true,
			'type'              => 'string',
			'sanitize_callback' => 'sanitize_text_field',
		'bar'    => [
			'required'          => true,
			'type'              => 'string',
			'sanitize_callback' => [ static::class, 'sanitize_bar' ],

Unfortunately, the required and sanitize_callback values are currently not used for properties. required is now handled in #48818. With support for sanitize_callback we'd have another way to enforce a specific format without much hassle.


Change History (11)

#1 @TimothyBlynJacobs
4 years ago

This would definitely be helpful. I'm not sure what the best way to go about it is.

We have rest_validate_request_from_schema, but that doesn't have any knowledge of the idea of sanitize_callback or validate_callback and I'd be hesitant to add that to what is a generic JSON schema validator/sanitizer.

Perhaps it could live in rest_validate_request_arg? Though for similar reasons as mentioned in #48818, it'd be much simpler to add it to rest_validate_value_from_schema since it handles schema traversing. Maybe we need a general purpose schema traversing function?

#2 @TimothyBlynJacobs
3 years ago

  • Keywords reporter-feedback added

@ocean90 Could you share some examples of what kind of validation you would want to do in these instances?

I've been thinking that this might be better served by an API to register a JSON Schema format.

#3 @ocean90
3 years ago

  • Keywords reporter-feedback removed

@TimothyBlynJacobs Since I just stumbled upon this again, the most common so far is limiting a field to only plain strings without any HTML like sanitize_text_field() (or sanitize_textarea_field() does for us.
Maybe it's common enough to be added as a default text-field format?

#4 @TimothyBlynJacobs
3 years ago

I'm definitely +1 for a text-field format.

This ticket was mentioned in PR #1187 on WordPress/wordpress-develop by ocean90.

3 years ago

  • Keywords has-patch has-unit-tests added; needs-patch needs-unit-tests removed

Probably going to create a separate ticket for this enhancement but it's related to #WP49960.

So far the formats are only used in rest_sanitize_value_from_schema() because I'm not sure how a validation should look like. Do we need one?

Trac ticket:

#6 @rachelbaker
3 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 5.8
  • Owner set to rachelbaker
  • Status changed from new to accepted

#7 @desrosj
3 years ago

  • Milestone changed from 5.8 to 5.9

Today is 5.8 feature freeze. Unfortunately this one ran out of time.

Punting to 5.9 as there has been good recent momentum.

This ticket was mentioned in Slack in #core-restapi by spacedmonkey. View the logs.

3 years ago

#9 @spacedmonkey
3 years ago

This ticket was discussed in the REST-API core meeting. The patch seems sound. As this ticket is assigned to @rachelbaker I will leave it to her to review. If we do not hear back in a couple of week, @TimothyBlynJacobs may take over this ticket to commit for 5.9.

#10 @rachelbaker
3 years ago

  • Keywords needs-refresh added

#11 @rachelbaker
3 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 51908:

REST API: Add text-field and textarea-field as available schema formats for string sanitization.

Props ocean90, TimothyBlynJacobs.
Fixes #49960.

Note: See TracTickets for help on using tickets.