[wp-trac] [WordPress Trac] #34893: Improve Customizer setting validation model

WordPress Trac noreply at wordpress.org
Tue Jan 12 21:36:53 UTC 2016


#34893: Improve Customizer setting validation model
-------------------------------------+--------------------------
 Reporter:  westonruter              |       Owner:  westonruter
     Type:  enhancement              |      Status:  accepted
 Priority:  normal                   |   Milestone:  4.5
Component:  Customize                |     Version:  3.4
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-testing  |     Focuses:  javascript
-------------------------------------+--------------------------
Description changed by westonruter:

Old description:

> Customizer setting values need to be able to be validated and for any
> validation errors to block the Customizer from saving any setting until
> all are valid.
>
> Settings in the Customizer rely on sanitization to ensure that only valid
> values get persisted to the database. The sanitization in the Customizer
> generally allows values to be passed through to be persisted and does not
> enforce validation that blocks the saving of the value. This is in large
> part because there is no standard facility for showing error messages
> relating to Customizer controls, and there is no standard method to raise
> validation errors. A Customizer setting ''can'' be blocked from being
> saved by returning `null` from the `WP_Customize_Setting::sanitize()`
> method (i.e. generally returned via `customize_sanitize_{$setting_id}`).
> When this is done, however, the modified value completely disappears from
> the preview with no indication for why the value seems to be reset to the
> default.
>
> In JavaScript there is the `wp.customize.Setting.prototype.validate()`
> method that can be extended to return `null` in the case where the value
> should be rejected, but again this does not provide a way to display a
> validation message: the user can be entering data but they just stop
> seeing the value making changes in the preview without any feedback. Even
> worse, if the JS `validate` method actually manipulates the value to make
> it valid, there can be strange behavior in the UI as the user provides
> input, likely having to do with the two-way data binding of
> `wp.customize.Element` instances.
>
> Furthermore, if one setting is blocked from being saved by means of
> validation in the sanitization method, the other settings in the
> Customizer state may very well be completely valid, and thus they would
> save successfully. The result is that some settings would get saved,
> whereas others would not, and the user wouldn't know which were
> successful and which failed (again, since there is no standard mechanism
> for showing validation error message). The Customizer state would only
> partially get persisted to the database. This isn't good.
>
> We need to improve the Customizer by:
>
> * Validating settings on server before save.
> * Displaying validation error messages from server and from JS client.
> * Performing transactional/atomic setting saving, rejecting all settings
> if one is invalid.
>
> Since the `WP_Customize_Setting::sanitize()` already partially supports
> validation by returning `null`, we can build on that to also allow it to
> return a `WP_Error` object. We'd want to retain the regular fuzzy
> sanitization during preview updates, but during the `customize_save`
> action we'd want to impose a strict pass/fail for setting validation.
>
> This is closely related and complimentary to #30937: Add Customizer
> transactions
>
> For the notification bar to display validation error messages, see
> #35210.

New description:

 Customizer setting values need to be able to be validated and for any
 validation errors to block the Customizer from saving any setting until
 all are valid.

 Settings in the Customizer rely on sanitization to ensure that only valid
 values get persisted to the database. The sanitization in the Customizer
 generally allows values to be passed through to be persisted and does not
 enforce validation that blocks the saving of the value. This is in large
 part because there is no standard facility for showing error messages
 relating to Customizer controls, and there is no standard method to raise
 validation errors. A Customizer setting ''can'' be blocked from being
 saved by returning `null` from the `WP_Customize_Setting::sanitize()`
 method (i.e. generally returned via `customize_sanitize_{$setting_id}`).
 When this is done, however, the modified value completely disappears from
 the preview with no indication for why the value seems to be reset to the
 default.

 In JavaScript there is the `wp.customize.Setting.prototype.validate()`
 method that can be extended to return `null` in the case where the value
 should be rejected, but again this does not provide a way to display a
 validation message: the user can be entering data but they just stop
 seeing the value making changes in the preview without any feedback. Even
 worse, if the JS `validate` method actually manipulates the value to make
 it valid, there can be strange behavior in the UI as the user provides
 input, likely having to do with the two-way data binding of
 `wp.customize.Element` instances.

 Furthermore, if one setting is blocked from being saved by means of
 validation in the sanitization method, the other settings in the
 Customizer state may very well be completely valid, and thus they would
 save successfully. The result is that some settings would get saved,
 whereas others would not, and the user wouldn't know which were successful
 and which failed (again, since there is no standard mechanism for showing
 validation error message). The Customizer state would only partially get
 persisted to the database. This isn't good.

 We need to improve the Customizer by:

 * Validating settings on server before save.
 * Displaying validation error messages from server and from JS client.
 * Performing transactional/atomic setting saving, rejecting all settings
 if one is invalid.

 Since the `WP_Customize_Setting::sanitize()` already partially supports
 validation by returning `null`, we can build on that to also allow it to
 return a `WP_Error` object. We'd want to retain the regular fuzzy
 sanitization during preview updates, but during the `customize_save`
 action we'd want to impose a strict pass/fail for setting validation.

 This is closely related and complimentary to #30937: Add Customizer
 transactions

 For the notification bar to display validation error messages, see #35210.

 Feature plugin: https://github.com/xwp/wp-customize-setting-validation

--

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34893#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list