[wp-trac] [WordPress Trac] #38583: Support for objects in schema validation and sanitization
WordPress Trac
noreply at wordpress.org
Thu Oct 5 21:17:55 UTC 2017
#38583: Support for objects in schema validation and sanitization
---------------------------------------------------+---------------------
Reporter: rachelbaker | Owner: rmccue
Type: enhancement | Status: closed
Priority: high | Milestone: 4.9
Component: REST API | Version: 4.7
Severity: normal | Resolution: fixed
Keywords: has-patch has-unit-tests dev-feedback | Focuses:
---------------------------------------------------+---------------------
Comment (by mnelson4):
This is a nice feature we will definitely use in our plugin!
Unfortunately, the only reason I learned about it was because it broke our
plugin's unit tests! :)
Our custom REST API endpoints accept a query parameter of type "object"
which has a pretty complex structure, so we were performing our validation
on it later in the request. However, this change now has validation
kicking in early and wiping the object right away. So, our previous valid
query params are now being marked as invalid.
eg, this is the info in the WP REST API index page about the endpoint
{{{
"/ee/v4.8.36/datetimes": {
"namespace": "ee/v4.8.36",
"methods": [
"GET",
"POST"
],
"endpoints": [
{
"methods": [
"GET"
],
"args": {
"where": {
"required": false,
"default": [],
"type": "object"
},
}}}
A request like
`mysite.com/wp-json/ee/v4.8.36/datetimes?where[DTT_EVT_start]=2017-01-01T00:00:00` used
to only show the datetimes where their `DTT_EVT_start` property matched
January 1st 2017, but this new validation removes that condition because
it only considers an empty object to be a valid value for the `where` arg.
I'm not sure if other plugin developers or users with custom endpoints
will experience the same issue.
I'd suggest: if `$args['properties']` is empty inside
`rest_sanitize_value_from_schema`, that no validation should occur (for
backward compatibility, that was the previous behaviour), instead of only
considering an empty object valid (current behaviour).
ie, inside `rest_sanitize_value_from_schema`, replace the code that deals
with args of type object with this
{{{#!php
if ( 'object' === $args['type'] ) {
    if ( $value instanceof stdClass ) {
        $value = (array) $value;
    }
    if ( ! is_array( $value ) ) {
        return array();
    }
    // Only filter properties when the schema actually declares some.
    if ( isset( $args['properties'] ) ) { // <--- new
        foreach ( $value as $property => $v ) {
            if ( ! isset( $args['properties'][ $property ] ) ) {
                unset( $value[ $property ] );
                continue;
            }
            $value[ $property ] = rest_sanitize_value_from_schema( $v, $args['properties'][ $property ] );
        }
    } // <---- new
    return $value;
}
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38583#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
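
Added example, not part of the original message and not WordPress core code: a simplified PHP stand-in for the object branch of `rest_sanitize_value_from_schema`, run against the `where` argument from the comment. The function name `sanitize_object_arg`, its `$skip_when_no_properties` flag, the string-cast scalar handling and the `unexpected` key are assumptions made for illustration.

```php
<?php
// Simplified stand-in for the 'object' branch of rest_sanitize_value_from_schema().
// Hypothetical helper, not WordPress core; scalars are reduced to a string cast.
function sanitize_object_arg( $value, array $args, bool $skip_when_no_properties ) {
    if ( 'object' !== ( $args['type'] ?? null ) ) {
        return is_scalar( $value ) ? (string) $value : $value;
    }
    if ( $value instanceof stdClass ) {
        $value = (array) $value;
    }
    if ( ! is_array( $value ) ) {
        return array();
    }
    // Behaviour proposed in the comment: no 'properties' key means no filtering.
    if ( $skip_when_no_properties && ! isset( $args['properties'] ) ) {
        return $value;
    }
    foreach ( $value as $property => $v ) {
        if ( ! isset( $args['properties'][ $property ] ) ) {
            unset( $value[ $property ] ); // key not declared in the schema
            continue;
        }
        $value[ $property ] = sanitize_object_arg(
            $v,
            $args['properties'][ $property ],
            $skip_when_no_properties
        );
    }
    return $value;
}

// Constructed input: the array PHP builds for
// ?where[DTT_EVT_start]=2017-01-01T00:00:00&where[unexpected]=1
$where = array( 'DTT_EVT_start' => '2017-01-01T00:00:00', 'unexpected' => '1' );

// Schema as registered by the plugin in the comment: type only, no properties.
$bare = array( 'type' => 'object' );
// Schema that declares the one property the endpoint expects.
$declared = array(
    'type'       => 'object',
    'properties' => array( 'DTT_EVT_start' => array( 'type' => 'string' ) ),
);

var_dump( sanitize_object_arg( $where, $bare, false ) );     // case 1: 4.9 behaviour, bare schema
var_dump( sanitize_object_arg( $where, $bare, true ) );      // case 2: proposed pass-through, bare schema
var_dump( sanitize_object_arg( $where, $declared, false ) ); // case 3: 4.9 behaviour, declared schema
```

In the pass-through case, undeclared keys reach the endpoint callback unfiltered, so the later validation the comment mentions has to cover them; declaring `properties` keeps the expected key and lets the sanitizer drop the rest.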