[wp-trac] [WordPress Trac] #38583: Support for objects in schema validation and sanitization
WordPress Trac
noreply at wordpress.org
Mon Oct 23 18:53:22 UTC 2017
#38583: Support for objects in schema validation and sanitization
----------------------------------------+-----------------------
Reporter: rachelbaker | Owner: rmccue
Type: enhancement | Status: reopened
Priority: high | Milestone: 4.9
Component: REST API | Version: 4.7
Severity: major | Resolution:
Keywords: has-unit-tests needs-patch | Focuses:
----------------------------------------+-----------------------
Comment (by rmccue):
I disagree with @joehoyle here, primarily for the reason of consistency.
The root object is essentially the same as any nested object. The root
object has always, and should always, allow additional properties (this
allows us forwards-compatibility, pluggability, etc).

If the behaviour of `additionalProperties` doesn't match, then we can
never do nested schemas; e.g. if I have a schema which references another
schema, then the same data should be allowed for both types. If additional
properties are not allowed, then the behaviour is much different, and
forwards-compat/etc will be harder.

Is this potentially unsafe by default? Sure, in the same way that `(array)
$request` is currently unsafe. Consistency matters more in this case.

That's not to say we shouldn't allow the opposite for developers that want
that. A "strict mode" is something we've talked about for a while, but
never really implemented.

For settings/meta registration, it's probably a good idea to set the
default there to avoid saving arbitrary data, since the expectation will
be that your setting/meta is strict. That is ''not'' the same expectation
as request input data though.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38583#comment:38>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
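
The trade-off discussed in the comment above, as an added example that is not part of the original message and is not WordPress core code: the same nested input validated against a schema that leaves `additionalProperties` at its permissive default (request input) and one that sets it to `false` on the nested object (the stricter default suggested for settings/meta). The helper `demo_validate_object()`, the schemas and the sample input are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not WordPress core code: demo_validate_object() is hypothetical.
// As in JSON Schema, additionalProperties is treated as true when it is omitted.
function demo_validate_object( array $value, array $schema, string $path = '' ): array {
    $errors     = array();
    $properties = $schema['properties'] ?? array();
    $allow_more = $schema['additionalProperties'] ?? true; // permissive default
    foreach ( $value as $key => $item ) {
        $here = '' === $path ? (string) $key : "$path.$key";
        if ( ! array_key_exists( $key, $properties ) ) {
            // Undeclared key: only an error when the schema opts in to strictness.
            if ( false === $allow_more ) {
                $errors[] = "$here is not a declared property";
            }
            continue;
        }
        $prop = $properties[ $key ];
        $type = $prop['type'] ?? null;
        if ( 'object' === $type ) {
            if ( ! is_array( $item ) ) {
                $errors[] = "$here must be an object";
                continue;
            }
            // Nested objects follow exactly the same rule as the root object.
            $errors = array_merge( $errors, demo_validate_object( $item, $prop, $here ) );
        } elseif ( 'string' === $type && ! is_string( $item ) ) {
            $errors[] = "$here must be a string";
        }
    }
    return $errors;
}

// Constructed sample: the nested "author" object carries one undeclared key.
$input = array( 'title' => 'Hello', 'author' => array( 'name' => 'A', 'unexpected_key' => 1 ) );
$request_schema = array(
    'properties' => array(
        'title'  => array( 'type' => 'string' ),
        'author' => array(
            'type'       => 'object',
            'properties' => array( 'name' => array( 'type' => 'string' ) ),
        ),
    ),
);
// Same shape, but strict on the nested object, as suggested for settings/meta.
$meta_schema = $request_schema;
$meta_schema['properties']['author']['additionalProperties'] = false;

print_r( array(
    'request_input' => demo_validate_object( $input, $request_schema ),
    'setting_meta'  => demo_validate_object( $input, $meta_schema ),
) );
```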