[wp-trac] [WordPress Trac] #38583: Support for objects in schema validation and sanitization

WordPress Trac noreply at wordpress.org
Mon Oct 23 18:53:22 UTC 2017


#38583: Support for objects in schema validation and sanitization
----------------------------------------+-----------------------
 Reporter:  rachelbaker                 |       Owner:  rmccue
     Type:  enhancement                 |      Status:  reopened
 Priority:  high                        |   Milestone:  4.9
Component:  REST API                    |     Version:  4.7
 Severity:  major                       |  Resolution:
 Keywords:  has-unit-tests needs-patch  |     Focuses:
----------------------------------------+-----------------------

Comment (by rmccue):

 I disagree with @joehoyle here, primarily for the reason of consistency.
 The root object is essentially the same as any nested object. The root
 object has always, and should always, allow additional properties (this
 allows us forwards-compatibility, pluggability, etc).

 If the behaviour of `additionalProperties` doesn't match, then we can
 never do nested schemas; e.g. if I have a schema which references another
 schema, then the same data should be allowed for both types. If additional
 properties are not allowed, then the behaviour is much different, and
 forwards-compat/etc will be harder.

 Is this potentially unsafe by default? Sure, in the same way that `(array)
 $request` is currently unsafe. Consistency matters more in this case.

 That's not to say we shouldn't allow the opposite for developers that want
 that. A "strict mode" is something we've talked about for a while, but
 never really implemented.

 For settings/meta registration, it's probably a good idea to set the
 default there to avoid saving arbitrary data, since the expectation will
 be that your setting/meta is strict. That is ''not'' the same expectation
 as request input data though.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38583#comment:38>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
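As an added illustration of the rules rmccue argues for above (not WordPress core code and not the ticket's patch), the following standalone validator treats nested objects exactly like the root, tolerates unknown keys by default as request input does, and rejects them under `additionalProperties => false` or a hypothetical strict flag meant for settings/meta that will be persisted. Function name, flag and sample data are assumptions.

```php
<?php
// Added example, not WordPress core code. Extra keys pass at the root AND in
// nested objects (so a schema referenced from another schema behaves the same
// either way) unless the schema sets additionalProperties => false or the
// hypothetical $strict flag is on, as one would want for persisted settings/meta.

function wp_example_validate_object( array $value, array $schema, bool $strict = false, string $path = '' ): array {
    $errors = array();
    $props  = isset( $schema['properties'] ) ? $schema['properties'] : array();
    // JSON Schema type name => PHP gettype() result for scalar/array checks.
    $types  = array( 'string' => 'string', 'integer' => 'integer', 'boolean' => 'boolean', 'number' => 'double', 'array' => 'array' );

    foreach ( $props as $name => $prop ) {
        if ( ! array_key_exists( $name, $value ) ) {
            if ( ! empty( $prop['required'] ) ) {
                $errors[] = $path . $name . ' is required';
            }
            continue;
        }
        if ( 'object' === $prop['type'] ) {
            // Recurse with the same rules: a nested object is validated exactly like the root.
            $errors = array_merge( $errors, wp_example_validate_object( (array) $value[ $name ], $prop, $strict, $path . $name . '.' ) );
        } elseif ( gettype( $value[ $name ] ) !== $types[ $prop['type'] ] ) {
            $errors[] = $path . $name . ' must be of type ' . $prop['type'];
        }
    }

    // Permissive default: unknown keys are allowed unless the schema or strict mode says otherwise.
    $allow_extra = array_key_exists( 'additionalProperties', $schema ) ? (bool) $schema['additionalProperties'] : ! $strict;
    if ( ! $allow_extra ) {
        foreach ( array_keys( array_diff_key( $value, $props ) ) as $name ) {
            $errors[] = $path . $name . ' is not a valid property';
        }
    }
    return $errors;
}

// Constructed sample: an "author" schema embedded under "post". Because the
// rules do not change with depth, the same $author schema could also be used at the root.
$author = array( 'type' => 'object', 'properties' => array( 'name' => array( 'type' => 'string', 'required' => true ) ) );
$post   = array( 'type' => 'object', 'properties' => array( 'title' => array( 'type' => 'string' ), 'author' => $author ) );
$input  = array( 'title' => 'Hi', 'author' => array( 'name' => 'Rachel', 'twitter' => '@r' ), '_links' => array() );

var_dump( wp_example_validate_object( $input, $post ) );        // permissive default, as for request input
var_dump( wp_example_validate_object( $input, $post, true ) );  // strict mode, as for settings/meta to be saved
```

In strict mode the unknown `author.twitter` and `_links` keys are reported, which is the point of registering settings/meta with a closed schema rather than relying on the permissive request-input default.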