From a911bf7e2c3847638a7cda3e8e476a657aaf656e Mon Sep 17 00:00:00 2001
From: Ryan McCue
Date: Wed, 2 Nov 2016 06:02:29 +0000
Subject: [PATCH] REST API: Avoid default sanitization for polymorphic params.

Some parameters (`title`, `content`, etc) are objects in the output, but allow objects or strings to be sent in updates for a more ergonomic interface. This is pretty weird behaviour, so the default sanitisation doesn't handle this. We instead handle this ourselves in the preparation.
Props joehoyle, rachelbaker.
Fixes #38529.
Built from https://develop.svn.wordpress.org/trunk@39089
git-svn-id: http://core.svn.wordpress.org/trunk@39031 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../endpoints/class-wp-rest-comments-controller.php | 3 +++
 .../endpoints/class-wp-rest-posts-controller.php | 9 +++++++++
 wp-includes/version.php | 2 +-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
index a842fc2986..3454dc1906 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -1132,6 +1132,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 'description' => __( 'The content for the object.' ),
 'type' => 'object',
 'context' => array( 'view', 'edit', 'embed' ),
+ 'arg_options' => array(
+ 'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
+ ),
 'properties' => array(
 'raw' => array(
 'description' => __( 'Content for the object, as it exists in the database.' ),
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index 7c801a4c44..4beda26210 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
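Review bot: The added `'sanitize_callback' => null` on `content` switches off the schema-driven sanitization for this argument while the `// Note:` comment delegates it to `prepare_item_for_database()`, which is outside this hunk, so nothing visible here shows that both accepted shapes (a bare string and an object carrying `raw`) receive the same treatment before the comment is stored; a test creating a comment with each shape would pin that. Only the sanitize callback is nulled, so the default validate callback presumably still runs against `'type' => 'object'`; whether a plain string survives that validation depends on the schema validator's handling of `object`, also not visible here, and is worth confirming in the same test. As a wording nit, `prepare_item_for_database()` is an instance method, so the comment would read more accurately as `// Note: sanitization is done in $this->prepare_item_for_database().`. The enclosing `get_item_schema()` array starts and ends outside the hunk.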
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -1813,6 +1813,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 'description' => __( 'The title for the object.' ),
 'type' => 'object',
 'context' => array( 'view', 'edit', 'embed' ),
+ 'arg_options' => array(
+ 'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
+ ),
 'properties' => array(
 'raw' => array(
 'description' => __( 'Title for the object, as it exists in the database.' ),
@@ -1834,6 +1837,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 'description' => __( 'The content for the object.' ),
 'type' => 'object',
 'context' => array( 'view', 'edit' ),
+ 'arg_options' => array(
+ 'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
+ ),
 'properties' => array(
 'raw' => array(
 'description' => __( 'Content for the object, as it exists in the database.' ),
@@ -1869,6 +1875,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 'description' => __( 'The excerpt for the object.' ),
 'type' => 'object',
 'context' => array( 'view', 'edit', 'embed' ),
+ 'arg_options' => array(
+ 'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
+ ),
 'properties' => array(
 'raw' => array(
 'description' => __( 'Excerpt for the object, as it exists in the database.' ),
diff --git a/wp-includes/version.php b/wp-includes/version.php
index f454ea2184..b270e2c68c 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.7-beta1-39088';
+$wp_version = '4.7-beta1-39089';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
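Review bot: In the `content` hunk at `@@ -1834,6 +1837,9 @@`, nulling `sanitize_callback` means the request value now reaches `prepare_item_for_database()` without the argument-level sanitization, and that method is outside the hunk, so the hunk itself gives no evidence that a bare string and `content['raw']` are filtered the same way before being stored; if the post content path applies capability-dependent HTML filtering, a test submitting each form as a low-privilege user would close that gap. The identical three-line `arg_options` block is pasted for `title`, `content` and `excerpt`; a private helper or property returning it would keep the three in step and give the comment one home. `self::prepare_item_for_database()` in the comment names an instance method with static syntax; `$this->prepare_item_for_database()` is the accurate spelling. `get_item_schema()` begins and ends outside these hunks.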