REST API: Sanitize block renderer attributes.

In [48069] the Block Renderer was changed to register a single route for all dynamic blocks. Validation was dynamically applied based on the requested block, but sanitization was not. This commit adds the same sanitization back to the block attributes. Props manooweb. Fixes #50620. See #48079. Built from https://develop.svn.wordpress.org/trunk@48437 git-svn-id: http://core.svn.wordpress.org/trunk@48206 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-07-11 20:34:05 +00:00 · 2020-07-11 20:34:05 +00:00 · a59fb4e50f
parent 7b61df725e
commit a59fb4e50f
2 changed files with 17 additions and 1 deletions
--- a/wp-includes/rest-api/endpoints/class-wp-rest-block-renderer-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-block-renderer-controller.php
@ -70,6 +70,22 @@ class WP_REST_Block_Renderer_Controller extends WP_REST_Controller {

 								return rest_validate_value_from_schema( $value, $schema );
 							},
+							'sanitize_callback' => static function ( $value, $request ) {
+								$block = WP_Block_Type_Registry::get_instance()->get_registered( $request['name'] );
+
+								if ( ! $block ) {
+									// This will get rejected in ::get_item().
+									return true;
+								}
+
+								$schema = array(
+									'type'                 => 'object',
+									'properties'           => $block->get_attributes(),
+									'additionalProperties' => false,
+								);
+
+								return rest_sanitize_value_from_schema( $value, $schema );
+							},
 						),
 						'post_id'    => array(
 							'description' => __( 'ID of the post context.' ),
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -13,7 +13,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.5-beta1-48436';
+$wp_version = '5.5-beta1-48437';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.