From a59fb4e50fd8c058b22f25262e41b38846fdfc74 Mon Sep 17 00:00:00 2001
From: TimothyBlynJacobs
Date: Sat, 11 Jul 2020 20:34:05 +0000
Subject: [PATCH] REST API: Sanitize block renderer attributes.

In [48069] the Block Renderer was changed to register a single route for all dynamic blocks. Validation was dynamically applied based on the requested block, but sanitization was not. This commit adds the same sanitization back to the block attributes.

Props manooweb. Fixes #50620. See #48079.
Built from https://develop.svn.wordpress.org/trunk@48437

git-svn-id: http://core.svn.wordpress.org/trunk@48206 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../class-wp-rest-block-renderer-controller.php | 16 ++++++++++++++++
 wp-includes/version.php | 2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-block-renderer-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-block-renderer-controller.php
index 3388078d05..07a389e794 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-block-renderer-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-block-renderer-controller.php
@@ -70,6 +70,22 @@ class WP_REST_Block_Renderer_Controller extends WP_REST_Controller {
 return rest_validate_value_from_schema( $value, $schema );
 },
+ 'sanitize_callback' => static function ( $value, $request ) {
+ $block = WP_Block_Type_Registry::get_instance()->get_registered( $request['name'] );
+
+ if ( ! $block ) {
+ // This will get rejected in ::get_item().
+ return true;
+ }
+
+ $schema = array(
+ 'type' => 'object',
+ 'properties' => $block->get_attributes(),
+ 'additionalProperties' => false,
+ );
+
+ return rest_sanitize_value_from_schema( $value, $schema );
+ },
 ),
 'post_id' => array(
 'description' => __( 'ID of the post context.' ),
diff --git a/wp-includes/version.php b/wp-includes/version.php
index d4286b9069..ba51c17733 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
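Review bot: When the requested block name is not registered, the new sanitize_callback returns `true`, so `$request['attributes']` becomes the boolean `true` instead of the submitted array for anything that reads the request before `get_item()` runs (a permission callback, a `rest_request_before_callbacks` filter); the comment defers to a rejection in get_item() that is not visible in this hunk. Returning the value untouched, `return $value;`, or the same `WP_Error` get_item() produces for an unknown block, keeps the parameter's type stable and does not depend on that later check. The schema is also assembled the same way in the validate_callback just above; a small private helper taking `$block` and returning the `array( 'type' => 'object', … )` would keep validation and sanitization from drifting apart. Note too that if a registered attribute definition omits `type`, I believe rest_sanitize_value_from_schema() passes that attribute through unchanged — worth confirming, since sanitization then adds nothing for it and a comment saying so would help the next reader. The enclosing arguments array and the method it belongs to start and end outside this hunk.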
@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.5-beta1-48436';
+$wp_version = '5.5-beta1-48437';
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.