REST API: Avoid default sanitization for polymorphic params.

Some parameters (`title`, `content`, etc) are objects in the output, but allow objects or strings to be sent in updates for a more ergonomic interface. This is pretty weird behaviour, so the default sanitisation doesn't handle this. We instead handle this ourselves in the preparation. Props joehoyle, rachelbaker. Fixes #38529. Built from https://develop.svn.wordpress.org/trunk@39089 git-svn-id: http://core.svn.wordpress.org/trunk@39031 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-11-02 06:02:29 +00:00 · 2016-11-02 06:02:29 +00:00 · a911bf7e2c
parent 6f13b8291d
commit a911bf7e2c
3 changed files with 13 additions and 1 deletions
--- a/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@ -1132,6 +1132,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 					'description'     => __( 'The content for the object.' ),
 					'type'            => 'object',
 					'context'         => array( 'view', 'edit', 'embed' ),
+					'arg_options'     => array(
+						'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
+					),
 					'properties'      => array(
 						'raw'         => array(
 							'description'     => __( 'Content for the object, as it exists in the database.' ),
--- a/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@ -1813,6 +1813,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 						'description' => __( 'The title for the object.' ),
 						'type'        => 'object',
 						'context'     => array( 'view', 'edit', 'embed' ),
+						'arg_options' => array(
+							'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
+						),
 						'properties'  => array(
 							'raw' => array(
 								'description' => __( 'Title for the object, as it exists in the database.' ),
@ -1834,6 +1837,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 						'description' => __( 'The content for the object.' ),
 						'type'        => 'object',
 						'context'     => array( 'view', 'edit' ),
+						'arg_options' => array(
+							'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
+						),
 						'properties'  => array(
 							'raw' => array(
 								'description' => __( 'Content for the object, as it exists in the database.' ),
@ -1869,6 +1875,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 						'description' => __( 'The excerpt for the object.' ),
 						'type'        => 'object',
 						'context'     => array( 'view', 'edit', 'embed' ),
+						'arg_options' => array(
+							'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
+						),
 						'properties'  => array(
 							'raw' => array(
 								'description' => __( 'Excerpt for the object, as it exists in the database.' ),
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.7-beta1-39088';
+$wp_version = '4.7-beta1-39089';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.