REST API: Avoid default sanitization for polymorphic params.

Some parameters (`title`, `content`, etc.) are objects in the output, but accept either objects or strings in updates for a more ergonomic interface. This is pretty weird behaviour, so the default sanitisation doesn't handle it. Instead, we handle it ourselves while preparing the item for the database (`prepare_item_for_database()`).

Props joehoyle, rachelbaker.
Fixes #38529.


git-svn-id: https://develop.svn.wordpress.org/trunk@39089 602fd350-edb4-49c9-b593-d223f7449a82
Ryan McCue
2016-11-02 06:01:49 +00:00
parent d4de97ad6f
commit df13f01ad0
2 changed files with 12 additions and 0 deletions


@@ -1132,6 +1132,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
'description' => __( 'The content for the object.' ),
'type' => 'object',
'context' => array( 'view', 'edit', 'embed' ),
'arg_options' => array(
'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
),
'properties' => array(
'raw' => array(
'description' => __( 'Content for the object, as it exists in the database.' ),
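Review bot: With `'sanitize_callback' => null` on `content`, nothing at the request layer cleans or normalises this value any more, so the only protection is whatever `prepare_item_for_database()` does, and that method is outside this hunk and cannot be checked from here. The inline comment should name the accepted shapes so the next reader knows what that method has to cover, for example `// Accepts a string or an object with a 'raw' key; sanitized in self::prepare_item_for_database().` It would also help to add tests that send `content` as a plain string, as an object with `raw`, and as an object without `raw` or with a non-string `raw`, asserting that the stored value is filtered the same way in each case. The same applies to `title`, `content` and `excerpt` in WP_REST_Posts_Controller.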


@@ -1813,6 +1813,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
'description' => __( 'The title for the object.' ),
'type' => 'object',
'context' => array( 'view', 'edit', 'embed' ),
'arg_options' => array(
'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
),
'properties' => array(
'raw' => array(
'description' => __( 'Title for the object, as it exists in the database.' ),
@@ -1834,6 +1837,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
'description' => __( 'The content for the object.' ),
'type' => 'object',
'context' => array( 'view', 'edit' ),
'arg_options' => array(
'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
),
'properties' => array(
'raw' => array(
'description' => __( 'Content for the object, as it exists in the database.' ),
@@ -1869,6 +1875,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
'description' => __( 'The excerpt for the object.' ),
'type' => 'object',
'context' => array( 'view', 'edit', 'embed' ),
'arg_options' => array(
'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
),
'properties' => array(
'raw' => array(
'description' => __( 'Excerpt for the object, as it exists in the database.' ),
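Review bot: Only `sanitize_callback` is overridden in these three `arg_options` blocks, so the default validation for `title`, `content` and `excerpt` stays in place while the schema still declares `'type' => 'object'`. If schema validation enforces the object type, now or after a later change, a plain-string update (which the commit message says is supported) would be rejected before `prepare_item_for_database()` runs. A test asserting that a string `title` passes request validation would pin the intended behaviour. If the type check does get in the way, make the override explicit with `'validate_callback' => null,` next to the sanitize entry and check both shapes in the prepare method. The `content` schema in WP_REST_Comments_Controller has the same shape.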