From df13f01ad0f13e0250efa0ca976c383227a8a57d Mon Sep 17 00:00:00 2001
From: Ryan McCue
Date: Wed, 2 Nov 2016 06:01:49 +0000
Subject: [PATCH] REST API: Avoid default sanitization for polymorphic params.

Some parameters (`title`, `content`, etc) are objects in the output, but allow objects or strings to be sent in updates for a more ergonomic interface. This is pretty weird behaviour, so the default sanitisation doesn't handle this. We instead handle this ourselves in the preparation.

Props joehoyle, rachelbaker.
Fixes #38529.

git-svn-id: https://develop.svn.wordpress.org/trunk@39089 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../endpoints/class-wp-rest-comments-controller.php | 3 +++
 .../endpoints/class-wp-rest-posts-controller.php    | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
index a842fc2986..3454dc1906 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php
@@ -1132,6 +1132,9 @@ class WP_REST_Comments_Controller extends WP_REST_Controller {
 'description' => __( 'The content for the object.' ),
 'type' => 'object',
 'context' => array( 'view', 'edit', 'embed' ),
+ 'arg_options' => array(
+ 'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
+ ),
 'properties' => array(
 'raw' => array(
 'description' => __( 'Content for the object, as it exists in the database.' ),
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index 7c801a4c44..4beda26210 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
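Review bot: Setting `sanitize_callback` to `null` on the comment `content` arg means the value that reaches prepare_item_for_database() is neither type-coerced nor sanitized by the request layer, and the only evidence that the method compensates is the inline comment; the method itself is outside this hunk, so the review cannot confirm it. That method needs to accept exactly the two advertised shapes — a plain string, or an array carrying a `raw` key — and reject anything else (an integer, a nested array under `raw`, a string under some other key) with a 400 rather than casting it, since an unexpected array reaching the insert path would presumably be stringified or trigger a notice instead of being refused. It should also still apply the same content filtering the default sanitizer path would have applied, so the opt-out does not become a way to bypass it. Whether `validate_callback` still runs on the string form after the `arg_options` merge depends on how object-typed values are validated in this version, which is not visible here; a test that PUTs both shapes and one malformed value would pin the contract the comment promises.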
@@ -1813,6 +1813,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 'description' => __( 'The title for the object.' ),
 'type' => 'object',
 'context' => array( 'view', 'edit', 'embed' ),
+ 'arg_options' => array(
+ 'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
+ ),
 'properties' => array(
 'raw' => array(
 'description' => __( 'Title for the object, as it exists in the database.' ),
@@ -1834,6 +1837,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 'description' => __( 'The content for the object.' ),
 'type' => 'object',
 'context' => array( 'view', 'edit' ),
+ 'arg_options' => array(
+ 'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
+ ),
 'properties' => array(
 'raw' => array(
 'description' => __( 'Content for the object, as it exists in the database.' ),
@@ -1869,6 +1875,9 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 'description' => __( 'The excerpt for the object.' ),
 'type' => 'object',
 'context' => array( 'view', 'edit', 'embed' ),
+ 'arg_options' => array(
+ 'sanitize_callback' => null, // Note: sanitization implemented in self::prepare_item_for_database()
+ ),
 'properties' => array(
 'raw' => array(
 'description' => __( 'Excerpt for the object, as it exists in the database.' ),
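Review bot: The `// Note:` comment on the added `'sanitize_callback' => null,` line in the `title` hunk (and identically in the `content` and `excerpt` hunks) records where sanitization now happens but not why the default was switched off, which is exactly the part a later maintainer is likely to "fix" by deleting the override; the commit message explains it and the code should too. Suggested replacement for that line's comment in all three hunks: `// Accepts a string or an object with a 'raw' key on write, so the type-based default sanitizer is bypassed; sanitized in self::prepare_item_for_database().` The override also relies on `arg_options` being merged over the controller's default callbacks in a way that honours a `null` value — if that merge skips nulls, this line is a silent no-op, and nothing in these hunks shows which it is. A test that PUTs a plain string to `title` and asserts the stored value would catch both that and a regression in prepare_item_for_database(), which lies outside these hunks.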