REST API: Only validate the format keyword if the type is a string.

This allows for using multi-type support with a string that has a format. For backwards compatibility support, the format validation will still apply if the type is not specified, or it is invalid.

Two new doing it wrong notices are issued when omitting a type, or using an invalid type.

Props ryotsun.
Fixes #50189.


git-svn-id: https://develop.svn.wordpress.org/trunk@48300 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/rest-api.php

@@ -1281,6 +1281,12 @@ function rest_get_avatar_sizes() {
  * @return true|WP_Error
  */
 function rest_validate_value_from_schema( $value, $args, $param = '' ) {
+	$allowed_types = array( 'array', 'object', 'string', 'number', 'integer', 'boolean', 'null' );
+
+	if ( ! isset( $args['type'] ) ) {
+		_doing_it_wrong( __FUNCTION__, __( 'The "type" schema keyword is required.' ), '5.5.0' );
+	}
+
 	if ( is_array( $args['type'] ) ) {
 		foreach ( $args['type'] as $type ) {
 			$type_args         = $args;
@@ -1295,6 +1301,15 @@ function rest_validate_value_from_schema( $value, $args, $param = '' ) {
 		return new WP_Error( 'rest_invalid_param', sprintf( __( '%1$s is not of type %2$s.' ), $param, implode( ',', $args['type'] ) ) );
 	}
 
+	if ( ! in_array( $args['type'], $allowed_types, true ) ) {
+		_doing_it_wrong(
+			__FUNCTION__,
+			/* translators: 1. The list of allowed types. */
+			wp_sprintf( __( 'The "type" schema keyword can only be on of the built-in types: %l.' ), $allowed_types ),
+			'5.5.0'
+		);
+	}
+
 	if ( 'array' === $args['type'] ) {
 		if ( ! is_null( $value ) ) {
 			$value = wp_parse_list( $value );
@@ -1449,7 +1464,9 @@ function rest_validate_value_from_schema( $value, $args, $param = '' ) {
 		}
 	}
 
-	if ( isset( $args['format'] ) ) {
+	// The "format" keyword should only be applied to strings. However, for backwards compatibility,
+	// we allow the "format" keyword if the type keyword was not specified, or was set to an invalid value.
+	if ( isset( $args['format'] ) && ( ! isset( $args['type'] ) || 'string' === $args['type'] || ! in_array( $args['type'], $allowed_types, true ) ) ) {
 		switch ( $args['format'] ) {
 			case 'hex-color':
 				if ( ! rest_parse_hex_color( $value ) ) {
@@ -1538,6 +1555,12 @@ function rest_validate_value_from_schema( $value, $args, $param = '' ) {
  * @return true|WP_Error
  */
 function rest_sanitize_value_from_schema( $value, $args ) {
+	$allowed_types = array( 'array', 'object', 'string', 'number', 'integer', 'boolean', 'null' );
+
+	if ( ! isset( $args['type'] ) ) {
+		_doing_it_wrong( __FUNCTION__, __( 'The "type" schema keyword is required.' ), '5.5.0' );
+	}
+
 	if ( is_array( $args['type'] ) ) {
 		// Determine which type the value was validated against,
 		// and use that type when performing sanitization.
@@ -1560,6 +1583,15 @@ function rest_sanitize_value_from_schema( $value, $args ) {
 		$args['type'] = $validated_type;
 	}
 
+	if ( ! in_array( $args['type'], $allowed_types, true ) ) {
+		_doing_it_wrong(
+			__FUNCTION__,
+			/* translators: 1. The list of allowed types. */
+			wp_sprintf( __( 'The "type" schema keyword can only be on of the built-in types: %l.' ), $allowed_types ),
+			'5.5.0'
+		);
+	}
+
 	if ( 'array' === $args['type'] ) {
 		if ( empty( $args['items'] ) ) {
 			return (array) $value;
@@ -1619,7 +1651,8 @@ function rest_sanitize_value_from_schema( $value, $args ) {
 		return rest_sanitize_boolean( $value );
 	}
 
-	if ( isset( $args['format'] ) ) {
+	// This behavior matches rest_validate_value_from_schema().
+	if ( isset( $args['format'] ) && ( ! isset( $args['type'] ) || 'string' === $args['type'] || ! in_array( $args['type'], $allowed_types, true ) ) ) {
 		switch ( $args['format'] ) {
 			case 'hex-color':
 				return (string) sanitize_hex_color( $value );

tests/phpunit/tests/rest-api/rest-schema-sanitization.php

@@ -312,6 +312,8 @@ class WP_Test_REST_Schema_Sanitization extends WP_UnitTestCase {
 	}
 
 	public function test_type_unknown() {
+		$this->setExpectedIncorrectUsage( 'rest_sanitize_value_from_schema' );
+
 		$schema = array(
 			'type' => 'lalala',
 		);
@@ -321,6 +323,8 @@ class WP_Test_REST_Schema_Sanitization extends WP_UnitTestCase {
 	}
 
 	public function test_no_type() {
+		$this->setExpectedIncorrectUsage( 'rest_sanitize_value_from_schema' );
+
 		$schema = array(
 			'type' => null,
 		);
@@ -340,6 +344,44 @@ class WP_Test_REST_Schema_Sanitization extends WP_UnitTestCase {
 		$this->assertNull( rest_sanitize_value_from_schema( 'lalala', $schema ) );
 	}
 
+	/**
+	 * @ticket 50189
+	 */
+	public function test_format_validation_is_skipped_if_non_string_type() {
+		$schema = array(
+			'type'   => 'array',
+			'format' => 'hex-color',
+		);
+		$this->assertEquals( array( '#fff' ), rest_sanitize_value_from_schema( '#fff', $schema ) );
+		$this->assertEquals( array( '#qrst' ), rest_sanitize_value_from_schema( '#qrst', $schema ) );
+	}
+
+	/**
+	 * @ticket 50189
+	 */
+	public function test_format_validation_is_applied_if_missing_type() {
+		$this->expectException( 'PHPUnit_Framework_Error_Notice' ); // For the undefined index.
+		$this->setExpectedIncorrectUsage( 'rest_sanitize_value_from_schema' );
+
+		$schema = array( 'format' => 'hex-color' );
+		$this->assertEquals( '#abc', rest_sanitize_value_from_schema( '#abc', $schema ) );
+		$this->assertEquals( '', rest_sanitize_value_from_schema( '#jkl', $schema ) );
+	}
+
+	/**
+	 * @ticket 50189
+	 */
+	public function test_format_validation_is_applied_if_unknown_type() {
+		$this->setExpectedIncorrectUsage( 'rest_sanitize_value_from_schema' );
+
+		$schema = array(
+			'format' => 'hex-color',
+			'type'   => 'str',
+		);
+		$this->assertEquals( '#abc', rest_sanitize_value_from_schema( '#abc', $schema ) );
+		$this->assertEquals( '', rest_sanitize_value_from_schema( '#jkl', $schema ) );
+	}
+
 	public function test_object_or_string() {
 		$schema = array(
 			'type'       => array( 'object', 'string' ),

tests/phpunit/tests/rest-api/rest-schema-validation.php

@@ -137,6 +137,47 @@ class WP_Test_REST_Schema_Validation extends WP_UnitTestCase {
 		$this->assertWPError( rest_validate_value_from_schema( 'FF01::101::2', $schema ) ); // Multicast, compressed.
 	}
 
+	/**
+	 * @ticket 50189
+	 */
+	public function test_format_validation_is_skipped_if_non_string_type() {
+		$schema = array(
+			'type'   => 'array',
+			'items'  => array(
+				'type' => 'string',
+			),
+			'format' => 'email',
+		);
+		$this->assertTrue( rest_validate_value_from_schema( 'email@example.com', $schema ) );
+		$this->assertTrue( rest_validate_value_from_schema( 'email', $schema ) );
+	}
+
+	/**
+	 * @ticket 50189
+	 */
+	public function test_format_validation_is_applied_if_missing_type() {
+		$this->expectException( 'PHPUnit_Framework_Error_Notice' ); // For the undefined index.
+		$this->setExpectedIncorrectUsage( 'rest_validate_value_from_schema' );
+
+		$schema = array( 'format' => 'email' );
+		$this->assertTrue( rest_validate_value_from_schema( 'email@example.com', $schema ) );
+		$this->assertWPError( rest_validate_value_from_schema( 'email', $schema ) );
+	}
+
+	/**
+	 * @ticket 50189
+	 */
+	public function test_format_validation_is_applied_if_unknown_type() {
+		$this->setExpectedIncorrectUsage( 'rest_validate_value_from_schema' );
+
+		$schema = array(
+			'format' => 'email',
+			'type'   => 'str',
+		);
+		$this->assertTrue( rest_validate_value_from_schema( 'email@example.com', $schema ) );
+		$this->assertWPError( rest_validate_value_from_schema( 'email', $schema ) );
+	}
+
 	public function test_type_array() {
 		$schema = array(
 			'type'  => 'array',
@@ -322,6 +363,8 @@ class WP_Test_REST_Schema_Validation extends WP_UnitTestCase {
 	}
 
 	public function test_type_unknown() {
+		$this->setExpectedIncorrectUsage( 'rest_validate_value_from_schema' );
+
 		$schema = array(
 			'type' => 'lalala',
 		);