empty( $allowed_attr ) ) { return $css; } $css = ''; foreach ( $css_array as $css_item ) { if ( '' === $css_item ) { continue; } $css_item = trim( $css_item ); $css_test_string = $css_item; $found = false; $url_attr = false; $gradient_attr = false; if ( strpos( $css_item, ':' ) === false ) { $found = true; } else { $parts = explode( ':', $css_item, 2 ); $css_selector = trim( $parts[0] ); if ( in_array( $css_selector, $allowed_attr, true ) ) { $found = true; $url_attr = in_array( $css_selector, $css_url_data_types, true ); $gradient_attr = in_array( $css_selector, $css_gradient_data_types, true ); } } if ( $found && $url_attr ) { // Simplified: matches the sequence `url(*)`. preg_match_all( '/url\([^)]+\)/', $parts[1], $url_matches ); foreach ( $url_matches[0] as $url_match ) { // Clean up the URL from each of the matches above. preg_match( '/^url\(\s*([\'\"]?)(.*)(\g1)\s*\)$/', $url_match, $url_pieces ); if ( empty( $url_pieces[2] ) ) { $found = false; break; } $url = trim( $url_pieces[2] ); if ( empty( $url ) || wp_kses_bad_protocol( $url, $allowed_protocols ) !== $url ) { $found = false; break; } else { // Remove the whole `url(*)` bit that was matched above from the CSS. $css_test_string = str_replace( $url_match, '', $css_test_string ); } } } if ( $found && $gradient_attr ) { $css_value = trim( $parts[1] ); if ( preg_match( '/^(repeating-)?(linear|radial|conic)-gradient\(([^()]|rgb[a]?\([^()]*\))*\)$/', $css_value ) ) { // Remove the whole `gradient` bit that was matched above from the CSS. $css_test_string = str_replace( $css_value, '', $css_test_string ); } } if ( $found ) { // Allow CSS calc(). $css_test_string = preg_replace( '/calc\(((?:\([^()]*\)?|[^()])*)\)/', '', $css_test_string ); // Allow CSS var(). $css_test_string = preg_replace( '/\(?var\(--[a-zA-Z0-9_-]*\)/', '', $css_test_string ); // Check for any CSS containing \ ( & } = or comments, // except for url(), calc(), or var() usage checked above. $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ); /** * Filters the check for unsafe CSS in `safecss_filter_attr`. * * Enables developers to determine whether a section of CSS should be allowed or discarded. * By default, the value will be false if the part contains \ ( & } = or comments. * Return true to allow the CSS part to be included in the output. * * @since 5.5.0 * * @param bool $allow_css Whether the CSS in the test string is considered safe. * @param string $css_test_string The CSS string to test. */ $allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string ); // Only add the CSS part if it passes the regex check. if ( $allow_css ) { if ( '' !== $css ) { $css .= ';'; } $css .= $css_item; } } } return $css; } /** * Helper function to add global attributes to a tag in the allowed HTML list. * * @since 3.5.0 * @since 5.0.0 Added support for `data-*` wildcard attributes. * @since 6.0.0 Added `dir`, `lang`, and `xml:lang` to global attributes. * * @access private * @ignore * * @param array $value An array of attributes. * @return array The array of attributes with global attributes added. */ function _wp_add_global_attributes( $value ) { $global_attributes = array( 'aria-describedby' => true, 'aria-details' => true, 'aria-label' => true, 'aria-labelledby' => true, 'aria-hidden' => true, 'class' => true, 'data-*' => true, 'dir' => true, 'id' => true, 'lang' => true, 'style' => true, 'title' => true, 'role' => true, 'xml:lang' => true, ); if ( true === $value ) { $value = array(); } if ( is_array( $value ) ) { return array_merge( $value, $global_attributes ); } return $value; } /** * Helper function to check if this is a safe PDF URL. * * @since 5.9.0 * @access private * @ignore * * @param string $url The URL to check. * @return bool True if the URL is safe, false otherwise. */ function _wp_kses_allow_pdf_objects( $url ) { // We're not interested in URLs that contain query strings or fragments. if ( str_contains( $url, '?' ) || str_contains( $url, '#' ) ) { return false; } // If it doesn't have a PDF extension, it's not safe. if ( ! str_ends_with( $url, '.pdf' ) ) { return false; } // If the URL host matches the current site's media URL, it's safe. $upload_info = wp_upload_dir( null, false ); $parsed_url = wp_parse_url( $upload_info['url'] ); $upload_host = isset( $parsed_url['host'] ) ? $parsed_url['host'] : ''; $upload_port = isset( $parsed_url['port'] ) ? ':' . $parsed_url['port'] : ''; if ( str_starts_with( $url, "http://$upload_host$upload_port/" ) || str_starts_with( $url, "https://$upload_host$upload_port/" ) ) { return true; } return false; } h Optional. Whether the process should stop after the first successful match. * @return array|WP_Error The matching schema or WP_Error instance if the number of matching schemas is not equal to one. */ function rest_find_one_matching_schema( $value, $args, $param, $stop_after_first_match = false ) { $matching_schemas = array(); $errors = array(); foreach ( $args['oneOf'] as $index => $schema ) { if ( ! isset( $schema['type'] ) && isset( $args['type'] ) ) { $schema['type'] = $args['type']; } $is_valid = rest_validate_value_from_schema( $value, $schema, $param ); if ( ! is_wp_error( $is_valid ) ) { if ( $stop_after_first_match ) { return $schema; } $matching_schemas[] = array( 'schema_object' => $schema, 'index' => $index, ); } else { $errors[] = array( 'error_object' => $is_valid, 'schema' => $schema, 'index' => $index, ); } } if ( ! $matching_schemas ) { return rest_get_combining_operation_error( $value, $param, $errors ); } if ( count( $matching_schemas ) > 1 ) { $schema_positions = array(); $schema_titles = array(); foreach ( $matching_schemas as $schema ) { $schema_positions[] = $schema['index']; if ( isset( $schema['schema_object']['title'] ) ) { $schema_titles[] = $schema['schema_object']['title']; } } // If each schema has a title, include those titles in the error message. if ( count( $schema_titles ) === count( $matching_schemas ) ) { return new WP_Error( 'rest_one_of_multiple_matches', /* translators: 1: Parameter, 2: Schema titles. */ wp_sprintf( __( '%1$s matches %2$l, but should match only one.' ), $param, $schema_titles ), array( 'positions' => $schema_positions ) ); } return new WP_Error( 'rest_one_of_multiple_matches', /* translators: %s: Parameter. */ sprintf( __( '%s matches more than one of the expected formats.' ), $param ), array( 'positions' => $schema_positions ) ); } return $matching_schemas[0]['schema_object']; } /** * Checks the equality of two values, following JSON Schema semantics. * * Property order is ignored for objects. * * Values must have been previously sanitized/coerced to their native types. * * @since 5.7.0 * * @param mixed $value1 The first value to check. * @param mixed $value2 The second value to check. * @return bool True if the values are equal or false otherwise. */ function rest_are_values_equal( $value1, $value2 ) { if ( is_array( $value1 ) && is_array( $value2 ) ) { if ( count( $value1 ) !== count( $value2 ) ) { return false; } foreach ( $value1 as $index => $value ) { if ( ! array_key_exists( $index, $value2 ) || ! rest_are_values_equal( $value, $value2[ $index ] ) ) { return false; } } return true; } if ( is_int( $value1 ) && is_float( $value2 ) || is_float( $value1 ) && is_int( $value2 ) ) { return (float) $value1 === (float) $value2; } return $value1 === $value2; } /** * Validates that the given value is a member of the JSON Schema "enum". * * @since 5.7.0 * * @param mixed $value The value to validate. * @param array $args The schema array to use. * @param string $param The parameter name, used in error messages. * @return true|WP_Error True if the "enum" contains the value or a WP_Error instance otherwise. */ function rest_validate_enum( $value, $args, $param ) { $sanitized_value = rest_sanitize_value_from_schema( $value, $args, $param ); if ( is_wp_error( $sanitized_value ) ) { return $sanitized_value; } foreach ( $args['enum'] as $enum_value ) { if ( rest_are_values_equal( $sanitized_value, $enum_value ) ) { return true; } } $encoded_enum_values = array(); foreach ( $args['enum'] as $enum_value ) { $encoded_enum_values[] = is_scalar( $enum_value ) ? $enum_value : wp_json_encode( $enum_value ); } if ( count( $encoded_enum_values ) === 1 ) { /* translators: 1: Parameter, 2: Valid values. */ return new WP_Error( 'rest_not_in_enum', wp_sprintf( __( '%1$s is not %2$s.' ), $param, $encoded_enum_values[0] ) ); } /* translators: 1: Parameter, 2: List of valid values. */ return new WP_Error( 'rest_not_in_enum', wp_sprintf( __( '%1$s is not one of %2$l.' ), $param, $encoded_enum_values ) ); } /** * Get all valid JSON schema properties. * * @since 5.6.0 * * @return string[] All valid JSON schema properties. */ function rest_get_allowed_schema_keywords() { return array( 'title', 'description', 'default', 'type', 'format', 'enum', 'items', 'properties', 'additionalProperties', 'patternProperties', 'minProperties', 'maxProperties', 'minimum', 'maximum', 'exclusiveMinimum', 'exclusiveMaximum', 'multipleOf', 'minLength', 'maxLength', 'pattern', 'minItems', 'maxItems', 'uniqueItems', 'anyOf', 'oneOf', ); } /** * Validate a value based on a schema. * * @since 4.7.0 * @since 4.9.0 Support the "object" type. * @since 5.2.0 Support validating "additionalProperties" against a schema. * @since 5.3.0 Support multiple types. * @since 5.4.0 Convert an empty string to an empty object. * @since 5.5.0 Add the "uuid" and "hex-color" formats. * Support the "minLength", "maxLength" and "pattern" keywords for strings. * Support the "minItems", "maxItems" and "uniqueItems" keywords for arrays. * Validate required properties. * @since 5.6.0 Support the "minProperties" and "maxProperties" keywords for objects. * Support the "multipleOf" keyword for numbers and integers. * Support the "patternProperties" keyword for objects. * Support the "anyOf" and "oneOf" keywords. * * @param mixed $value The value to validate. * @param array $args Schema array to use for validation. * @param string $param The parameter name, used in error messages. * @return true|WP_Error */ function rest_validate_value_from_schema( $value, $args, $param = '' ) { if ( isset( $args['anyOf'] ) ) { $matching_schema = rest_find_any_matching_schema( $value, $args, $param ); if ( is_wp_error( $matching_schema ) ) { return $matching_schema; } if ( ! isset( $args['type'] ) && isset( $matching_schema['type'] ) ) { $args['type'] = $matching_schema['type']; } } if ( isset( $args['oneOf'] ) ) { $matching_schema = rest_find_one_matching_schema( $value, $args, $param ); if ( is_wp_error( $matching_schema ) ) { return $matching_schema; } if ( ! isset( $args['type'] ) && isset( $matching_schema['type'] ) ) { $args['type'] = $matching_schema['type']; } } $allowed_types = array( 'array', 'object', 'string', 'number', 'integer', 'boolean', 'null' ); if ( ! isset( $args['type'] ) ) { /* translators: %s: Parameter. */ _doing_it_wrong( __FUNCTION__, sprintf( __( 'The "type" schema keyword for %s is required.' ), $param ), '5.5.0' ); } if ( is_array( $args['type'] ) ) { $best_type = rest_handle_multi_type_schema( $value, $args, $param ); if ( ! $best_type ) { return new WP_Error( 'rest_invalid_type', /* translators: 1: Parameter, 2: List of types. */ sprintf( __( '%1$s is not of type %2$s.' ), $param, implode( ',', $args['type'] ) ), array( 'param' => $param ) ); } $args['type'] = $best_type; } if ( ! in_array( $args['type'], $allowed_types, true ) ) { _doing_it_wrong( __FUNCTION__, /* translators: 1: Parameter, 2: The list of allowed types. */ wp_sprintf( __( 'The "type" schema keyword for %1$s can only be one of the built-in types: %2$l.' ), $param, $allowed_types ), '5.5.0' ); } switch ( $args['type'] ) { case 'null': $is_valid = rest_validate_null_value_from_schema( $value, $param ); break; case 'boolean': $is_valid = rest_validate_boolean_value_from_schema( $value, $param ); break; case 'object': $is_valid = rest_validate_object_value_from_schema( $value, $args, $param ); break; case 'array': $is_valid = rest_validate_array_value_from_schema( $value, $args, $param ); break; case 'number': $is_valid = rest_validate_number_value_from_schema( $value, $args, $param ); break; case 'string': $is_valid = rest_validate_string_value_from_schema( $value, $args, $param ); break; case 'integer': $is_valid = rest_validate_integer_value_from_schema( $value, $args, $param ); break; default: $is_valid = true; break; } if ( is_wp_error( $is_valid ) ) { return $is_valid; } if ( ! empty( $args['enum'] ) ) { $enum_contains_value = rest_validate_enum( $value, $args, $param ); if ( is_wp_error( $enum_contains_value ) ) { return $enum_contains_value; } } // The "format" keyword should only be applied to strings. However, for backward compatibility, // we allow the "format" keyword if the type keyword was not specified, or was set to an invalid value. if ( isset( $args['format'] ) && ( ! isset( $args['type'] ) || 'string' === $args['type'] || ! in_array( $args['type'], $allowed_types, true ) ) ) { switch ( $args['format'] ) { case 'hex-color': if ( ! rest_parse_hex_color( $value ) ) { return new WP_Error( 'rest_invalid_hex_color', __( 'Invalid hex color.' ) ); } break; case 'date-time': if ( ! rest_parse_date( $value ) ) { return new WP_Error( 'rest_invalid_date', __( 'Invalid date.' ) ); } break; case 'email': if ( ! is_email( $value ) ) { return new WP_Error( 'rest_invalid_email', __( 'Invalid email address.' ) ); } break; case 'ip': if ( ! rest_is_ip_address( $value ) ) { /* translators: %s: IP address. */ return new WP_Error( 'rest_invalid_ip', sprintf( __( '%s is not a valid IP address.' ), $param ) ); } break; case 'uuid': if ( ! wp_is_uuid( $value ) ) { /* translators: %s: The name of a JSON field expecting a valid UUID. */ return new WP_Error( 'rest_invalid_uuid', sprintf( __( '%s is not a valid UUID.' ), $param ) ); } break; } } return true; } /** * Validates a null value based on a schema. * * @since 5.7.0 * * @param mixed $value The value to validate. * @param string $param The parameter name, used in error messages. * @return true|WP_Error */ function rest_validate_null_value_from_schema( $value, $param ) { if ( null !== $value ) { return new WP_Error( 'rest_invalid_type', /* translators: 1: Parameter, 2: Type name. */ sprintf( __( '%1$s is not of type %2$s.' ), $param, 'null' ), array( 'param' => $param ) ); } return true; } /** * Validates a boolean value based on a schema. * * @since 5.7.0 * * @param mixed $value The value to validate. * @param string $param The parameter name, used in error messages. * @return true|WP_Error */ function rest_validate_boolean_value_from_schema( $value, $param ) { if ( ! rest_is_boolean( $value ) ) { return new WP_Error( 'rest_invalid_type', /* translators: 1: Parameter, 2: Type name. */ sprintf( __( '%1$s is not of type %2$s.' ), $param, 'boolean' ), array( 'param' => $param ) ); } return true; } /** * Validates an object value based on a schema. * * @since 5.7.0 * * @param mixed $value The value to validate. * @param array $args Schema array to use for validation. * @param string $param The parameter name, used in error messages. * @return true|WP_Error */ function rest_validate_object_value_from_schema( $value, $args, $param ) { if ( ! rest_is_object( $value ) ) { return new WP_Error( 'rest_invalid_type', /* translators: 1: Parameter, 2: Type name. */ sprintf( __( '%1$s is not of type %2$s.' ), $param, 'object' ), array( 'param' => $param ) ); } $value = rest_sanitize_object( $value ); if ( isset( $args['required'] ) && is_array( $args['required'] ) ) { // schema version 4 foreach ( $args['required'] as $name ) { if ( ! array_key_exists( $name, $value ) ) { return new WP_Error( 'rest_property_required', /* translators: 1: Property of an object, 2: Parameter. */ sprintf( __( '%1$s is a required property of %2$s.' ), $name, $param ) ); } } } elseif ( isset( $args['properties'] ) ) { // schema version 3 foreach ( $args['properties'] as $name => $property ) { if ( isset( $property['required'] ) && true === $property['required'] && ! array_key_exists( $name, $value ) ) { return new WP_Error( 'rest_property_required', /* translators: 1: Property of an object, 2: Parameter. */ sprintf( __( '%1$s is a required property of %2$s.' ), $name, $param ) ); } } } foreach ( $value as $property => $v ) { if ( isset( $args['properties'][ $property ] ) ) { $is_valid = rest_validate_value_from_schema( $v, $args['properties'][ $property ], $param . '[' . $property . ']' ); if ( is_wp_error( $is_valid ) ) { return $is_valid; } continue; } $pattern_property_schema = rest_find_matching_pattern_property_schema( $property, $args ); if ( null !== $pattern_property_schema ) { $is_valid = rest_validate_value_from_schema( $v, $pattern_property_schema, $param . '[' . $property . ']' ); if ( is_wp_error( $is_valid ) ) { return $is_valid; } continue; } if ( isset( $args['additionalProperties'] ) ) { if ( false === $args['additionalProperties'] ) { return new WP_Error( 'rest_additional_properties_forbidden', /* translators: %s: Property of an object. */ sprintf( __( '%1$s is not a valid property of Object.' ), $property ) ); } if ( is_array( $args['additionalProperties'] ) ) { $is_valid = rest_validate_value_from_schema( $v, $args['additionalProperties'], $param . '[' . $property . ']' ); if ( is_wp_error( $is_valid ) ) { return $is_valid; } } } } if ( isset( $args['minProperties'] ) && count( $value ) < $args['minProperties'] ) { return new WP_Error( 'rest_too_few_properties', sprintf( /* translators: 1: Parameter, 2: Number. */ _n( '%1$s must contain at least %2$s property.', '%1$s must contain at least %2$s properties.', $args['minProperties'] ), $param, number_format_i18n( $args['minProperties'] ) ) ); } if ( isset( $args['maxProperties'] ) && count( $value ) > $args['maxProperties'] ) { return new WP_Error( 'rest_too_many_properties', sprintf( /* translators: 1: Parameter, 2: Number. */ _n( '%1$s must contain at most %2$s property.', '%1$s must contain at most %2$s properties.', $args['maxProperties'] ), $param, number_format_i18n( $args['maxProperties'] ) ) ); } return true; } /** * Validates an array value based on a schema. * * @since 5.7.0 * * @param mixed $value The value to validate. * @param array $args Schema array to use for validation. * @param string $param The parameter name, used in error messages. * @return true|WP_Error */ function rest_validate_array_value_from_schema( $value, $args, $param ) { if ( ! rest_is_array( $value ) ) { return new WP_Error( 'rest_invalid_type', /* translators: 1: Parameter, 2: Type name. */ sprintf( __( '%1$s is not of type %2$s.' ), $param, 'array' ), array( 'param' => $param ) ); } $value = rest_sanitize_array( $value ); if ( isset( $args['items'] ) ) { foreach ( $value as $index => $v ) { $is_valid = rest_validate_value_from_schema( $v, $args['items'], $param . '[' . $index . ']' ); if ( is_wp_error( $is_valid ) ) { return $is_valid; } } } if ( isset( $args['minItems'] ) && count( $value ) < $args['minItems'] ) { return new WP_Error( 'rest_too_few_items', sprintf( /* translators: 1: Parameter, 2: Number. */ _n( '%1$s must contain at least %2$s item.', '%1$s must contain at least %2$s items.', $args['minItems'] ), $param, number_format_i18n( $args['minItems'] ) ) ); } if ( isset( $args['maxItems'] ) && count( $value ) > $args['maxItems'] ) { return new WP_Error( 'rest_too_many_items', sprintf( /* translators: 1: Parameter, 2: Number. */ _n( '%1$s must contain at most %2$s item.', '%1$s must contain at most %2$s items.', $args['maxItems'] ), $param, number_format_i18n( $args['maxItems'] ) ) ); } if ( ! empty( $args['uniqueItems'] ) && ! rest_validate_array_contains_unique_items( $value ) ) { /* translators: %s: Parameter. */ return new WP_Error( 'rest_duplicate_items', sprintf( __( '%s has duplicate items.' ), $param ) ); } return true; } /** * Validates a number value based on a schema. * * @since 5.7.0 * * @param mixed $value The value to validate. * @param array $args Schema array to use for validation. * @param string $param The parameter name, used in error messages. * @return true|WP_Error */ function rest_validate_number_value_from_schema( $value, $args, $param ) { if ( ! is_numeric( $value ) ) { return new WP_Error( 'rest_invalid_type', /* translators: 1: Parameter, 2: Type name. */ sprintf( __( '%1$s is not of type %2$s.' ), $param, $args['type'] ), array( 'param' => $param ) ); } if ( isset( $args['multipleOf'] ) && fmod( $value, $args['multipleOf'] ) !== 0.0 ) { return new WP_Error( 'rest_invalid_multiple', /* translators: 1: Parameter, 2: Multiplier. */ sprintf( __( '%1$s must be a multiple of %2$s.' ), $param, $args['multipleOf'] ) ); } if ( isset( $args['minimum'] ) && ! isset( $args['maximum'] ) ) { if ( ! empty( $args['exclusiveMinimum'] ) && $value <= $args['minimum'] ) { return new WP_Error( 'rest_out_of_bounds', /* translators: 1: Parameter, 2: Minimum number. */ sprintf( __( '%1$s must be greater than %2$d' ), $param, $args['minimum'] ) ); } if ( empty( $args['exclusiveMinimum'] ) && $value < $args['minimum'] ) { return new WP_Error( 'rest_out_of_bounds', /* translators: 1: Parameter, 2: Minimum number. */ sprintf( __( '%1$s must be greater than or equal to %2$d' ), $param, $args['minimum'] ) ); } } if ( isset( $args['maximum'] ) && ! isset( $args['minimum'] ) ) { if ( ! empty( $args['exclusiveMaximum'] ) && $value >= $args['maximum'] ) { return new WP_Error( 'rest_out_of_bounds', /* translators: 1: Parameter, 2: Maximum number. */ sprintf( __( '%1$s must be less than %2$d' ), $param, $args['maximum'] ) ); } if ( empty( $args['exclusiveMaximum'] ) && $value > $args['maximum'] ) { return new WP_Error( 'rest_out_of_bounds', /* translators: 1: Parameter, 2: Maximum number. */ sprintf( __( '%1$s must be less than or equal to %2$d' ), $param, $args['maximum'] ) ); } } if ( isset( $args['minimum'], $args['maximum'] ) ) { if ( ! empty( $args['exclusiveMinimum'] ) && ! empty( $args['exclusiveMaximum'] ) ) { if ( $value >= $args['maximum'] || $value <= $args['minimum'] ) { return new WP_Error( 'rest_out_of_bounds', sprintf( /* translators: 1: Parameter, 2: Minimum number, 3: Maximum number. */ __( '%1$s must be between %2$d (exclusive) and %3$d (exclusive)' ), $param, $args['minimum'], $args['maximum'] ) ); } } if ( ! empty( $args['exclusiveMinimum'] ) && empty( $args['exclusiveMaximum'] ) ) { if ( $value > $args['maximum'] || $value <= $args['minimum'] ) { return new WP_Error( 'rest_out_of_bounds', sprintf( /* translators: 1: Parameter, 2: Minimum number, 3: Maximum number. */ __( '%1$s must be between %2$d (exclusive) and %3$d (inclusive)' ), $param, $args['minimum'], $args['maximum'] ) ); } } if ( ! empty( $args['exclusiveMaximum'] ) && empty( $args['exclusiveMinimum'] ) ) { if ( $value >= $args['maximum'] || $value < $args['minimum'] ) { return new WP_Error( 'rest_out_of_bounds', sprintf( /* translators: 1: Parameter, 2: Minimum number, 3: Maximum number. */ __( '%1$s must be between %2$d (inclusive) and %3$d (exclusive)' ), $param, $args['minimum'], $args['maximum'] ) ); } } if ( empty( $args['exclusiveMinimum'] ) && empty( $args['exclusiveMaximum'] ) ) { if ( $value > $args['maximum'] || $value < $args['minimum'] ) { return new WP_Error( 'rest_out_of_bounds', sprintf( /* translators: 1: Parameter, 2: Minimum number, 3: Maximum number. */ __( '%1$s must be between %2$d (inclusive) and %3$d (inclusive)' ), $param, $args['minimum'], $args['maximum'] ) ); } } } return true; } /** * Validates a string value based on a schema. * * @since 5.7.0 * * @param mixed $value The value to validate. * @param array $args Schema array to use for validation. * @param string $param The parameter name, used in error messages. * @return true|WP_Error */ function rest_validate_string_value_from_schema( $value, $args, $param ) { if ( ! is_string( $value ) ) { return new WP_Error( 'rest_invalid_type', /* translators: 1: Parameter, 2: Type name. */ sprintf( __( '%1$s is not of type %2$s.' ), $param, 'string' ), array( 'param' => $param ) ); } if ( isset( $args['minLength'] ) && mb_strlen( $value ) < $args['minLength'] ) { return new WP_Error( 'rest_too_short', sprintf( /* translators: 1: Parameter, 2: Number of characters. */ _n( '%1$s must be at least %2$s character long.', '%1$s must be at least %2$s characters long.', $args['minLength'] ), $param, number_format_i18n( $args['minLength'] ) ) ); } if ( isset( $args['maxLength'] ) && mb_strlen( $value ) > $args['maxLength'] ) { return new WP_Error( 'rest_too_long', sprintf( /* translators: 1: Parameter, 2: Number of characters. */ _n( '%1$s must be at most %2$s character long.', '%1$s must be at most %2$s characters long.', $args['maxLength'] ), $param, number_format_i18n( $args['maxLength'] ) ) ); } if ( isset( $args['pattern'] ) && ! rest_validate_json_schema_pattern( $args['pattern'], $value ) ) { return new WP_Error( 'rest_invalid_pattern', /* translators: 1: Parameter, 2: Pattern. */ sprintf( __( '%1$s does not match pattern %2$s.' ), $param, $args['pattern'] ) ); } return true; } /** * Validates an integer value based on a schema. * * @since 5.7.0 * * @param mixed $value The value to validate. * @param array $args Schema array to use for validation. * @param string $param The parameter name, used in error messages. * @return true|WP_Error */ function rest_validate_integer_value_from_schema( $value, $args, $param ) { $is_valid_number = rest_validate_number_value_from_schema( $value, $args, $param ); if ( is_wp_error( $is_valid_number ) ) { return $is_valid_number; } if ( ! rest_is_integer( $value ) ) { return new WP_Error( 'rest_invalid_type', /* translators: 1: Parameter, 2: Type name. */ sprintf( __( '%1$s is not of type %2$s.' ), $param, 'integer' ), array( 'param' => $param ) ); } return true; } /** * Sanitize a value based on a schema. * * @since 4.7.0 * @since 5.5.0 Added the `$param` parameter. * @since 5.6.0 Support the "anyOf" and "oneOf" keywords. * @since 5.9.0 Added `text-field` and `textarea-field` formats. * * @param mixed $value The value to sanitize. * @param array $args Schema array to use for sanitization. * @param string $param The parameter name, used in error messages. * @return mixed|WP_Error The sanitized value or a WP_Error instance if the value cannot be safely sanitized. */ function rest_sanitize_value_from_schema( $value, $args, $param = '' ) { if ( isset( $args['anyOf'] ) ) { $matching_schema = rest_find_any_matching_schema( $value, $args, $param ); if ( is_wp_error( $matching_schema ) ) { return $matching_schema; } if ( ! isset( $args['type'] ) ) { $args['type'] = $matching_schema['type']; } $value = rest_sanitize_value_from_schema( $value, $matching_schema, $param ); } if ( isset( $args['oneOf'] ) ) { $matching_schema = rest_find_one_matching_schema( $value, $args, $param ); if ( is_wp_error( $matching_schema ) ) { return $matching_schema; } if ( ! isset( $args['type'] ) ) { $args['type'] = $matching_schema['type']; } $value = rest_sanitize_value_from_schema( $value, $matching_schema, $param ); } $allowed_types = array( 'array', 'object', 'string', 'number', 'integer', 'boolean', 'null' ); if ( ! isset( $args['type'] ) ) { /* translators: %s: Parameter. */ _doing_it_wrong( __FUNCTION__, sprintf( __( 'The "type" schema keyword for %s is required.' ), $param ), '5.5.0' ); } if ( is_array( $args['type'] ) ) { $best_type = rest_handle_multi_type_schema( $value, $args, $param ); if ( ! $best_type ) { return null; } $args['type'] = $best_type; } if ( ! in_array( $args['type'], $allowed_types, true ) ) { _doing_it_wrong( __FUNCTION__, /* translators: 1: Parameter, 2: The list of allowed types. */ wp_sprintf( __( 'The "type" schema keyword for %1$s can only be one of the built-in types: %2$l.' ), $param, $allowed_types ), '5.5.0' ); } if ( 'array' === $args['type'] ) { $value = rest_sanitize_array( $value ); if ( ! empty( $args['items'] ) ) { foreach ( $value as $index => $v ) { $value[ $index ] = rest_sanitize_value_from_schema( $v, $args['items'], $param . '[' . $index . ']' ); } } if ( ! empty( $args['uniqueItems'] ) && ! rest_validate_array_contains_unique_items( $value ) ) { /* translators: %s: Parameter. */ return new WP_Error( 'rest_duplicate_items', sprintf( __( '%s has duplicate items.' ), $param ) ); } return $value; } if ( 'object' === $args['type'] ) { $value = rest_sanitize_object( $value ); foreach ( $value as $property => $v ) { if ( isset( $args['properties'][ $property ] ) ) { $value[ $property ] = rest_sanitize_value_from_schema( $v, $args['properties'][ $property ], $param . '[' . $property . ']' ); continue; } $pattern_property_schema = rest_find_matching_pattern_property_schema( $property, $args ); if ( null !== $pattern_property_schema ) { $value[ $property ] = rest_sanitize_value_from_schema( $v, $pattern_property_schema, $param . '[' . $property . ']' ); continue; } if ( isset( $args['additionalProperties'] ) ) { if ( false === $args['additionalProperties'] ) { unset( $value[ $property ] ); } elseif ( is_array( $args['additionalProperties'] ) ) { $value[ $property ] = rest_sanitize_value_from_schema( $v, $args['additionalProperties'], $param . '[' . $property . ']' ); } } } return $value; } if ( 'null' === $args['type'] ) { return null; } if ( 'integer' === $args['type'] ) { return (int) $value; } if ( 'number' === $args['type'] ) { return (float) $value; } if ( 'boolean' === $args['type'] ) { return rest_sanitize_boolean( $value ); } // This behavior matches rest_validate_value_from_schema(). if ( isset( $args['format'] ) && ( ! isset( $args['type'] ) || 'string' === $args['type'] || ! in_array( $args['type'], $allowed_types, true ) ) ) { switch ( $args['format'] ) { case 'hex-color': return (string) sanitize_hex_color( $value ); case 'date-time': return sanitize_text_field( $value ); case 'email': // sanitize_email() validates, which would be unexpected. return sanitize_text_field( $value ); case 'uri': return esc_url_raw( $value ); case 'ip': return sanitize_text_field( $value ); case 'uuid': return sanitize_text_field( $value ); case 'text-field': return sanitize_text_field( $value ); case 'textarea-field': return sanitize_textarea_field( $value ); } } if ( 'string' === $args['type'] ) { return (string) $value; } return $value; } /** * Append result of internal request to REST API for purpose of preloading data to be attached to a page. * Expected to be called in the context of `array_reduce`. * * @since 5.0.0 * * @param array $memo Reduce accumulator. * @param string $path REST API path to preload. * @return array Modified reduce accumulator. */ function rest_preload_api_request( $memo, $path ) { // array_reduce() doesn't support passing an array in PHP 5.2, // so we need to make sure we start with one. if ( ! is_array( $memo ) ) { $memo = array(); } if ( empty( $path ) ) { return $memo; } $method = 'GET'; if ( is_array( $path ) && 2 === count( $path ) ) { $method = end( $path ); $path = reset( $path ); if ( ! in_array( $method, array( 'GET', 'OPTIONS' ), true ) ) { $method = 'GET'; } } $path = untrailingslashit( $path ); if ( empty( $path ) ) { $path = '/'; } $path_parts = parse_url( $path ); if ( false === $path_parts ) { return $memo; } $request = new WP_REST_Request( $method, $path_parts['path'] ); if ( ! empty( $path_parts['query'] ) ) { parse_str( $path_parts['query'], $query_params ); $request->set_query_params( $query_params ); } $response = rest_do_request( $request ); if ( 200 === $response->status ) { $server = rest_get_server(); /** This filter is documented in wp-includes/rest-api/class-wp-rest-server.php */ $response = apply_filters( 'rest_post_dispatch', rest_ensure_response( $response ), $server, $request ); $embed = $request->has_param( '_embed' ) ? rest_parse_embed_param( $request['_embed'] ) : false; $data = (array) $server->response_to_data( $response, $embed ); if ( 'OPTIONS' === $method ) { $memo[ $method ][ $path ] = array( 'body' => $data, 'headers' => $response->headers, ); } else { $memo[ $path ] = array( 'body' => $data, 'headers' => $response->headers, ); } } return $memo; } /** * Parses the "_embed" parameter into the list of resources to embed. * * @since 5.4.0 * * @param string|array $embed Raw "_embed" parameter value. * @return true|string[] Either true to embed all embeds, or a list of relations to embed. */ function rest_parse_embed_param( $embed ) { if ( ! $embed || 'true' === $embed || '1' === $embed ) { return true; } $rels = wp_parse_list( $embed ); if ( ! $rels ) { return true; } return $rels; } /** * Filters the response to remove any fields not available in the given context. * * @since 5.5.0 * @since 5.6.0 Support the "patternProperties" keyword for objects. * Support the "anyOf" and "oneOf" keywords. * * @param array|object $data The response data to modify. * @param array $schema The schema for the endpoint used to filter the response. * @param string $context The requested context. * @return array|object The filtered response data. */ function rest_filter_response_by_context( $data, $schema, $context ) { if ( isset( $schema['anyOf'] ) ) { $matching_schema = rest_find_any_matching_schema( $data, $schema, '' ); if ( ! is_wp_error( $matching_schema ) ) { if ( ! isset( $schema['type'] ) ) { $schema['type'] = $matching_schema['type']; } $data = rest_filter_response_by_context( $data, $matching_schema, $context ); } } if ( isset( $schema['oneOf'] ) ) { $matching_schema = rest_find_one_matching_schema( $data, $schema, '', true ); if ( ! is_wp_error( $matching_schema ) ) { if ( ! isset( $schema['type'] ) ) { $schema['type'] = $matching_schema['type']; } $data = rest_filter_response_by_context( $data, $matching_schema, $context ); } } if ( ! is_array( $data ) && ! is_object( $data ) ) { return $data; } if ( isset( $schema['type'] ) ) { $type = $schema['type']; } elseif ( isset( $schema['properties'] ) ) { $type = 'object'; // Back compat if a developer accidentally omitted the type. } else { return $data; } $is_array_type = 'array' === $type || ( is_array( $type ) && in_array( 'array', $type, true ) ); $is_object_type = 'object' === $type || ( is_array( $type ) && in_array( 'object', $type, true ) ); if ( $is_array_type && $is_object_type ) { if ( rest_is_array( $data ) ) { $is_object_type = false; } else { $is_array_type = false; } } $has_additional_properties = $is_object_type && isset( $schema['additionalProperties'] ) && is_array( $schema['additionalProperties'] ); foreach ( $data as $key => $value ) { $check = array(); if ( $is_array_type ) { $check = isset( $schema['items'] ) ? $schema['items'] : array(); } elseif ( $is_object_type ) { if ( isset( $schema['properties'][ $key ] ) ) { $check = $schema['properties'][ $key ]; } else { $pattern_property_schema = rest_find_matching_pattern_property_schema( $key, $schema ); if ( null !== $pattern_property_schema ) { $check = $pattern_property_schema; } elseif ( $has_additional_properties ) { $check = $schema['additionalProperties']; } } } if ( ! isset( $check['context'] ) ) { continue; } if ( ! in_array( $context, $check['context'], true ) ) { if ( $is_array_type ) { // All array items share schema, so there's no need to check each one. $data = array(); break; } if ( is_object( $data ) ) { unset( $data->$key ); } else { unset( $data[ $key ] ); } } elseif ( is_array( $value ) || is_object( $value ) ) { $new_value = rest_filter_response_by_context( $value, $check, $context ); if ( is_object( $data ) ) { $data->$key = $new_value; } else { $data[ $key ] = $new_value; } } } return $data; } /** * Sets the "additionalProperties" to false by default for all object definitions in the schema. * * @since 5.5.0 * @since 5.6.0 Support the "patternProperties" keyword. * * @param array $schema The schema to modify. * @return array The modified schema. */ function rest_default_additional_properties_to_false( $schema ) { $type = (array) $schema['type']; if ( in_array( 'object', $type, true ) ) { if ( isset( $schema['properties'] ) ) { foreach ( $schema['properties'] as $key => $child_schema ) { $schema['properties'][ $key ] = rest_default_additional_properties_to_false( $child_schema ); } } if ( isset( $schema['patternProperties'] ) ) { foreach ( $schema['patternProperties'] as $key => $child_schema ) { $schema['patternProperties'][ $key ] = rest_default_additional_properties_to_false( $child_schema ); } } if ( ! isset( $schema['additionalProperties'] ) ) { $schema['additionalProperties'] = false; } } if ( in_array( 'array', $type, true ) ) { if ( isset( $schema['items'] ) ) { $schema['items'] = rest_default_additional_properties_to_false( $schema['items'] ); } } return $schema; } /** * Gets the REST API route for a post. * * @since 5.5.0 * * @param int|WP_Post $post Post ID or post object. * @return string The route path with a leading slash for the given post, * or an empty string if there is not a route. */ function rest_get_route_for_post( $post ) { $post = get_post( $post ); if ( ! $post instanceof WP_Post ) { return ''; } $post_type_route = rest_get_route_for_post_type_items( $post->post_type ); if ( ! $post_type_route ) { return ''; } $route = sprintf( '%s/%d', $post_type_route, $post->ID ); /** * Filters the REST API route for a post. * * @since 5.5.0 * * @param string $route The route path. * @param WP_Post $post The post object. */ return apply_filters( 'rest_route_for_post', $route, $post ); } /** * Gets the REST API route for a post type. * * @since 5.9.0 * * @param string $post_type The name of a registered post type. * @return string The route path with a leading slash for the given post type, * or an empty string if there is not a route. */ function rest_get_route_for_post_type_items( $post_type ) { $post_type = get_post_type_object( $post_type ); if ( ! $post_type ) { return ''; } if ( ! $post_type->show_in_rest ) { return ''; } $namespace = ! empty( $post_type->rest_namespace ) ? $post_type->rest_namespace : 'wp/v2'; $rest_base = ! empty( $post_type->rest_base ) ? $post_type->rest_base : $post_type->name; $route = sprintf( '/%s/%s', $namespace, $rest_base ); /** * Filters the REST API route for a post type. * * @since 5.9.0 * * @param string $route The route path. * @param WP_Post_Type $post_type The post type object. */ return apply_filters( 'rest_route_for_post_type_items', $route, $post_type ); } /** * Gets the REST API route for a term. * * @since 5.5.0 * * @param int|WP_Term $term Term ID or term object. * @return string The route path with a leading slash for the given term, * or an empty string if there is not a route. */ function rest_get_route_for_term( $term ) { $term = get_term( $term ); if ( ! $term instanceof WP_Term ) { return ''; } $taxonomy_route = rest_get_route_for_taxonomy_items( $term->taxonomy ); if ( ! $taxonomy_route ) { return ''; } $route = sprintf( '%s/%d', $taxonomy_route, $term->term_id ); /** * Filters the REST API route for a term. * * @since 5.5.0 * * @param string $route The route path. * @param WP_Term $term The term object. */ return apply_filters( 'rest_route_for_term', $route, $term ); } /** * Gets the REST API route for a taxonomy. * * @since 5.9.0 * * @param string $taxonomy Name of taxonomy. * @return string The route path with a leading slash for the given taxonomy. */ function rest_get_route_for_taxonomy_items( $taxonomy ) { $taxonomy = get_taxonomy( $taxonomy ); if ( ! $taxonomy ) { return ''; } if ( ! $taxonomy->show_in_rest ) { return ''; } $namespace = ! empty( $taxonomy->rest_namespace ) ? $taxonomy->rest_namespace : 'wp/v2'; $rest_base = ! empty( $taxonomy->rest_base ) ? $taxonomy->rest_base : $taxonomy->name; $route = sprintf( '/%s/%s', $namespace, $rest_base ); /** * Filters the REST API route for a taxonomy. * * @since 5.9.0 * * @param string $route The route path. * @param WP_Taxonomy $taxonomy The taxonomy object. */ return apply_filters( 'rest_route_for_taxonomy_items', $route, $taxonomy ); } /** * Gets the REST route for the currently queried object. * * @since 5.5.0 * * @return string The REST route of the resource, or an empty string if no resource identified. */ function rest_get_queried_resource_route() { if ( is_singular() ) { $route = rest_get_route_for_post( get_queried_object() ); } elseif ( is_category() || is_tag() || is_tax() ) { $route = rest_get_route_for_term( get_queried_object() ); } elseif ( is_author() ) { $route = '/wp/v2/users/' . get_queried_object_id(); } else { $route = ''; } /** * Filters the REST route for the currently queried object. * * @since 5.5.0 * * @param string $link The route with a leading slash, or an empty string. */ return apply_filters( 'rest_queried_resource_route', $route ); } /** * Retrieves an array of endpoint arguments from the item schema and endpoint method. * * @since 5.6.0 * * @param array $schema The full JSON schema for the endpoint. * @param string $method Optional. HTTP method of the endpoint. The arguments for `CREATABLE` endpoints are * checked for required values and may fall-back to a given default, this is not done * on `EDITABLE` endpoints. Default WP_REST_Server::CREATABLE. * @return array The endpoint arguments. */ function rest_get_endpoint_args_for_schema( $schema, $method = WP_REST_Server::CREATABLE ) { $schema_properties = ! empty( $schema['properties'] ) ? $schema['properties'] : array(); $endpoint_args = array(); $valid_schema_properties = rest_get_allowed_schema_keywords(); $valid_schema_properties = array_diff( $valid_schema_properties, array( 'default', 'required' ) ); foreach ( $schema_properties as $field_id => $params ) { // Arguments specified as `readonly` are not allowed to be set. if ( ! empty( $params['readonly'] ) ) { continue; } $endpoint_args[ $field_id ] = array( 'validate_callback' => 'rest_validate_request_arg', 'sanitize_callback' => 'rest_sanitize_request_arg', ); if ( WP_REST_Server::CREATABLE === $method && isset( $params['default'] ) ) { $endpoint_args[ $field_id ]['default'] = $params['default']; } if ( WP_REST_Server::CREATABLE === $method && ! empty( $params['required'] ) ) { $endpoint_args[ $field_id ]['required'] = true; } foreach ( $valid_schema_properties as $schema_prop ) { if ( isset( $params[ $schema_prop ] ) ) { $endpoint_args[ $field_id ][ $schema_prop ] = $params[ $schema_prop ]; } } // Merge in any options provided by the schema property. if ( isset( $params['arg_options'] ) ) { // Only use required / default from arg_options on CREATABLE endpoints. if ( WP_REST_Server::CREATABLE !== $method ) { $params['arg_options'] = array_diff_key( $params['arg_options'], array( 'required' => '', 'default' => '', ) ); } $endpoint_args[ $field_id ] = array_merge( $endpoint_args[ $field_id ], $params['arg_options'] ); } } return $endpoint_args; } /** * Converts an error to a response object. * * This iterates over all error codes and messages to change it into a flat * array. This enables simpler client behaviour, as it is represented as a * list in JSON rather than an object/map. * * @since 5.7.0 * * @param WP_Error $error WP_Error instance. * * @return WP_REST_Response List of associative arrays with code and message keys. */ function rest_convert_error_to_response( $error ) { $status = array_reduce( $error->get_all_error_data(), static function ( $status, $error_data ) { return is_array( $error_data ) && isset( $error_data['status'] ) ? $error_data['status'] : $status; }, 500 ); $errors = array(); foreach ( (array) $error->errors as $code => $messages ) { $all_data = $error->get_all_error_data( $code ); $last_data = array_pop( $all_data ); foreach ( (array) $messages as $message ) { $formatted = array( 'code' => $code, 'message' => $message, 'data' => $last_data, ); if ( $all_data ) { $formatted['additional_data'] = $all_data; } $errors[] = $formatted; } } $data = $errors[0]; if ( count( $errors ) > 1 ) { // Remove the primary error. array_shift( $errors ); $data['additional_errors'] = $errors; } return new WP_REST_Response( $data, $status ); }