Skip to content

REST API: Implement strict validation for the settings controller. Fi… #10662

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dev-alamin wants to merge 1 commit into
base: trunk
Choose a base branch
from
Open

REST API: Implement strict validation for the settings controller. Fi… #10662

dev-alamin wants to merge 1 commit into from
+96 −3

Conversation

@dev-alamin
Copy link

@dev-alamin dev-alamin commented Dec 24, 2025

Description

This PR addresses the issue where the /wp/v2/settings endpoint returns a 200 OK even when sent unknown properties or an empty request body.

Changes:

Updated WP_REST_Settings_Controller::update_item to validate request parameters against registered settings.

Introduced a whitelist for "Infrastructure/Global" parameters (e.g., _locale, _wpnonce, _fields, _embed) to ensure backward compatibility and prevent breaking internal WordPress tools.

Returns a rest_invalid_param (400) if unknown parameters are passed in the JSON body or URL query string.

Returns a rest_empty_request (400) if the request does not contain any valid settings to update.

Why this approach works: Previous attempts were reverted because they broke requests using query parameters or global flags. By using an array_diff against a whitelist of registered options AND internal parameters, this patch provides strict validation without breaking existing ecosystem tools like Gutenberg or third-party clients.

Testing performed:

Added unit tests for empty bodies.
Added unit tests for unknown properties in JSON bodies and URL query strings.
Verified that global parameters (like _locale) still allow the request to succeed.

Trac ticket: https://core.trac.wordpress.org/ticket/41604

@github-actions
Copy link

github-actions bot commented Dec 24, 2025

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props coderalamin.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions
Copy link

github-actions bot commented Dec 24, 2025

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dev-alamin