[wp-trac] [WordPress Trac] #62163: WP_REST_Request::get_params() includes unregistered args including rest_route when not using pretty permalinks
WordPress Trac
noreply at wordpress.org
Thu Oct 3 16:19:54 UTC 2024
#62163: WP_REST_Request::get_params() includes unregistered args including
rest_route when not using pretty permalinks
--------------------------+-----------------------------
 Reporter:  westonruter   |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  low           |   Milestone:  Awaiting Review
Component:  REST API      |     Version:  4.4
 Severity:  normal        |    Keywords:
  Focuses:                |
--------------------------+-----------------------------
I discovered that calling `WP_REST_Request::get_params()` includes all of
the GET, POST, URL, etc. parameters even when they have not been registered
as args via `register_rest_route()`. Perhaps this is intentional. But what
certainly isn't intentional is that when pretty permalinks aren't enabled
(i.e. when plain permalinks are enabled), REST API calls are made using a
URL like:
{{{
/index.php?rest_route=/wp/v2/posts
}}}
And the presence of the `rest_route` query parameter in the URL is
resulting in a `rest_route` key being returned by
`WP_REST_Request::get_params()`.

My expectation was that `WP_REST_Request::get_params()` would only return
validated and sanitized parameters which I had registered when creating
the endpoint. Perhaps this would be too restrictive and would be too much
of a backwards-compatibility break as some plugin code may be taking
advantage of accessing parameters that aren't explicitly registered.

In any case, when pretty permalinks aren't enabled, the `rest_route` query
parameter should probably be omitted from the collected params, and/or
when registering an arg there should be a warning if someone attempts to
use the "rest_route" name.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62163>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
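
The behaviour reported above, as an added example that is not part of the original ticket or of WordPress core: a callback can intersect the collected params with the args it registered, and a registration-time check can flag the `rest_route` name. The route path, the arg names and the `example_*` functions are hypothetical, and the sample arrays are constructed.

```php
<?php
// Added example, not WordPress core code. All example_* names are hypothetical.

// Keep only params whose keys were registered as args; list the rest.
// In a REST callback the inputs would be $request->get_params() and
// ( $request->get_attributes()['args'] ?? array() ).
function example_split_params( array $params, array $registered_args ): array {
	$unknown = array_keys( array_diff_key( $params, $registered_args ) );
	sort( $unknown );
	return array(
		'known'   => array_intersect_key( $params, $registered_args ),
		'unknown' => $unknown,
	);
}

// The ticket's second suggestion: warn when an arg is registered under the
// name that plain permalinks already use for routing.
function example_reserved_arg_names( array $registered_args ): array {
	return array_values(
		array_intersect( array_keys( $registered_args ), array( 'rest_route' ) )
	);
}

// Constructed sample standing in for get_params() on a plain-permalink request:
// /index.php?rest_route=/example/v1/items&per_page=5&debug=1
$params = array(
	'rest_route' => '/example/v1/items',
	'per_page'   => '5',
	'debug'      => '1',
);

// Constructed sample of the 'args' array given to register_rest_route().
$registered_args = array(
	'per_page' => array( 'type' => 'integer', 'default' => 10 ),
	'search'   => array( 'type' => 'string' ),
);

$split = example_split_params( $params, $registered_args );
print_r( $split['known'] );   // params that match a registered arg
print_r( $split['unknown'] ); // params the route never declared

// Check a registration that (mis)uses the routing parameter's name.
print_r( example_reserved_arg_names( $registered_args + array( 'rest_route' => array() ) ) );
```

Passing only the `known` array on to later code keeps undeclared request keys, which never went through the route's `validate_callback` or `sanitize_callback`, out of anything that consumes the params wholesale.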