[wp-trac] [WordPress Trac] #39699: Filter to check XML-RPC data before any DB insertion

WordPress Trac noreply at wordpress.org
Tue Mar 11 18:26:08 UTC 2025


#39699: Filter to check XML-RPC data before any DB insertion
-------------------------------------------------+-------------------------
 Reporter:  enrico.sorcinelli                    |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  XML-RPC                              |     Version:  4.8
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests dev-        |     Focuses:
  feedback                                       |
-------------------------------------------------+-------------------------
Changes (by SirLouen):

 * keywords:  has-patch needs-testing has-unit-tests => has-patch has-unit-
     tests dev-feedback


Comment:

 == Test Report
 === Description
 This report validates that the indicated patch works as expected.
 Given that the patch is 8 years old, I have uploaded a new patch to
 GitHub, adding some PHPCS corrections and fixing the merging process that
 slightly failed.

 Patch tested: https://patch-diff.githubusercontent.com/raw/WordPress/wordpress-develop/pull/8494.diff

 === Environment
 - WordPress: 6.8-beta2-59971-src
 - PHP: 8.2.27
 - Server: nginx/1.27.4
 - Database: mysqli (Server: 8.4.4 / Client: mysqlnd 8.2.27)
 - Browser: Firefox 136.0
 - OS: Windows 10/11
 - Theme: Twenty Twenty-Five 1.1
 - MU Plugins: None activated
 - Plugins:
   * Test Reports 1.2.0

 === Testing Instructions
 1. Run the code below, after first adding the proposed filter hook (also
 shown below) to `functions.php` or a custom plugin
 2. The post should be published without issues
 3. Apply the patch
 4. Run the code again
 5. It throws an error like: `Error: 500 - Post title too short.`

 === Actual Results
 1. ✅ Issue resolved with patch.
 2. ✅ Both tests pass with the two asserts each correctly

 === Additional Notes
 I doubt that anyone in the world is still using RPC, but I have to admit
 that this adds a fun filter for those who need some extra limitations when
 publishing content.

 === Supplemental Artifacts

 I'm using this script to test it manually with an external PHP library. It
 basically replicates a similar example to the one exposed in the tests:

 {{{#!php
 <?php
 // First Run: composer require phpxmlrpc/phpxmlrpc
 require_once 'vendor/autoload.php';

 use PhpXmlRpc\Client;
 use PhpXmlRpc\Value;
 use PhpXmlRpc\Request;

 // Create a new XML-RPC client
 $client = new Client('http://localhost:8889/xmlrpc.php');

 // Create custom fields array
 $customFields = new Value(
     array(
         new Value(
             array(
                  'key' => new Value('custom_field_to_create', 'string'),
                  'value' => new Value('123456789', 'string')
             ),
             'struct'
         )
     ),
     'array'
 );

 // Create post data
 $postData = new Value(
     array(
         'post_title' => new Value('This title is too long', 'string'),
         'custom_fields' => $customFields
      ),
     'struct'
 );

 // Create parameters for the request
 $params = array(
     new Value(1, 'int'),            // Blog ID
     new Value('testuser', 'string'), // Username
     new Value('password', 'string'), // Password
     $postData
 );

 // Create and send the request
 $request = new Request('wp.newPost', $params);
 $response = $client->send($request);

 // Check for errors and display result
 if ($response->faultCode()) {
     echo "Error: " . $response->faultCode() . " - " . $response->faultString();
 } else {
     echo "Post created with ID: " . $response->value()->scalarval();
 }
 }}}

 Plus we can use this code in a plugin or in the functions.php:

 {{{#!php
 <?php
 function filter_xmlrpc_before_insert_post( $post_data, $content_struct, $user ) {
         if ( strlen( $post_data['post_title'] ) > 10 ) {
                 return new \IXR_Error( 500, 'Post title too long.' );
         }
         return $post_data;
 }

 add_filter( 'xmlrpc_before_insert_post', 'filter_xmlrpc_before_insert_post', 10, 3 );
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39699#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
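
A stricter policy built on the hook proposed in this ticket, as an added example that is not part of the original message or the patch: it allowlists custom field keys and caps title and value sizes before anything reaches the database. The allowlist, the limits and the function name `xmlrpc_policy_violation` are hypothetical, and the callback signature is assumed to match the one used in the report.

```php
<?php
// Added example, not part of the ticket or the patch. Assumes the proposed
// hook passes ( $post_data, $content_struct, $user ) as used in the report.

// Hypothetical policy values chosen for illustration.
const XMLRPC_ALLOWED_META_KEYS = array( 'subtitle', 'source_url' );
const XMLRPC_MAX_TITLE_BYTES   = 200;
const XMLRPC_MAX_META_BYTES    = 1024;

/**
 * Pure validation step: returns an error message, or null when the data passes.
 */
function xmlrpc_policy_violation( array $post_data, array $content_struct ) {
	$title = isset( $post_data['post_title'] ) ? $post_data['post_title'] : '';
	if ( ! is_string( $title ) || strlen( $title ) > XMLRPC_MAX_TITLE_BYTES ) {
		return 'Post title rejected by policy.';
	}
	$fields = isset( $content_struct['custom_fields'] ) ? $content_struct['custom_fields'] : array();
	if ( ! is_array( $fields ) ) {
		return 'custom_fields must be an array.';
	}
	foreach ( $fields as $field ) {
		$key   = is_array( $field ) && isset( $field['key'] ) ? $field['key'] : null;
		$value = is_array( $field ) && isset( $field['value'] ) ? $field['value'] : '';
		if ( ! is_string( $key ) || ! in_array( $key, XMLRPC_ALLOWED_META_KEYS, true ) ) {
			return 'Custom field key not allowed.';
		}
		if ( ! is_scalar( $value ) || strlen( (string) $value ) > XMLRPC_MAX_META_BYTES ) {
			return 'Custom field value rejected by policy.';
		}
	}
	return null;
}

// Inside WordPress: wire the check into the proposed filter.
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'xmlrpc_before_insert_post', function ( $post_data, $content_struct, $user ) {
		if ( ! is_array( $post_data ) ) {
			return $post_data; // An earlier callback already returned an error.
		}
		$error = xmlrpc_policy_violation( $post_data, (array) $content_struct );
		return null === $error ? $post_data : new IXR_Error( 500, $error );
	}, 10, 3 );
} else {
	// Outside WordPress (php CLI): constructed input mirroring the report's request.
	$struct = array( 'custom_fields' => array( array( 'key' => 'custom_field_to_create', 'value' => '123456789' ) ) );
	var_dump( xmlrpc_policy_violation( array( 'post_title' => 'Hello' ), $struct ) );
}
```

Entries in `custom_fields` that carry no allowlisted `key` are rejected outright, which is stricter than the title check shown in the report.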

