[wp-trac] [WordPress Trac] #64149: Media / Attachments REST API endpoint: cast args to array before sending to wp_slash > wp_insert_attachment

WordPress Trac noreply at wordpress.org
Sat Oct 25 01:46:58 UTC 2025 

#64149: Media / Attachments REST API endpoint: cast args to array before sending to
wp_slash > wp_insert_attachment
--------------------------+--------------------------------------
 Reporter:  ramonopoly    |      Owner:  (none)
     Type:  defect (bug)  |     Status:  assigned
 Priority:  high          |  Milestone:  6.9
Component:  REST API      |    Version:
 Severity:  normal        |   Keywords:  has-patch has-unit-tests
  Focuses:  rest-api      |
--------------------------+--------------------------------------
 Follow up to: https://core.trac.wordpress.org/ticket/64035

 In the REST API Attachments controller, the result of
 `WP_REST_Attachments_Controller::prepare_item_for_database` in
 `WP_REST_Attachments_Controller::edit_media_item` returns an `stdClass`
 object.

 Before creating the new attachment using `wp_insert_attachment` the values
 are run through
 [https://developer.wordpress.org/reference/functions/wp_slash/ wp_slash].

 `wp_slash` does not process objects, only strings or arrays of strings.

 Therefore, the values are not being formatted by `wp_slash` at all.

 Furthermore
 [https://developer.wordpress.org/reference/functions/wp_insert_attachment/
 wp_insert_attachment] expects `string|array` as the first argument
 (`$args`).

 It's only by happy circumstance that `$args` is run through
 [https://developer.wordpress.org/reference/functions/wp_parse_args/
 wp_parse_args], which processes objects.

 In short, the result of
 `WP_REST_Attachments_Controller::prepare_item_for_database` needs be cast
 to an array before being sent to `wp_slash`.

 E.g., [https://github.com/ramonjd/wordpress-develop/blob/trunk/src/wp-
 includes/rest-api/endpoints/class-wp-rest-attachments-controller.php#L373
 at line 373]


 {{{#!php
 <?php
 $id = wp_insert_attachment( wp_slash( (array) $attachment ), $file, 0,
 true, false );
 }}}








 Props to @justlevine for calling it out!

 https://github.com/WordPress/wordpress-
 develop/commit/117f23f251f9902ccac4477957402cc8dac6f885#r168784907

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/64149>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list