[wp-trac] [WordPress Trac] #64926: REST API: GET requests fail object/array schema validation when params are JSON-serialized strings
WordPress Trac
noreply at wordpress.org
Mon Mar 23 13:12:59 UTC 2026
#64926: REST API: GET requests fail object/array schema validation when params are
JSON-serialized strings
-------------------------+-------------------------------------------------
 Reporter:  dsmy         |       Owner:  (none)
     Type:  defect (bug) |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  REST API     |     Version:  trunk
 Severity:  normal       |  Resolution:
 Keywords:  needs-patch  |     Focuses:  javascript, rest-api, php-compatibility
-------------------------+-------------------------------------------------
Comment (by abcd95):
I think the issue is likely in `rest_validate_value_from_schema()` in
rest-api.php.

When a GET request passes an object or array param as a JSON string (e.g.
?filter={"post_id":123}), PHP populates $_GET with a raw string. The
validator calls rest_is_object() / rest_is_array() on that string,
recognises it as neither, and rejects the request with a 400 before
sanitisation can run.

For POST requests with Content-Type: application/json this never occurs
because WP_REST_Request::parse_json_params() calls json_decode() on the
body before validation. No equivalent step exists for query-string params.

The most sensible fix that I can think of is in
rest_validate_value_from_schema(): when the type is object or array and
the incoming $value is a string, we can try to json_decode() it there.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64926#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
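
One way to write the decode step proposed in the comment above, as an added example that is not WordPress core code or the commenter's patch; the helper name `example_maybe_decode_json_param` and the depth limit of 16 are assumptions. It decodes only when the schema asks for a container type and the string looks like one, and on any failure returns the raw string so the existing validator still rejects it.

```php
<?php
// Added illustration; not WordPress core code. The function name and the
// nesting-depth limit are assumptions made for this example.

/**
 * Decode a query-string value only when the schema expects object/array.
 *
 * @param mixed        $value Raw parameter value, e.g. taken from $_GET.
 * @param string|array $type  Schema "type" keyword for the parameter.
 * @return mixed Decoded array on success, otherwise $value unchanged.
 */
function example_maybe_decode_json_param( $value, $type ) {
	$types        = (array) $type;
	$wants_object = in_array( 'object', $types, true );
	$wants_array  = in_array( 'array', $types, true );

	if ( ! is_string( $value ) || ( ! $wants_object && ! $wants_array ) ) {
		return $value;
	}

	// Decode only strings shaped like the expected container, so values
	// such as "123" or "true" are never silently turned into scalars.
	$trimmed = trim( $value );
	$first   = '' === $trimmed ? '' : $trimmed[0];
	if ( ! ( ( $wants_object && '{' === $first ) || ( $wants_array && '[' === $first ) ) ) {
		return $value;
	}

	// Associative arrays, with bounded nesting (assumed limit of 16).
	$decoded = json_decode( $trimmed, true, 16 );
	if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $decoded ) ) {
		return $value; // Malformed or too deep: left for the validator to reject.
	}
	return $decoded;
}

// Constructed sample inputs: value, then the schema type it is checked against.
$samples = array(
	array( '{"post_id":123}', 'object' ),
	array( '[1,2,3]', 'array' ),
	array( '{"post_id":', 'object' ),     // malformed JSON, stays a string
	array( '{"post_id":123}', 'string' ), // schema wants a string, stays a string
);
foreach ( $samples as list( $raw, $type ) ) {
	var_dump( example_maybe_decode_json_param( $raw, $type ) );
}
```

The decoded value is untrusted input like any other and still has to go through the schema's property validation and sanitisation before use.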