[wp-trac] [WordPress Trac] #64926: REST API: GET requests fail object/array schema validation when params are JSON-serialized strings
WordPress Trac
noreply at wordpress.org
Wed Mar 25 01:28:02 UTC 2026
#64926: REST API: GET requests fail object/array schema validation when params are
JSON-serialized strings
-------------------------------------+-------------------------------------
Reporter: dsmy | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: trunk
Severity: normal | Resolution:
Keywords: needs-patch reporter-feedback | Focuses: javascript, rest-api, php-compatibility
-------------------------------------+-------------------------------------
Comment (by dsmy):
Indeed, weird things happening between GET and POST handling.
The fix in rest_validate_value_from_schema() closes that gap — when the
schema expects object or array and the incoming value is a string, attempt
json_decode() before rejecting. This logic already exists in
rest_sanitize_value_from_schema(); the validation step just doesn't mirror
it.
Replying to [comment:1 abcd95]:
> I think the issue is likely in `rest_validate_value_from_schema()` in
> rest-api.php.
>
> When a GET request passes an object or array param as a JSON string
> (e.g. ?filter={"post_id":123}), PHP populates $_GET with a raw string. The
> validator calls rest_is_object() / rest_is_array() on that string, neither
> recognises it, and it rejects the request with a 400 before
> sanitisation can run.
>
> For POST requests with Content-Type: application/json this never occurs
> because WP_REST_Request::parse_json_params() calls json_decode() on the
> body before validation. No equivalent step exists for query-string params.
>
> The most sensible fix that I can think of is in
> rest_validate_value_from_schema(): when the type is object or array and
> the incoming $value is a string, we can try json_decode() there.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64926#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
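
The decode-before-reject step discussed in this thread, as an added standalone PHP example that is not part of the ticket or of WordPress core. The function name `example_maybe_decode_json_param`, the depth limit of 16 and the shape checks are assumptions made for illustration; a decoded value would still have to pass the rest of schema validation.

```php
<?php
// Added illustration: standalone PHP, no WordPress needed. The example_* name,
// the depth limit and the shape checks are assumptions, not core code.

/**
 * For schema type 'object' or 'array', try to JSON-decode a string value.
 * Returns the decoded array only when its shape matches the expected type;
 * otherwise returns the input unchanged so the usual type check rejects it.
 */
function example_maybe_decode_json_param( $value, $type, $max_depth = 16 ) {
    if ( ! is_string( $value ) || ! in_array( $type, array( 'object', 'array' ), true ) ) {
        return $value;
    }
    $decoded = json_decode( $value, true, $max_depth );
    if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $decoded ) ) {
        return $value; // Invalid JSON, nesting too deep, or a scalar such as "123".
    }
    // With $assoc = true, "{}" and "[]" both decode to array(); accept either.
    if ( array() === $decoded ) {
        return $decoded;
    }
    $is_list = array_keys( $decoded ) === range( 0, count( $decoded ) - 1 );
    if ( ( 'array' === $type ) !== $is_list ) {
        return $value; // JSON list where an object is expected, or vice versa.
    }
    return $decoded;
}

// Constructed query strings, parsed the way PHP fills $_GET.
$samples = array(
    'filter=' . rawurlencode( '{"post_id":123}' ) => 'object', // JSON object
    'filter=' . rawurlencode( '[1,2,3]' )         => 'object', // JSON list for an object param
    'filter=123'                                  => 'object', // bare scalar
    'filter=' . rawurlencode( '{"post_id":' )     => 'object', // truncated JSON
    'ids=' . rawurlencode( '[1,2,3]' )            => 'array',  // JSON list
);
foreach ( $samples as $query => $type ) {
    parse_str( $query, $params );
    $raw     = reset( $params );
    $result  = example_maybe_decode_json_param( $raw, $type );
    $outcome = is_array( $result ) ? 'decoded, goes on to schema validation' : 'left as string, type check rejects';
    printf( "%-40s %-7s %s\n", $query, $type, $outcome );
}
```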