[wp-trac] [WordPress Trac] #64926: REST API: GET requests fail object/array schema validation when params are JSON-serialized strings
WordPress Trac
noreply at wordpress.org
Fri Mar 27 05:34:29 UTC 2026
#64926: REST API: GET requests fail object/array schema validation when params are
JSON-serialized strings
-------------------------+-------------------------------------------------
 Reporter:  dsmy         |       Owner:  (none)
     Type:  defect (bug) |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  REST API     |     Version:
 Severity:  normal       |  Resolution:
 Keywords:  has-patch    |     Focuses:  javascript, rest-api, php-compatibility
-------------------------+-------------------------------------------------
Comment (by liaison):
Subject: Update on #64926 - GitHub PR submitted
Hi @westonruter @zieladam,

I’ve submitted a PR to address the validation/sanitization gap for
structured data in GET requests. Based on our earlier discussion, here is
the rationale behind the implementation:

1. Rationale & Consensus

While PHP's bracket notation (?user[name]=Bob) exists, it's not the ideal
tool for modern decoupled clients or AI-agent integrations (like MCP) for
several reasons:

  Lossy Encoding: As noted by @zieladam, bracket notation collapses types
  (e.g., boolean false becomes string "false", null becomes empty string),
  which breaks logic for strict schemas like block attributes.

  DX & Consistency: JSON.stringify() is the standard lossless path for
  structured data in JS. Since REST API already supports this via
  parse_json_params() for POST bodies, GET requests should ideally mirror
  this behavior to provide a consistent developer experience.

2. PR Philosophy

The PR introduces JSON Coercion at the entry point of both
rest_validate_value_from_schema() and rest_sanitize_value_from_schema():

  Validation: We decode the string early so it can pass the is_object or
  is_array checks. This prevents the rest_invalid_type (400) error that
  currently blocks these requests.

  Sanitization: We perform the same decoding to ensure the data is returned
  as a proper PHP structured type to the controller callback.

  Safety: It uses json_last_error() to ensure we only touch valid JSON
  strings, leaving regular strings or malformed data to be handled by
  existing strict validation.

GitHub PR:
https://github.com/WordPress/wordpress-develop/pull/11371
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64926#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
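
A sketch of the schema-gated coercion the comment above describes, as an added example that is not code from the PR or from WordPress core. The helper name example_coerce_json_param(), the depth cap of 32 and the sample schemas and inputs are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress core or PR code. example_coerce_json_param()
// is a hypothetical helper; the schemas and inputs below are constructed.

/**
 * Decode a query-string value only when the schema asks for a structured type
 * and the string decodes to that kind of value. Anything else is returned
 * unchanged so the existing strict validation still rejects it.
 */
function example_coerce_json_param( $value, array $schema ) {
	$types = (array) ( $schema['type'] ?? array() );
	if ( ! is_string( $value ) || ! array_intersect( array( 'object', 'array' ), $types ) ) {
		return $value; // string, integer and boolean params are never decoded
	}

	$decoded = json_decode( $value, true, 32 ); // depth cap of 32 is an assumption
	if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $decoded ) ) {
		return $value; // malformed JSON, or a JSON scalar such as 123 or true
	}

	// With assoc decoding, [] and {} both become array(), so an empty value is
	// accepted for either structured type.
	$is_list = ( array_values( $decoded ) === $decoded );
	$wanted  = $is_list ? 'array' : 'object';
	if ( array() !== $decoded && ! in_array( $wanted, $types, true ) ) {
		return $value; // e.g. a JSON list sent to an object-typed param
	}

	return $decoded;
}

$object_schema = array( 'type' => 'object' );
$string_schema = array( 'type' => 'string' );

// Constructed inputs, as they would arrive in $_GET after URL decoding.
$cases = array(
	array( '{"enabled":false,"parent":null}', $object_schema ), // decoded, false and null keep their types
	array( '{"enabled":false', $object_schema ),                // malformed JSON stays a string
	array( '123', $object_schema ),                             // JSON scalar stays a string
	array( '[1,2]', $object_schema ),                           // list for an object param stays a string
	array( '{"a":1}', $string_schema ),                         // string-typed param is left untouched
);

foreach ( $cases as list( $raw, $schema ) ) {
	var_dump( example_coerce_json_param( $raw, $schema ) );
}
```

Gating on the declared schema type keeps a string-typed parameter that happens to contain JSON from being turned into an array before it reaches a controller callback.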