Wordpress 4.6
[autoinstalls/wordpress.git] / wp-includes / rest-api / class-wp-rest-server.php
index ebf58de2bbae7791f739d83ac5719fcba8993d0e..7a459066905dc271fd59c4850b7e6c43adc946ee 100644 (file)
@@ -226,11 +226,17 @@ class WP_REST_Server {
        public function serve_request( $path = null ) {
                $content_type = isset( $_GET['_jsonp'] ) ? 'application/javascript' : 'application/json';
                $this->send_header( 'Content-Type', $content_type . '; charset=' . get_option( 'blog_charset' ) );
+               $this->send_header( 'X-Robots-Tag', 'noindex' );
+
+               $api_root = get_rest_url();
+               if ( ! empty( $api_root ) ) {
+                       $this->send_header( 'Link', '<' . esc_url_raw( $api_root ) . '>; rel="https://api.w.org/"' );
+               }
 
                /*
                 * Mitigate possible JSONP Flash attacks.
                 *
-                * http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
+                * https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
                 */
                $this->send_header( 'X-Content-Type-Options', 'nosniff' );
                $this->send_header( 'Access-Control-Expose-Headers', 'X-WP-Total, X-WP-TotalPages' );
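Review bot: The added Link header is sent before the `rest_enabled` filter is consulted later in serve_request(), so a site that disables the API through that filter still advertises the API root on every response; if that is not intended, the `get_rest_url()` block should move below the `rest_enabled` check or be gated on the same value. The `! empty( $api_root )` guard plus `esc_url_raw()` is appropriate here because the value comes from site configuration, not from the request. The new lines also lack the kind of explanatory comment the neighbouring JSONP block has; a one-liner such as `// Advertise the API root for client discovery (rel="https://api.w.org/").` would help. serve_request() continues past this hunk.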
@@ -251,7 +257,7 @@ class WP_REST_Server {
                }
 
                /**
-                * Filter whether the REST API is enabled.
+                * Filters whether the REST API is enabled.
                 *
                 * @since 4.4.0
                 *
@@ -260,7 +266,7 @@ class WP_REST_Server {
                $enabled = apply_filters( 'rest_enabled', true );
 
                /**
-                * Filter whether jsonp is enabled.
+                * Filters whether jsonp is enabled.
                 *
                 * @since 4.4.0
                 *
@@ -280,14 +286,8 @@ class WP_REST_Server {
                                return false;
                        }
 
-                       // Check for invalid characters (only alphanumeric allowed).
-                       if ( is_string( $_GET['_jsonp'] ) ) {
-                               $jsonp_callback = preg_replace( '/[^\w\.]/', '', wp_unslash( $_GET['_jsonp'] ), -1, $illegal_char_count );
-                               if ( 0 !== $illegal_char_count ) {
-                                       $jsonp_callback = null;
-                               }
-                       }
-                       if ( null === $jsonp_callback ) {
+                       $jsonp_callback = $_GET['_jsonp'];
+                       if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
                                echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 );
                                return false;
                        }
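Review bot: `$jsonp_callback = $_GET['_jsonp'];` now passes the raw query value to wp_check_jsonp_callback() without the `is_string()` guard and the `wp_unslash()` call the removed lines had, so a request like `?_jsonp[]=x` reaches the check as an array. Unless wp_check_jsonp_callback() itself rejects non-strings (it is not part of this diff), keep the guard local: `if ( ! is_string( $jsonp_callback ) || ! wp_check_jsonp_callback( $jsonp_callback ) ) {`. Dropping wp_unslash() also means a slashed value is validated and later echoed in its slashed form; that presumably fails closed because a backslash is not an allowed callback character, but it is worth confirming against the helper. The enclosing serve_request() starts and ends outside this hunk.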
@@ -335,7 +335,7 @@ class WP_REST_Server {
                }
 
                /**
-                * Filter the API response.
+                * Filters the API response.
                 *
                 * Allows modification of the response before returning.
                 *
@@ -361,7 +361,7 @@ class WP_REST_Server {
                $this->set_status( $code );
 
                /**
-                * Filter whether the request has already been served.
+                * Filters whether the request has already been served.
                 *
                 * Allow sending the request manually - by returning true, the API result
                 * will not be sent to the client.
@@ -395,7 +395,7 @@ class WP_REST_Server {
 
                        if ( $jsonp_callback ) {
                                // Prepend '/**/' to mitigate possible JSONP Flash attacks
-                               // http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
+                               // https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
                                echo '/**/' . $jsonp_callback . '(' . $result . ')';
                        } else {
                                echo $result;
@@ -619,7 +619,7 @@ class WP_REST_Server {
                );
 
                /**
-                * Filter the enveloped form of a response.
+                * Filters the enveloped form of a response.
                 *
                 * @since 4.4.0
                 *
@@ -699,7 +699,7 @@ class WP_REST_Server {
        public function get_routes() {
 
                /**
-                * Filter the array of available endpoints.
+                * Filters the array of available endpoints.
                 *
                 * @since 4.4.0
                 *
@@ -801,7 +801,7 @@ class WP_REST_Server {
         */
        public function dispatch( $request ) {
                /**
-                * Filter the pre-calculated result of a REST dispatch request.
+                * Filters the pre-calculated result of a REST dispatch request.
                 *
                 * Allow hijacking the request before dispatching by returning a non-empty. The returned value
                 * will be used to serve the request instead.
@@ -853,8 +853,6 @@ class WP_REST_Server {
                                        $request->set_url_params( $args );
                                        $request->set_attributes( $handler );
 
-                                       $request->sanitize_params();
-
                                        $defaults = array();
 
                                        foreach ( $handler['args'] as $arg => $options ) {
@@ -869,6 +867,8 @@ class WP_REST_Server {
                                        if ( is_wp_error( $check_required ) ) {
                                                $response = $check_required;
                                        }
+
+                                       $request->sanitize_params();
                                }
 
                                if ( ! is_wp_error( $response ) ) {
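Review bot: The relocated `$request->sanitize_params();` now runs unconditionally after the required-parameter check, so it still executes when `$check_required` has already placed a WP_Error in `$response`, and whatever it returns is discarded (the matching removal is in the hunk at `@@ -853,8 +853,6 @@`). If sanitize_params() can report a failure, fold it in the same way as check_required: `$sanitized = $request->sanitize_params(); if ( is_wp_error( $sanitized ) ) { $response = $sanitized; }`; otherwise at least guard it with `if ( ! is_wp_error( $response ) )` so a rejected request is not sanitized for nothing. A short comment explaining why sanitizing now happens after defaults and the required check would help the next reader. dispatch() starts in an earlier hunk and ends outside this one.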
@@ -879,14 +879,14 @@ class WP_REST_Server {
                                                if ( is_wp_error( $permission ) ) {
                                                        $response = $permission;
                                                } else if ( false === $permission || null === $permission ) {
-                                                       $response = new WP_Error( 'rest_forbidden', __( "You don't have permission to do this." ), array( 'status' => 403 ) );
+                                                       $response = new WP_Error( 'rest_forbidden', __( 'Sorry, you are not allowed to do that.' ), array( 'status' => 403 ) );
                                                }
                                        }
                                }
 
                                if ( ! is_wp_error( $response ) ) {
                                        /**
-                                        * Filter the REST dispatch request result.
+                                        * Filters the REST dispatch request result.
                                         *
                                         * Allow plugins to override dispatching the request.
                                         *
@@ -982,7 +982,7 @@ class WP_REST_Server {
                $response->add_link( 'help', 'http://v2.wp-api.org/' );
 
                /**
-                * Filter the API root index data.
+                * Filters the API root index data.
                 *
                 * This contains the data describing the API. This includes information
                 * about supported authentication schemes, supported namespaces, routes
@@ -1025,7 +1025,7 @@ class WP_REST_Server {
                $response->add_link( 'up', rest_url( '/' ) );
 
                /**
-                * Filter the namespace index data.
+                * Filters the namespace index data.
                 *
                 * This typically is just the route data for the namespace, but you can
                 * add any data you'd like here.
@@ -1059,7 +1059,7 @@ class WP_REST_Server {
                        }
 
                        /**
-                        * Filter the REST endpoint data.
+                        * Filters the REST endpoint data.
                         *
                         * @since 4.4.0
                         *
@@ -1069,7 +1069,7 @@ class WP_REST_Server {
                }
 
                /**
-                * Filter the publicly-visible data for routes.
+                * Filters the publicly-visible data for routes.
                 *
                 * This data is exposed on indexes and can be used by clients or
                 * developers to investigate the site and find out how to use it. It