public function serve_request( $path = null ) {
$content_type = isset( $_GET['_jsonp'] ) ? 'application/javascript' : 'application/json';
$this->send_header( 'Content-Type', $content_type . '; charset=' . get_option( 'blog_charset' ) );
+ $this->send_header( 'X-Robots-Tag', 'noindex' );
+
+ $api_root = get_rest_url();
+ if ( ! empty( $api_root ) ) {
+ $this->send_header( 'Link', '<' . esc_url_raw( $api_root ) . '>; rel="https://api.w.org/"' );
+ }
/*
* Mitigate possible JSONP Flash attacks.
*
- * http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
+ * https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
*/
$this->send_header( 'X-Content-Type-Options', 'nosniff' );
$this->send_header( 'Access-Control-Expose-Headers', 'X-WP-Total, X-WP-TotalPages' );
}
/**
- * Filter whether the REST API is enabled.
+ * Filters whether the REST API is enabled.
*
* @since 4.4.0
*
$enabled = apply_filters( 'rest_enabled', true );
/**
- * Filter whether jsonp is enabled.
+ * Filters whether jsonp is enabled.
*
* @since 4.4.0
*
return false;
}
- // Check for invalid characters (only alphanumeric allowed).
- if ( is_string( $_GET['_jsonp'] ) ) {
- $jsonp_callback = preg_replace( '/[^\w\.]/', '', wp_unslash( $_GET['_jsonp'] ), -1, $illegal_char_count );
- if ( 0 !== $illegal_char_count ) {
- $jsonp_callback = null;
- }
- }
- if ( null === $jsonp_callback ) {
+ $jsonp_callback = $_GET['_jsonp'];
+ if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 );
return false;
}
}
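Review bot: The `is_string` guard that the removed lines applied to `$_GET['_jsonp']` no longer exists in this method; the new code assigns the raw query value and relies entirely on `wp_check_jsonp_callback`, whose body is not in this diff. If that helper does not itself reject non-string input (a query parameter can arrive as an array), the value would still reach the `echo '/**/' . $jsonp_callback . '('` later in the method, so either confirm the helper's type check or keep a local guard: `if ( ! is_string( $jsonp_callback ) || ! wp_check_jsonp_callback( $jsonp_callback ) ) {`. The removed code also ran `wp_unslash` before checking; since the allowed character class has no backslash, a slashed value is now rejected instead of unslashed, which is a behaviour change worth a one-line comment such as `// Raw value is checked as-is; slashed callbacks are rejected rather than unslashed.` serve_request() continues beyond this hunk.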
/**
- * Filter the API response.
+ * Filters the API response.
*
* Allows modification of the response before returning.
*
$this->set_status( $code );
/**
- * Filter whether the request has already been served.
+ * Filters whether the request has already been served.
*
* Allow sending the request manually - by returning true, the API result
* will not be sent to the client.
if ( $jsonp_callback ) {
// Prepend '/**/' to mitigate possible JSONP Flash attacks
- // http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
+ // https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
echo '/**/' . $jsonp_callback . '(' . $result . ')';
} else {
echo $result;
);
/**
- * Filter the enveloped form of a response.
+ * Filters the enveloped form of a response.
*
* @since 4.4.0
*
public function get_routes() {
/**
- * Filter the array of available endpoints.
+ * Filters the array of available endpoints.
*
* @since 4.4.0
*
*/
public function dispatch( $request ) {
/**
- * Filter the pre-calculated result of a REST dispatch request.
+ * Filters the pre-calculated result of a REST dispatch request.
*
* Allow hijacking the request before dispatching by returning a non-empty. The returned value
* will be used to serve the request instead.
$request->set_url_params( $args );
$request->set_attributes( $handler );
- $request->sanitize_params();
-
$defaults = array();
foreach ( $handler['args'] as $arg => $options ) {
if ( is_wp_error( $check_required ) ) {
$response = $check_required;
}
+
+ $request->sanitize_params();
}
if ( ! is_wp_error( $response ) ) {
if ( is_wp_error( $permission ) ) {
$response = $permission;
} else if ( false === $permission || null === $permission ) {
- $response = new WP_Error( 'rest_forbidden', __( "You don't have permission to do this." ), array( 'status' => 403 ) );
+ $response = new WP_Error( 'rest_forbidden', __( 'Sorry, you are not allowed to do that.' ), array( 'status' => 403 ) );
}
}
}
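Review bot: At its new position `$request->sanitize_params()` runs unconditionally after the required-params check, including when `$check_required` is a WP_Error and `$response` has already been set to it, so sanitize callbacks execute on a request that has already been rejected. Placing the call in an `else` branch of that `if` limits sanitization to requests that passed validation: `} else {` / `$request->sanitize_params();` / `}`. The return value of `sanitize_params()` is also discarded; if it can report a failure, that result should feed `$response` the same way `$check_required` does, though its contract is not visible here. dispatch() starts before and ends after this hunk, and `$check_required` is assigned outside it.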
if ( ! is_wp_error( $response ) ) {
/**
- * Filter the REST dispatch request result.
+ * Filters the REST dispatch request result.
*
* Allow plugins to override dispatching the request.
*
$response->add_link( 'help', 'http://v2.wp-api.org/' );
/**
- * Filter the API root index data.
+ * Filters the API root index data.
*
* This contains the data describing the API. This includes information
* about supported authentication schemes, supported namespaces, routes
$response->add_link( 'up', rest_url( '/' ) );
/**
- * Filter the namespace index data.
+ * Filters the namespace index data.
*
* This typically is just the route data for the namespace, but you can
* add any data you'd like here.
}
/**
- * Filter the REST endpoint data.
+ * Filters the REST endpoint data.
*
* @since 4.4.0
*
}
/**
- * Filter the publicly-visible data for routes.
+ * Filters the publicly-visible data for routes.
*
* This data is exposed on indexes and can be used by clients or
* developers to investigate the site and find out how to use it. It