X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/4feeb71a9d812a9ae371c28a3d8b442a4394ded7..607b7e02d77e7326161e8ec15639052d2040f745:/wp-includes/rest-api/class-wp-rest-server.php
diff --git a/wp-includes/rest-api/class-wp-rest-server.php b/wp-includes/rest-api/class-wp-rest-server.php
index ebf58de2..7a459066 100644
--- a/wp-includes/rest-api/class-wp-rest-server.php
+++ b/wp-includes/rest-api/class-wp-rest-server.php
@@ -226,11 +226,17 @@ class WP_REST_Server {
 public function serve_request( $path = null ) {
 $content_type = isset( $_GET['_jsonp'] ) ? 'application/javascript' : 'application/json';
 $this->send_header( 'Content-Type', $content_type . '; charset=' . get_option( 'blog_charset' ) );
+ $this->send_header( 'X-Robots-Tag', 'noindex' );
+
+ $api_root = get_rest_url();
+ if ( ! empty( $api_root ) ) {
+ $this->send_header( 'Link', '<' . esc_url_raw( $api_root ) . '>; rel="https://api.w.org/"' );
+ }
 /*
 * Mitigate possible JSONP Flash attacks.
 *
- * http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
+ * https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
 */
 $this->send_header( 'X-Content-Type-Options', 'nosniff' );
 $this->send_header( 'Access-Control-Expose-Headers', 'X-WP-Total, X-WP-TotalPages' );
@@ -251,7 +257,7 @@ class WP_REST_Server {
 }
 /**
- * Filter whether the REST API is enabled.
+ * Filters whether the REST API is enabled.
 *
 * @since 4.4.0
 *
@@ -260,7 +266,7 @@ class WP_REST_Server {
 $enabled = apply_filters( 'rest_enabled', true );
 /**
- * Filter whether jsonp is enabled.
+ * Filters whether jsonp is enabled.
 *
 * @since 4.4.0
 *
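Review bot: The new `Link` header is built from `get_rest_url()` through `esc_url_raw()`, but nothing in the hunk says why that escaper (rather than `esc_url()`) is the right one for a raw HTTP header value, or that the value must stay free of CR/LF and `>` so it can neither split the header nor close the `<...>` target; I would add `// Header context, not HTML: esc_url_raw() keeps the URL raw but still drops CR/LF and angle brackets that could break the header.` next to the send_header call, after confirming esc_url_raw() actually strips those. Both new headers are also sent unconditionally at the top of serve_request(), before the rest_enabled and JSONP checks that follow in the later hunks, so every response including the JSON error bodies carries `X-Robots-Tag: noindex` — presumably intended, but worth one sentence in the method's docblock. serve_request() continues past the end of this hunk.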
@@ -280,14 +286,8 @@ class WP_REST_Server {
 return false;
 }
- // Check for invalid characters (only alphanumeric allowed).
- if ( is_string( $_GET['_jsonp'] ) ) {
- $jsonp_callback = preg_replace( '/[^\w\.]/', '', wp_unslash( $_GET['_jsonp'] ), -1, $illegal_char_count );
- if ( 0 !== $illegal_char_count ) {
- $jsonp_callback = null;
- }
- }
- if ( null === $jsonp_callback ) {
+ $jsonp_callback = $_GET['_jsonp'];
+ if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
 echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 );
 return false;
 }
@@ -335,7 +335,7 @@ class WP_REST_Server {
 }
 /**
- * Filter the API response.
+ * Filters the API response.
 *
 * Allows modification of the response before returning.
 *
@@ -361,7 +361,7 @@ class WP_REST_Server {
 $this->set_status( $code );
 /**
- * Filter whether the request has already been served.
+ * Filters whether the request has already been served.
 *
 * Allow sending the request manually - by returning true, the API result
 * will not be sent to the client.
@@ -395,7 +395,7 @@ class WP_REST_Server {
 if ( $jsonp_callback ) {
 // Prepend '/**/' to mitigate possible JSONP Flash attacks
- // http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
+ // https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
 echo '/**/' . $jsonp_callback . '(' . $result . ')';
 } else {
 echo $result;
@@ -619,7 +619,7 @@ class WP_REST_Server {
 );
 /**
- * Filter the enveloped form of a response.
+ * Filters the enveloped form of a response.
 *
 * @since 4.4.0
 *
@@ -699,7 +699,7 @@ class WP_REST_Server {
 public function get_routes() {
 /**
- * Filter the array of available endpoints.
+ * Filters the array of available endpoints.
 *
 * @since 4.4.0
 *
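Review bot: The rewritten check at `$jsonp_callback = $_GET['_jsonp'];` drops the explicit `is_string()` guard and the `wp_unslash()` call, so whether an array value (`?_jsonp[]=x`) or a slashed value is rejected now rests entirely on `wp_check_jsonp_callback()`, which is defined outside this file. That matters because the same variable is later written verbatim into the body at `echo '/**/' . $jsonp_callback . '(' . $result . ')';` in the @@ -395 hunk, under the `application/javascript` content type chosen at the top of serve_request(), so the helper is the only thing between the query string and script output. I would add `// Echoed verbatim into the JavaScript body below; wp_check_jsonp_callback() must reject non-strings and anything outside [\w.].` above the check and confirm the helper does both. serve_request() begins and ends outside this hunk.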
@@ -801,7 +801,7 @@ class WP_REST_Server {
 */
 public function dispatch( $request ) {
 /**
- * Filter the pre-calculated result of a REST dispatch request.
+ * Filters the pre-calculated result of a REST dispatch request.
 *
 * Allow hijacking the request before dispatching by returning a non-empty. The returned value
 * will be used to serve the request instead.
@@ -853,8 +853,6 @@ class WP_REST_Server {
 $request->set_url_params( $args );
 $request->set_attributes( $handler );
- $request->sanitize_params();
-
 $defaults = array();
 foreach ( $handler['args'] as $arg => $options ) {
@@ -869,6 +867,8 @@ class WP_REST_Server {
 if ( is_wp_error( $check_required ) ) {
 $response = $check_required;
 }
+
+ $request->sanitize_params();
 }
 if ( ! is_wp_error( $response ) ) {
@@ -879,14 +879,14 @@ class WP_REST_Server {
 if ( is_wp_error( $permission ) ) {
 $response = $permission;
 } else if ( false === $permission || null === $permission ) {
- $response = new WP_Error( 'rest_forbidden', __( "You don't have permission to do this." ), array( 'status' => 403 ) );
+ $response = new WP_Error( 'rest_forbidden', __( 'Sorry, you are not allowed to do that.' ), array( 'status' => 403 ) );
 }
 }
 }
 if ( ! is_wp_error( $response ) ) {
 /**
- * Filter the REST dispatch request result.
+ * Filters the REST dispatch request result.
 *
 * Allow plugins to override dispatching the request.
 *
@@ -982,7 +982,7 @@ class WP_REST_Server {
 $response->add_link( 'help', 'http://v2.wp-api.org/' );
 /**
- * Filter the API root index data.
+ * Filters the API root index data.
 *
 * This contains the data describing the API. This includes information
 * about supported authentication schemes, supported namespaces, routes
@@ -1025,7 +1025,7 @@ class WP_REST_Server {
 $response->add_link( 'up', rest_url( '/' ) );
 /**
- * Filter the namespace index data.
+ * Filters the namespace index data.
 *
 * This typically is just the route data for the namespace, but you can
 * add any data you'd like here.
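Review bot: The relocated `$request->sanitize_params();` in the @@ -869 hunk discards its return value, so if sanitize_params() can report a failure (a sanitize_callback returning WP_Error, for instance) the request still goes on to the permission check and dispatch with whatever partially sanitized params it ended up with; the return type is not visible here, so confirm it, and if it can fail the call should become `$check_sanitized = $request->sanitize_params(); if ( is_wp_error( $check_sanitized ) ) { $response = $check_sanitized; }`. The move also changes the order so that has_valid_params() now sees raw, unsanitized input, which is the safer sequence since validation judges what the client actually sent, but it deserves a one-line comment so it is not quietly reverted: `// Validate the raw input first, then sanitize; validate_callbacks must not assume sanitized values.` dispatch() starts in the @@ -801 hunk and its body runs past the end of this one.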
@@ -1059,7 +1059,7 @@ class WP_REST_Server {
 }
 /**
- * Filter the REST endpoint data.
+ * Filters the REST endpoint data.
 *
 * @since 4.4.0
 *
@@ -1069,7 +1069,7 @@ class WP_REST_Server {
 }
 /**
- * Filter the publicly-visible data for routes.
+ * Filters the publicly-visible data for routes.
 *
 * This data is exposed on indexes and can be used by clients or
 * developers to investigate the site and find out how to use it. It