Make WordPress Core

Opened 2 weeks ago

Closed 5 days ago

#64666 closed defect (bug) (fixed)

REST API: Prevent fatal when font settings params are non-string in font faces and font families endpoints

Reported by: deepaklalwani Owned by: westonruter
Milestone: 7.0 Priority: normal
Severity: normal Version: trunk
Component: REST API Keywords: has-patch has-unit-tests
Focuses: Cc:

Description

The endpoints for creating and updating fonts currently expect stringified JSON for the settings parameters when sent via multipart/form-data.

However, when nested form fields (array/object style) are passed instead of a flat JSON string, the request handling reaches the JSON decoding stage with a non-string value. This triggers a Fatal TypeError rather than returning a standard REST validation error.

Affected Endpoints:

  • font_face_settings on /wp/v2/font-families/<id>/font-faces
  • font_family_settings on /wp/v2/font-families (Create/Update)

Steps to Reproduce
Run the following curl command (updating the credentials and URL for your local environment). This uses nested form fields for the settings instead of a JSON string:

curl -i -u "<username>:<password>" \
  -X POST "https://your-site.local/wp-json/wp/v2/font-families" \
  -F "theme_json_version=3" \
  -F "font_family_settings[name]=Inter" \
  -F "font_family_settings[slug]=inter" \
  -F "font_family_settings[fontFamily]=Inter, sans-serif"

Expected Behavior
The API should not trigger a fatal error. It should return a WP_Error object with:

Code: rest_invalid_param

Status: 400 Bad Request

Message: A clear explanation that the settings parameter must be a valid JSON string.

Actual Behavior
A Fatal TypeError occurs during the JSON decoding process because the code receives an array/object where it strictly expects a string.

Change History (3)

This ticket was mentioned in PR #10966 on WordPress/wordpress-develop by @deepaklalwani.


2 weeks ago
#1

  • Keywords has-patch has-unit-tests added
  • Ensure strict type guards for both settings params before JSON decode and return rest_invalid_param when input is not a string.
  • Add/extend REST API unit tests to cover non-string settings payloads and assert 400 error responses.

Trac ticket: https://core.trac.wordpress.org/ticket/64666

## Use of AI Tools
Used GitHub Copilot for unit test cases, which were updated and reviewed by me.

#2 @westonruter
9 days ago

  • Milestone changed from Awaiting Review to 7.0
  • Owner set to westonruter
  • Status changed from new to reviewing

#3 @westonruter
5 days ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 61765:

REST API: Prevent fatal error when non-string value is passed in endpoints for font faces and font families.

The value is expected to be a serialized JSON string, which the validation callback validates.

Developed in https://github.com/WordPress/wordpress-develop/pull/10966

Follow-up to r57548.

Props deepaklalwani, westonruter.
See #59166.
Fixes #64666.
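
The type guard this ticket describes, as an added example that is not WordPress core code and not the patch from the PR: it shows the unguarded decode failing on the nested-field payload from the reproduction steps, then the same input rejected with rest_invalid_param. The function names rest_error() and validate_settings_param(), the plain-array error standing in for WP_Error, and the message wording are assumptions made for this sketch.

```php
<?php
// Added example: a stand-alone sketch, not WordPress core code.
// rest_error() and validate_settings_param() are hypothetical names, and the
// error is a plain array standing in for a WP_Error object.

function rest_error( string $param ): array {
    return array(
        'code'    => 'rest_invalid_param',
        'status'  => 400,
        // Constructed wording for the message.
        'message' => sprintf( '%s parameter must be a valid JSON string.', $param ),
    );
}

// Returns true when $value is a decodable JSON string, otherwise an error array.
function validate_settings_param( $value, string $param ) {
    // Guard before decoding: on PHP 8+, json_decode() throws a TypeError
    // when its first argument is an array.
    if ( ! is_string( $value ) ) {
        return rest_error( $param );
    }
    // Malformed JSON decodes to null.
    if ( null === json_decode( $value, true ) ) {
        return rest_error( $param );
    }
    return true;
}

// Constructed inputs. PHP parses multipart fields such as
// font_family_settings[name]=Inter into a nested array like $nested.
$nested = array( 'name' => 'Inter', 'slug' => 'inter', 'fontFamily' => 'Inter, sans-serif' );
$inputs = array(
    'nested form fields' => $nested,
    'JSON string'        => '{"name":"Inter","slug":"inter","fontFamily":"Inter, sans-serif"}',
    'malformed JSON'     => '{"name":',
);

// The unguarded call, showing the failure described in the ticket.
try {
    json_decode( $nested, true );
    echo "unguarded decode: no exception (PHP 7 only warns)\n";
} catch ( TypeError $e ) {
    echo 'unguarded decode: ', get_class( $e ), ': ', $e->getMessage(), "\n";
}

foreach ( $inputs as $label => $input ) {
    $result = validate_settings_param( $input, 'font_family_settings' );
    echo $label, ': ', true === $result ? 'accepted' : $result['status'] . ' ' . $result['code'], "\n";
}
```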
