REST API: Allow-list ability schema response keywords.

Author: gziolo

src/wp-includes/rest-api/endpoints/class-wp-rest-abilities-v1-list-controller.php

@@ -189,15 +189,21 @@ public function get_item_permissions_check( $request ) {
 	}
 
 	/**
-	 * WordPress-internal schema keywords to strip from REST responses.
+	 * Additional schema keywords to preserve in REST responses.
 	 *
-	 * @since 7.0.0
-	 * @var array<string, true>
+	 * These are not included in rest_get_allowed_schema_keywords(), but are
+	 * still recognized as schema traversal locations for ability schemas.
+	 *
+	 * @since 7.1.0
+	 * @var string[]
 	 */
-	private const INTERNAL_SCHEMA_KEYWORDS = array(
-		'sanitize_callback' => true,
-		'validate_callback' => true,
-		'arg_options'       => true,
+	private const ADDITIONAL_ALLOWED_SCHEMA_KEYWORDS = array(
+		'required',
+		'allOf',
+		'not',
+		'definitions',
+		'dependencies',
+		'additionalItems',
 	);
 
 	/**
@@ -217,12 +223,11 @@ private function is_associative_array( $value ): bool {
 	/**
 	 * Transforms an ability schema for REST response output.
 	 *
-	 * Ability schemas may include WordPress-internal properties like
-	 * `sanitize_callback`, `validate_callback`, and `arg_options` that are
-	 * used server-side but are not valid JSON Schema keywords. This method
-	 * removes those specific keys so they are not exposed in REST responses.
-	 * It also converts empty array defaults to objects when the schema type is
-	 * 'object' to ensure proper JSON serialization as {} instead of [].
+	 * Ability schemas may include WordPress-internal properties or unsupported
+	 * schema keywords that should not be exposed in REST responses. This method
+	 * strips keys not recognized by the REST API schema handling. It also
+	 * converts empty array defaults to objects when the schema type is 'object'
+	 * to ensure proper JSON serialization as {} instead of [].
 	 *
 	 * @since 7.1.0
 	 *
@@ -237,7 +242,16 @@ private function prepare_schema_for_response( array $schema ): array {
 			}
 		}
 
-		$schema = array_diff_key( $schema, self::INTERNAL_SCHEMA_KEYWORDS );
+		$schema = array_intersect_key(
+			$schema,
+			array_fill_keys(
+				array_merge(
+					rest_get_allowed_schema_keywords(),
+					self::ADDITIONAL_ALLOWED_SCHEMA_KEYWORDS
+				),
+				true
+			)
+		);
 
 		// Sub-schema maps: keys are user-defined, values are sub-schemas.
 		// Note: 'dependencies' values can also be property-dependency arrays

tests/phpunit/tests/rest-api/wpRestAbilitiesV1ListController.php

@@ -846,6 +846,7 @@ public function test_internal_schema_keywords_stripped_from_response(): void {
 						'content' => array(
 							'type'              => 'string',
 							'description'       => 'The content value.',
+							'examples'          => array( 'example content' ),
 							'sanitize_callback' => 'sanitize_text_field',
 							'validate_callback' => 'is_string',
 							'arg_options'       => array( 'sanitize_callback' => 'wp_kses_post' ),
@@ -880,6 +881,7 @@ public function test_internal_schema_keywords_stripped_from_response(): void {
 		$this->assertArrayNotHasKey( 'sanitize_callback', $content_schema );
 		$this->assertArrayNotHasKey( 'validate_callback', $content_schema );
 		$this->assertArrayNotHasKey( 'arg_options', $content_schema );
+		$this->assertArrayNotHasKey( 'examples', $content_schema );
 
 		// Verify valid JSON Schema keywords are preserved.
 		$this->assertSame( 'string', $content_schema['type'] );