REST API: Strip internal schema keywords from ability REST responses.

jorgefilipecosta · jorgefilipecosta · commit c22d026e87ff · 2026-04-06T13:37:25.000+01:00
Ability `input_schema` and `output_schema` may contain WordPress-internal
properties like `sanitize_callback`, `validate_callback`, and `arg_options`
that are not valid JSON Schema keywords. These cause client-side JSON Schema
validators to fail.

Strip non-standard keywords recursively using the same allowlist approach
(`rest_get_allowed_schema_keywords()`) that `WP_REST_Server::get_data_for_route()`
already uses for endpoint arguments.
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-abilities-v1-list-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-abilities-v1-list-controller.php
@@ -215,6 +215,70 @@ private function normalize_schema_empty_object_defaults( array $schema ): array
 		return $schema;
 	}
 
+	/**
+	 * Recursively removes non-JSON-Schema keywords from a schema.
+	 *
+	 * Ability schemas may include WordPress-internal properties like
+	 * `sanitize_callback`, `validate_callback`, and `arg_options` that are
+	 * used server-side but are not valid JSON Schema keywords. This method
+	 * strips any key not in the list returned by rest_get_allowed_schema_keywords(),
+	 * plus `required`.
+	 *
+	 * @since 6.9.0
+	 *
+	 * @param array<string, mixed> $schema The schema array.
+	 * @return array<string, mixed> The schema with only valid JSON Schema keywords.
+	 */
+	private function strip_internal_schema_keywords( array $schema ): array {
+		$allowed_keywords   = rest_get_allowed_schema_keywords();
+		$allowed_keywords[] = 'required';
+		$allowed_keywords   = array_flip( $allowed_keywords );
+
+		$schema = array_intersect_key( $schema, $allowed_keywords );
+
+		// Sub-schema maps: keys are user-defined, values are sub-schemas.
+		foreach ( array( 'properties', 'patternProperties' ) as $keyword ) {
+			if ( isset( $schema[ $keyword ] ) && is_array( $schema[ $keyword ] ) ) {
+				foreach ( $schema[ $keyword ] as $key => $child_schema ) {
+					if ( is_array( $child_schema ) ) {
+						$schema[ $keyword ][ $key ] = $this->strip_internal_schema_keywords( $child_schema );
+					}
+				}
+			}
+		}
+
+		// Single sub-schema: items.
+		if ( isset( $schema['items'] ) ) {
+			if ( wp_is_numeric_array( $schema['items'] ) ) {
+				foreach ( $schema['items'] as $index => $item_schema ) {
+					if ( is_array( $item_schema ) ) {
+						$schema['items'][ $index ] = $this->strip_internal_schema_keywords( $item_schema );
+					}
+				}
+			} elseif ( is_array( $schema['items'] ) ) {
+				$schema['items'] = $this->strip_internal_schema_keywords( $schema['items'] );
+			}
+		}
+
+		// Single sub-schema: additionalProperties (when not boolean).
+		if ( isset( $schema['additionalProperties'] ) && is_array( $schema['additionalProperties'] ) ) {
+			$schema['additionalProperties'] = $this->strip_internal_schema_keywords( $schema['additionalProperties'] );
+		}
+
+		// Array-of-schemas keywords.
+		foreach ( array( 'anyOf', 'oneOf' ) as $keyword ) {
+			if ( isset( $schema[ $keyword ] ) && is_array( $schema[ $keyword ] ) ) {
+				foreach ( $schema[ $keyword ] as $index => $sub_schema ) {
+					if ( is_array( $sub_schema ) ) {
+						$schema[ $keyword ][ $index ] = $this->strip_internal_schema_keywords( $sub_schema );
+					}
+				}
+			}
+		}
+
+		return $schema;
+	}
+
 	/**
 	 * Prepares an ability for response.
 	 *
@@ -230,8 +294,12 @@ public function prepare_item_for_response( $ability, $request ) {
 			'label'         => $ability->get_label(),
 			'description'   => $ability->get_description(),
 			'category'      => $ability->get_category(),
-			'input_schema'  => $this->normalize_schema_empty_object_defaults( $ability->get_input_schema() ),
-			'output_schema' => $this->normalize_schema_empty_object_defaults( $ability->get_output_schema() ),
+			'input_schema'  => $this->strip_internal_schema_keywords(
+				$this->normalize_schema_empty_object_defaults( $ability->get_input_schema() )
+			),
+			'output_schema' => $this->strip_internal_schema_keywords(
+				$this->normalize_schema_empty_object_defaults( $ability->get_output_schema() )
+			),
 			'meta'          => $ability->get_meta(),
 		);
 
diff --git a/tests/phpunit/tests/rest-api/wpRestAbilitiesV1ListController.php b/tests/phpunit/tests/rest-api/wpRestAbilitiesV1ListController.php
@@ -776,4 +776,59 @@ public function test_filter_by_nonexistent_category(): void {
 		$this->assertIsArray( $data );
 		$this->assertEmpty( $data, 'Should return empty array for non-existent category' );
 	}
+
+	/**
+	 * Test that WordPress-internal schema keywords are stripped from ability schemas in REST response.
+	 *
+	 * @ticket 64098
+	 */
+	public function test_internal_schema_keywords_stripped_from_response(): void {
+		$this->register_test_ability(
+			'test/with-internal-keywords',
+			array(
+				'label'               => 'Test Internal Keywords',
+				'description'         => 'Tests stripping of internal schema keywords',
+				'category'            => 'general',
+				'input_schema'        => array(
+					'type'       => 'object',
+					'properties' => array(
+						'content' => array(
+							'type'              => 'string',
+							'description'       => 'The content value.',
+							'sanitize_callback' => 'sanitize_text_field',
+							'validate_callback' => 'is_string',
+							'arg_options'       => array( 'sanitize_callback' => 'wp_kses_post' ),
+						),
+					),
+				),
+				'output_schema'       => array(
+					'type'              => 'string',
+					'sanitize_callback' => 'sanitize_text_field',
+				),
+				'execute_callback'    => static function ( $input ) {
+					return $input['content'];
+				},
+				'permission_callback' => '__return_true',
+				'meta'                => array( 'show_in_rest' => true ),
+			)
+		);
+
+		$request  = new WP_REST_Request( 'GET', '/wp-abilities/v1/abilities/test/with-internal-keywords' );
+		$response = $this->server->dispatch( $request );
+		$data     = $response->get_data();
+
+		// Verify internal keywords are stripped from input_schema properties.
+		$content_schema = $data['input_schema']['properties']['content'];
+		$this->assertArrayNotHasKey( 'sanitize_callback', $content_schema );
+		$this->assertArrayNotHasKey( 'validate_callback', $content_schema );
+		$this->assertArrayNotHasKey( 'arg_options', $content_schema );
+
+		// Verify valid JSON Schema keywords are preserved.
+		$this->assertSame( 'string', $content_schema['type'] );
+		$this->assertSame( 'The content value.', $content_schema['description'] );
+
+		// Verify internal keywords are stripped from output_schema.
+		$this->assertArrayNotHasKey( 'sanitize_callback', $data['output_schema'] );
+		$this->assertSame( 'string', $data['output_schema']['type'] );
+	}
 }
