Target Hints: Add missing param sanitization

[swissspidy]

What?

This fixes a serious bug in the Gutenberg_REST_Server class which is intended for 6.7 merge. This bug causes fatal errors for plugins like Web Stories.

#64504 updated WP_REST_Sever to add the targetHints property. Like WP_REST_Server::dispatch() it uses match_request_to_handler() to get the correct handler and then "sends" the correct headers.

The problem is that it does not sanitize the request params it gathered from WP_REST_Request::from_url() and match_request_to_handler(). So if the controller in question expects an int, it will get a string and if it has strict typing, that leads to fatal errors.

Note: This might warrant a 19.2.1 release.

Why?

Bugs are bad!

How?

Fixes the bug by validating and sanitizing the params.

I don't have the capacity right now to add tests, so if someone else can do it, that would be great.

Testing Instructions

1. Install the Web Stories plugin
2. Open the Web Stories editor
3. See (or not see) a fatal error

Testing Instructions for Keyboard

N/A

Screenshots or screencast

N/A

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: swissspidy <swissspidy@git.wordpress.org>
Co-authored-by: Mamaduka <mamaduka@git.wordpress.org>
Co-authored-by: peterwilsoncc <peterwilsoncc@git.wordpress.org>
Co-authored-by: TimothyBJacobs <timothyblynjacobs@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[swissspidy]

Adding the "No Core Sync Required" label solely because the core PR wasn't actually merged yet

[github-actions]

Flaky tests detected in a53c8b0.
Some tests passed with failed attempts. The failures may not be related to this commit but are still reported for visibility. See the documentation for more information.

🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/10829903591
📝 Reported issues:

• [Flaky Test] should not render Block Settings sections #64387 in /test/e2e/specs/widgets/customizing-widgets.spec.js

[Mamaduka]

Can confirm that this fixes the fatal error with the Web Stories plugin.

The unit test coverage would be nice to have, but it is probably not a blocker for the Gutenberg plugin fix if we want to ship a minor release as soon as possible.

[peterwilsoncc]

@swissspidy Are you able to add a link to this PR to https://github.com/WordPress/gutenberg/blob/trunk/backport-changelog/6.7/7139.md

[swissspidy]

Weird workflow, clearly I am not accustomed to it. Done now.

[swissspidy]

E2E failures are unrelated and happen because of a core change.

[TimothyBJacobs]

I'm adding tests in WordPress/wordpress-develop#7139, is that properly testing what you were running into @swissspidy?

[swissspidy]

I think so, yes, thanks @TimothyBJacobs!

[swissspidy]

@Mamaduka do you think this warrants a minor release? if not, when is 19.3 happening?