From f465555022023cf779c0c75e6d6b8f3a2e52a25e Mon Sep 17 00:00:00 2001
From: Django Doucet
Date: Sat, 21 Feb 2026 01:05:57 -0700
Subject: [PATCH 1/3] Fix proxyUrl with urldecode in sanitize and validate callbacks before passing to create_item

---
 includes/rest/class-proxy-controller.php | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/includes/rest/class-proxy-controller.php b/includes/rest/class-proxy-controller.php
index 5b40c7061..21d08a827 100644
--- a/includes/rest/class-proxy-controller.php
+++ b/includes/rest/class-proxy-controller.php
@@ -55,7 +55,7 @@ public function register_routes() {
 'description' => 'The URI of the remote ActivityPub object to fetch.',
 'type' => 'string',
 'required' => true,
- 'sanitize_callback' => 'sanitize_url',
+ 'sanitize_callback' => array( $this, 'sanitize_url' ),
 'validate_callback' => array( $this, 'validate_url' ),
 ),
 ),
@@ -65,6 +65,18 @@ public function register_routes() {
 );
 }
 
+ /**
+ * Sanitizes the URL parameter.
+ *
+ * @see https://developer.wordpress.org/reference/functions/sanitize_url/
+ *
+ * @param string $url The urlencoded URL to sanitize.
+ * @return string The sanitized URL.
+ */
+ public function sanitize_url( $url ) {
+ // Decode and sanitize the URL
+ return sanitize_url( urldecode( $url ) );
+ }
 /**
 * Validate the URL parameter.
 *
@@ -76,13 +88,16 @@ public function register_routes() {
 * @return bool True if valid, false otherwise.
 */
 public function validate_url( $url ) {
+ // Decode the url
+ $decoded_url = urldecode( $url );
+
 // Must be HTTPS.
- if ( 'https' !== \wp_parse_url( $url, PHP_URL_SCHEME ) ) {
+ if ( 'https' !== \wp_parse_url( $decoded_url, PHP_URL_SCHEME ) ) {
 return false;
 }
 
 // Use WordPress built-in validation (blocks local IPs, restricts ports).
- return (bool) \wp_http_validate_url( $url );
+ return (bool) \wp_http_validate_url( $decoded_url );
 }
 
 /**

From 7f9396ad9e9c04f52ad5bbff1c848a427a7579d7 Mon Sep 17 00:00:00 2001
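Review bot: The new `sanitize_url()` method runs `urldecode()` on a value that the REST layer has normally already percent-decoded once, so a literal `%2F` or `+` in a legitimate object URI is rewritten (`+` becomes a space) before `sanitize_url()` sees it, and a doubly-encoded input ends up different from what any upstream filter inspected. If the client really does send the parameter encoded twice, the comment should say so, and I would use `return \sanitize_url( \rawurldecode( $url ) );`, which leaves `+` alone and matches the `\`-prefixed calls in `validate_url()`. The same `urldecode()` is added in the `validate_url()` hunk. The blank line between the closing `}` and the following docblock is also missing.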
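Review bot: `validate_url()` now checks `urldecode( $url )`, while the value that reaches the handler is `sanitize_url( urldecode( $url ) )`, so the HTTPS test and `wp_http_validate_url()` run on a string that can differ from the one that is later fetched. For a proxy endpoint the scheme and host checks should be made on exactly the value that is used; replacing the first added line with `$decoded_url = $this->sanitize_url( $url );` would keep the two callbacks in step. Whether `create_item` validates the URL again is not visible in this patch.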
From: Matthias Pfefferle
Date: Sat, 21 Feb 2026 11:51:12 +0100
Subject: [PATCH 2/3] class-proxy-controller.php aktualisieren

---
 includes/rest/class-proxy-controller.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/rest/class-proxy-controller.php b/includes/rest/class-proxy-controller.php
index 21d08a827..616afa660 100644
--- a/includes/rest/class-proxy-controller.php
+++ b/includes/rest/class-proxy-controller.php
@@ -74,7 +74,7 @@ public function register_routes() {
 * @return string The sanitized URL.
 */
 public function sanitize_url( $url ) {
- // Decode and sanitize the URL
+ // Decode and sanitize the URL.
 return sanitize_url( urldecode( $url ) );
 }
 /**

From 183a6c2b904c52534e93c2e2d45d3cc750083529 Mon Sep 17 00:00:00 2001
From: Matthias Pfefferle
Date: Sat, 21 Feb 2026 11:51:19 +0100
Subject: [PATCH 3/3] class-proxy-controller.php aktualisieren

---
 includes/rest/class-proxy-controller.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/rest/class-proxy-controller.php b/includes/rest/class-proxy-controller.php
index 616afa660..0a7036b28 100644
--- a/includes/rest/class-proxy-controller.php
+++ b/includes/rest/class-proxy-controller.php
@@ -88,7 +88,7 @@ public function sanitize_url( $url ) {
 * @return bool True if valid, false otherwise.
 */
 public function validate_url( $url ) {
- // Decode the url
+ // Decode the url.
 $decoded_url = urldecode( $url );
 
 // Must be HTTPS.