Refactor SAFE_SETTINGS in WP_Theme_JSON to be private, ensuring it is used only internally. Update unit tests to validate the removal of insecure properties and ensure safe settings are not allowed to be unsafe.

Author: ramonjd

src/wp-includes/class-wp-theme-json.php

@@ -487,11 +487,13 @@ class WP_Theme_JSON {
 	 *
 	 * These are non-preset, non-CSS settings that control behavior rather than styling.
 	 * Each entry defines the setting path and its expected type for validation.
-	 * Each entry should also be present in ::VALID_SETTINGS.
+	 *
+	 * The constant is deliberately private to prevent external usage by plugins.
+	 * Like the class itself, it is intended for internal core usage.
 	 *
 	 * @since 7.0.0
 	 */
-	const SAFE_SETTINGS = array(
+	private const SAFE_SETTINGS = array(
 		array(
 			'path' => array( 'lightbox', 'allowEditing' ),
 			'type' => 'boolean',

tests/phpunit/tests/theme/wpThemeJson.php

@@ -6630,24 +6630,25 @@ public function test_merge_incoming_data_unique_slugs_always_preserved() {
 	 * @ticket 64280
 	 */
 	public function test_remove_insecure_properties_should_allow_safe_settings() {
-		$actual = WP_Theme_JSON::remove_insecure_properties(
+		$actual = WP_Theme_JSON_Gutenberg::remove_insecure_properties(
 			array(
-				'version'  => WP_Theme_JSON::LATEST_SCHEMA,
+				'version'  => WP_Theme_JSON_Gutenberg::LATEST_SCHEMA,
 				'settings' => array(
 					'blocks' => array(
 						'core/image' => array(
-							'lightbox' => array(
+							'lightbox'    => array(
 								'enabled'      => false,
 								'allowEditing' => true,
 							),
+							'unsupported' => 'value',
 						),
 					),
 				),
 			)
 		);
 
 		$expected = array(
-			'version'  => WP_Theme_JSON::LATEST_SCHEMA,
+			'version'  => WP_Theme_JSON_Gutenberg::LATEST_SCHEMA,
 			'settings' => array(
 				'blocks' => array(
 					'core/image' => array(
@@ -6662,35 +6663,41 @@ public function test_remove_insecure_properties_should_allow_safe_settings() {
 
 		$this->assertEqualSetsWithIndex( $expected, $actual );
 	}
-
 	/**
 	 * @covers WP_Theme_JSON::remove_insecure_properties
 	 *
 	 * @ticket 64280
 	 */
-	public function test_safe_settings_paths_should_exist_in_valid_settings() {
-		// Verify all paths in SAFE_SETTINGS exist in VALID_SETTINGS.
-		foreach ( WP_Theme_JSON::SAFE_SETTINGS as $safe_setting ) {
-			$path = $safe_setting['path'];
-			$data = WP_Theme_JSON::VALID_SETTINGS;
-
-			// Check if path exists by traversing the nested structure.
-			$exists = true;
-			foreach ( $path as $key ) {
-				if ( ! is_array( $data ) || ! array_key_exists( $key, $data ) ) {
-					$exists = false;
-					break;
-				}
-				$data = $data[ $key ];
-			}
-
-			$this->assertTrue(
-				$exists,
-				sprintf(
-					'Path %s from SAFE_SETTINGS should exist in VALID_SETTINGS',
-					implode( '.', $path )
-				)
-			);
-		}
+	public function test_remove_insecure_properties_should_not_allow_unsafe_settings() {
+		$actual = WP_Theme_JSON_Gutenberg::remove_insecure_properties(
+			array(
+				'version'  => WP_Theme_JSON_Gutenberg::LATEST_SCHEMA,
+				'settings' => array(
+					'blocks' => array(
+						'core/image' => array(
+							'lightbox' => array(
+								'enabled'      => 'false',
+								'allowEditing' => true,
+							),
+						),
+					),
+				),
+			)
+		);
+
+		$expected = array(
+			'version'  => WP_Theme_JSON_Gutenberg::LATEST_SCHEMA,
+			'settings' => array(
+				'blocks' => array(
+					'core/image' => array(
+						'lightbox' => array(
+							'allowEditing' => true,
+						),
+					),
+				),
+			),
+		);
+
+		$this->assertEqualSetsWithIndex( $expected, $actual );
 	}
 }