Introduce SAFE_SETTINGS constant in WP_Theme_JSON to preserve non-preset, non-CSS settings during property removal. Added unit tests to validate the functionality of safe settings and their existence in VALID_SETTINGS.

Author: ramonjd

src/wp-includes/class-wp-theme-json.php

@@ -482,6 +482,26 @@ class WP_Theme_JSON {
 		),
 	);
 
+	/**
+	 * Safe settings that should be preserved by ::remove_insecure_settings().
+	 *
+	 * These are non-preset, non-CSS settings that control behavior rather than styling.
+	 * Each entry defines the setting path and its expected type for validation.
+	 * Each entry should also be present in ::VALID_SETTINGS.
+	 *
+	 * @since 7.0.0
+	 */
+	const SAFE_SETTINGS = array(
+		array(
+			'path' => array( 'lightbox', 'allowEditing' ),
+			'type' => 'boolean',
+		),
+		array(
+			'path' => array( 'lightbox', 'enabled' ),
+			'type' => 'boolean',
+		),
+	);
+
 	/**
 	 * The valid properties for fontFamilies under settings key.
 	 *
@@ -3732,6 +3752,33 @@ protected static function remove_insecure_settings( $input ) {
 		// Ensure indirect properties not included in any `PRESETS_METADATA` value are allowed.
 		static::remove_indirect_properties( $input, $output );
 
+		// Preserve all valid settings that aren't presets or indirect properties.
+		foreach ( static::SAFE_SETTINGS as $safe_setting ) {
+			$path = $safe_setting['path'];
+			$type = $safe_setting['type'];
+
+			// Extract the value from input using the path.
+			$value = _wp_array_get( $input, $path, null );
+
+			// Skip if the setting is not present in the input.
+			if ( null === $value ) {
+				continue;
+			}
+
+			// Validate the type.
+			$is_valid_type = false;
+			switch ( $type ) {
+				case 'boolean':
+					$is_valid_type = is_bool( $value );
+					break;
+			}
+
+			// If the type is valid, set it in the output using the path.
+			if ( $is_valid_type ) {
+				_wp_array_set( $output, $path, $value );
+			}
+		}
+
 		return $output;
 	}
 

tests/phpunit/tests/theme/wpThemeJson.php

@@ -6623,4 +6623,70 @@ public function test_merge_incoming_data_unique_slugs_always_preserved() {
 
 		$this->assertEqualSetsWithIndex( $expected, $actual );
 	}
+
+	/**
+	 * @covers WP_Theme_JSON::remove_insecure_properties
+	 */
+	public function test_remove_insecure_properties_should_allow_safe_settings() {
+		$actual = WP_Theme_JSON::remove_insecure_properties(
+			array(
+				'version'  => WP_Theme_JSON::LATEST_SCHEMA,
+				'settings' => array(
+					'blocks' => array(
+						'core/image' => array(
+							'lightbox' => array(
+								'enabled'      => false,
+								'allowEditing' => true,
+							),
+						),
+					),
+				),
+			)
+		);
+
+		$expected = array(
+			'version'  => WP_Theme_JSON::LATEST_SCHEMA,
+			'settings' => array(
+				'blocks' => array(
+					'core/image' => array(
+						'lightbox' => array(
+							'enabled'      => false,
+							'allowEditing' => true,
+						),
+					),
+				),
+			),
+		);
+
+		$this->assertEqualSetsWithIndex( $expected, $actual );
+	}
+
+	/**
+	 * @covers WP_Theme_JSON::remove_insecure_properties
+	 */
+	public function test_safe_settings_paths_should_exist_in_valid_settings() {
+		// Verify all paths in SAFE_SETTINGS exist in VALID_SETTINGS.
+		foreach ( WP_Theme_JSON::SAFE_SETTINGS as $safe_setting ) {
+			$path = $safe_setting['path'];
+			$data = WP_Theme_JSON::VALID_SETTINGS;
+
+			// Check if path exists by traversing the nested structure.
+			$exists = true;
+			foreach ( $path as $key ) {
+				if ( ! is_array( $data ) || ! array_key_exists( $key, $data ) ) {
+					$exists = false;
+					break;
+				}
+				$data = $data[ $key ];
+			}
+
+			$this->assertTrue(
+				$exists,
+				sprintf(
+					'Path %s from SAFE_SETTINGS should exist in VALID_SETTINGS',
+					implode( '.', $path )
+				)
+			);
+		}
+	}
 }