Skip to content

Connectors: Sanitize provider IDs with hyphens in _wp_connectors_init().#11260

Closed
soderlind wants to merge 1 commit intoWordPress:trunkfrom
soderlind:sanitize/provider-ID
Closed

Connectors: Sanitize provider IDs with hyphens in _wp_connectors_init().#11260
soderlind wants to merge 1 commit intoWordPress:trunkfrom
soderlind:sanitize/provider-ID

Conversation

@soderlind
Copy link

@soderlind soderlind commented Mar 15, 2026

Patch for #64861: _wp_connectors_init() should sanitize provider IDs

Problem

_wp_connectors_init() passes AI Client provider IDs directly to WP_Connector_Registry::register(), which validates IDs against /^[a-z0-9_]+$/. Third-party providers using hyphens in their ID (e.g. azure-openai) are silently rejected with a _doing_it_wrong notice, causing them to be missing from the connector registry even though they work correctly at the AiClient level.

Approach

Option 1 from the ticket: sanitize hyphens → underscores before passing to the registry, while preserving the original provider ID for AiClient lookups.

Changes

class-wp-connector-registry.php

  • register() now accepts and stores an optional provider_id field in connector data, allowing callers to preserve the original AI Client provider ID when it differs from the sanitized connector ID.
  • Updated @phpstan-type Connector and $args docblock accordingly.

connectors.php

  • In _wp_connectors_init(): the loop variable from getRegisteredProviderIds() is now $provider_id. A sanitized $connector_id = str_replace( '-', '_', $provider_id ) is used as the registry key. getProviderClassName() continues to receive the original $provider_id since the AiClient registry stores providers under their original key. Both existing defaults and new providers store 'provider_id' => $provider_id in the connector data.
  • Four downstream functions that iterate over registered connectors and call back into the AiClient API now extract $provider_id = $connector_data['provider_id'] ?? $connector_id and use it for all AiClient calls:
    • _wp_connectors_rest_settings_dispatch() — key validation via _wp_connectors_is_ai_api_key_valid()
    • _wp_register_default_connector_settings()hasProvider() check
    • _wp_connectors_pass_default_keys_to_ai_client()hasProvider(), _wp_connectors_get_api_key_source(), setProviderRequestAuthentication()
    • _wp_connectors_get_connector_script_module_data()hasProvider(), isProviderConfigured(), _wp_connectors_get_api_key_source()
  • Updated return-type docblocks for wp_get_connector() and wp_get_connectors() to document the optional provider_id field.

wpConnectorRegistry.php

Four new tests:

  • test_register_stores_provider_id — provider_id is preserved in returned connector data
  • test_register_omits_provider_id_when_not_provided — no provider_id key when absent from args
  • test_register_omits_provider_id_when_empty — no provider_id key when empty string
  • test_get_registered_includes_provider_id — provider_id round-trips through get_registered()

Impact

  • The three built-in providers (anthropic, google, openai) have no hyphens and are unaffected.
  • Third-party providers with hyphenated IDs will now be registered under the underscore variant (e.g. azure-openaiazure_openai) and appear correctly in Settings → Connectors.
  • The provider_id field falls back to the connector ID via ??, so existing code consuming connector data is unaffected.

Trac ticket: https://core.trac.wordpress.org/ticket/64861

Use of AI Tools

GitHub Copilot + Opus 4.6 used to review the patch

This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.

@soderlind
Connectors: Sanitize provider IDs with hyphens in _wp_connectors_init().
cfacaa7 
Passes AI Client provider IDs through str_replace( '-', '_', $provider_id )
before registering them in WP_Connector_Registry, which only accepts
[a-z0-9_]. The original provider ID is stored in a new 'provider_id' field
so downstream functions can use it for AiClient lookups.

Props PerS.
Fixes #64861.
@github-actions
Copy link

github-actions bot commented Mar 15, 2026
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props pers, jeffpaul, gziolo.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions
Copy link

github-actions bot commented Mar 15, 2026

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

@jeffpaul
Copy link
Member

jeffpaul commented Mar 15, 2026

@felixarntz @JasonTheAdams @justlevine ^^^

@gziolo
Copy link
Member

gziolo commented Mar 18, 2026
edited
Loading

I proposed an alternative approach in #11285. Instead of tracking the original provider name, we can align with how names and slugs are structured in WordPress (see ability name or plugin slugs) and allow - instead of _. It's still an open question whether we should include similar validation for AI providers, because it currently allows almost anything, with the note that when handling environment variables and PHP constant names, - gets replaced with _. Therefore, it might be worth exploring a stricter standardization in the PHP API client to avoid mismatches, too.

@github-actions
Copy link

github-actions bot commented Mar 19, 2026

A commit was made that fixes the Trac ticket referenced in the description of this pull request.

SVN changeset: 62056
GitHub commit: b8e0c3d

This PR will be closed, but please confirm the accuracy of this and reopen if there is more work to be done.

@github-actions github-actions bot closed this Mar 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@soderlind @jeffpaul @gziolo