rest api – rest_sanitize_value_from_schema doesn’t sanitize string

This is a part of a simplified piece of code. It accepts a JSON post, validates it against a schema and if ok, sanitize the JSON structure

$schema = array(
        'type'       => 'object',
        'properties' => array(
            'email' => array(
                'type'   => 'string',
                'format' => 'email',
            'name'  => array(
                'type' => 'string',

    $json = json_decode( '{"email":"","name":"John <script>x.js</script>Doe"}', true );

    $result = rest_validate_value_from_schema( $json, $schema );
    if ( is_wp_error( $result ) ) {
        echo 'Error';

    $clean = rest_sanitize_value_from_schema( $json, $schema );

I’m expecting that the <script>x.js</script>part is stripped from the JSON-name field in ‘rest_sanitize_value_from schema’, but its not happening.

Looking into the function ‘rest_sanitize_value_from_schema’ on trac (rest-api.php lines 2471) it’s obvious why it is not sanitized because all strings are just casted to string!?

if ( 'string' === $args('type') ) {
    return (string) $value;

Is it me doing something wrong or is it a bug in ‘rest_sanitize_value_from_schema’.