REST API: Implement strict validation for the settings controller. Fi…
Description
This PR addresses the issue where the /wp/v2/settings endpoint returns a 200 OK even when sent unknown properties or an empty request body.
Changes:
Updated WP_REST_Settings_Controller::update_item to validate request parameters against registered settings.
Introduced a whitelist for "Infrastructure/Global" parameters (e.g., _locale, _wpnonce, _fields, _embed) to ensure backward compatibility and prevent breaking internal WordPress tools.
Returns a rest_invalid_param (400) if unknown parameters are passed in the JSON body or URL query string.
Returns a rest_empty_request (400) if the request does not contain any valid settings to update.
Why this approach works: Previous attempts were reverted because they broke requests using query parameters or global flags. By using an array_diff against a whitelist of registered options AND internal parameters, this patch provides strict validation without breaking existing ecosystem tools like Gutenberg or third-party clients.
Testing performed:
Added unit tests for empty bodies.
Added unit tests for unknown properties in JSON bodies and URL query strings.
Verified that global parameters (like _locale) still allow the request to succeed.
Trac ticket: https://core.trac.wordpress.org/ticket/41604
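
The check described above, sketched as a stand-alone PHP function. This is an added example, not the code from the PR: the function name, the return shape and the sample setting names are assumptions, and it runs without WordPress loaded.

```php
<?php
// Added illustration; not the PR's code. No WordPress functions are used.

// Global parameters listed in the PR description.
const GLOBAL_PARAMS = array( '_locale', '_wpnonce', '_fields', '_embed' );

/**
 * Hypothetical helper: classify a settings update request.
 *
 * @param array $params     Merged JSON-body and query-string parameters.
 * @param array $registered Names of the registered settings.
 * @return array array( HTTP status, code, parameter names concerned )
 */
function validate_settings_request( array $params, array $registered ) {
	$names   = array_map( 'strval', array_keys( $params ) );
	$allowed = array_merge( $registered, GLOBAL_PARAMS );

	// Anything outside registered settings + global parameters is rejected.
	$unknown = array_values( array_diff( $names, $allowed ) );
	if ( $unknown ) {
		return array( 400, 'rest_invalid_param', $unknown );
	}

	// Assumption: global parameters alone are not a settings update,
	// so a request carrying only them is treated as empty.
	$settings = array_values( array_intersect( $names, $registered ) );
	if ( ! $settings ) {
		return array( 400, 'rest_empty_request', array() );
	}

	return array( 200, 'ok', $settings );
}

// Constructed sample data.
$registered = array( 'title', 'description', 'timezone' );
$cases      = array(
	'empty body'             => array(),
	'only global flag'       => array( '_locale' => 'user' ),
	'unknown property'       => array( 'title' => 'Blog', 'is_admin' => true ),
	'valid with global flag' => array( 'title' => 'Blog', '_locale' => 'user' ),
);

foreach ( $cases as $label => $params ) {
	list( $status, $code, $names ) = validate_settings_request( $params, $registered );
	printf( "%-24s %d %-20s %s\n", $label, $status, $code, implode( ',', $names ) );
}
```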