rest_sanitize_value_from_schema doesn’t sanitize string

This is a part of a simplified piece of code. It accepts a JSON post, validates it against a schema and if ok, sanitize the JSON structure

$  schema = array(         'type'       => 'object',         'properties' => array(             'email' => array(                 'type'   => 'string',                 'format' => 'email',             ),             'name'  => array(                 'type' => 'string',             ),         ),     );      $  json = json_decode( '{"email":"info@test.com","name":"John <script>x.js</script>Doe"}', true );      $  result = rest_validate_value_from_schema( $  json, $  schema );     if ( is_wp_error( $  result ) ) {         echo 'Error';         die();     }      $  clean = rest_sanitize_value_from_schema( $  json, $  schema ); 

I’m expecting that the <script>x.js</script>part is stripped from the JSON-name field in ‘rest_sanitize_value_from schema’, but its not happening.

Looking into the function ‘rest_sanitize_value_from_schema’ on trac (rest-api.php lines 2471) it’s obvious why it is not sanitized because all strings are just casted to string!?

if ( 'string' === $  args['type'] ) {     return (string) $  value; } 

Is it me doing something wrong or is it a bug in ‘rest_sanitize_value_from_schema’.