function RequestSanitizer::processParameterBag
Processes a request parameter bag.
Parameters
\Symfony\Component\HttpFoundation\ParameterBag $bag: The parameter bag to process.
string[] $safe_keys: An array of keys to consider safe.
bool $log_sanitized_keys: Set to TRUE to log keys that are sanitized.
string $bag_name: The request parameter bag name. Either 'query', 'request' or 'cookies'.
string $message: The message to log if the parameter bag contains keys that are removed. If the message contains %s, it is replaced by a list of the removed keys.
Return value
bool TRUE if the parameter bag has been sanitized, FALSE if not.
1 call to RequestSanitizer::processParameterBag()
- RequestSanitizer::sanitize in core/lib/Drupal/Core/Security/RequestSanitizer.php - Strips dangerous keys from user input.
File
- core/lib/Drupal/Core/Security/RequestSanitizer.php, line 90
Class
- RequestSanitizer
- Sanitizes user input.
Namespace
Drupal\Core\Security
Code
protected static function processParameterBag(ParameterBag $bag, array $safe_keys, $log_sanitized_keys, $bag_name, $message) {
  $sanitized = FALSE;
  $sanitized_keys = [];
  $bag->replace(static::stripDangerousValues($bag->all(), $safe_keys, $sanitized_keys));
  if (!empty($sanitized_keys)) {
    $sanitized = TRUE;
    if ($log_sanitized_keys) {
      trigger_error(sprintf($message, implode(', ', $sanitized_keys)));
    }
  }
  if ($bag->has('destination')) {
    $destination = $bag->get('destination');
    $destination_dangerous_keys = static::checkDestination($destination, $safe_keys);
    if (!empty($destination_dangerous_keys)) {
      // The destination is removed rather than sanitized because the URL
      // generator service is not available and this method is called very
      // early in the bootstrap.
      $bag->remove('destination');
      $sanitized = TRUE;
      if ($log_sanitized_keys) {
        trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it contained the following keys: %s', $bag_name, implode(', ', $destination_dangerous_keys)));
      }
    }
    // Sanitize the destination parameter (which is often used for redirects)
    // to prevent open redirect attacks leading to other domains.
    if (UrlHelper::isExternal($destination)) {
      // The destination is removed because it is an external URL.
      $bag->remove('destination');
      $sanitized = TRUE;
      if ($log_sanitized_keys) {
        trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it points to an external URL.', $bag_name));
      }
    }
  }
  return $sanitized;
}
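To show what the two destination checks above do in practice, here is an added example (not Drupal core code) that reimplements them on plain PHP arrays so it runs without a Drupal bootstrap. findDangerousKeys(), isExternalUrl() and sanitizeDestination() are hypothetical stand-ins for stripDangerousValues(), UrlHelper::isExternal() and the destination branch of processParameterBag(); the rule that keys starting with '#' are dangerous comes from Drupal core's stripDangerousValues(), which this page does not show.

```php
<?php
// Added example, not Drupal core code; plain arrays stand in for ParameterBag.
// Collects keys starting with '#' (render-array property syntax, which Drupal
// treats as dangerous) that are not in $safeKeys, descending into nested arrays.
function findDangerousKeys(array $input, array $safeKeys): array {
  $found = [];
  foreach ($input as $key => $value) {
    if (is_string($key) && str_starts_with($key, '#') && !in_array($key, $safeKeys, TRUE)) {
      $found[] = $key;
    }
    elseif (is_array($value)) {
      $found = array_merge($found, findDangerousKeys($value, $safeKeys));
    }
  }
  return $found;
}

// Simplified stand-in for UrlHelper::isExternal(): protocol-relative URLs and
// URLs with a scheme before any '/', '?' or '#' count as external.
function isExternalUrl(string $url): bool {
  $url = str_replace('\\', '/', $url);
  $colon = strpos($url, ':');
  return str_starts_with($url, '//')
    || ($colon !== FALSE && !preg_match('![/?#]!', substr($url, 0, $colon)));
}

// Returns the sanitized bag and appends one log line per removal to $log.
function sanitizeDestination(array $bag, array $safeKeys, string $bagName, array &$log): array {
  if (!isset($bag['destination']) || !is_string($bag['destination'])) {
    return $bag;
  }
  $destination = $bag['destination'];
  // Like checkDestination(): only the destination's query string is inspected.
  parse_str((string) parse_url($destination, PHP_URL_QUERY), $query);
  if ($dangerous = findDangerousKeys($query, $safeKeys)) {
    unset($bag['destination']);
    $log[] = sprintf('Potentially unsafe destination removed from %s parameter bag because it contained the following keys: %s', $bagName, implode(', ', $dangerous));
  }
  if (isExternalUrl($destination)) {
    unset($bag['destination']);
    $log[] = sprintf('Potentially unsafe destination removed from %s parameter bag because it points to an external URL.', $bagName);
  }
  return $bag;
}

// Constructed sample destinations: in-site path, '#' key smuggled as %23, external host.
$log = [];
foreach (['/node/1?page=2', '/user?%23access=1', '//other.example/login'] as $dest) {
  $result = sanitizeDestination(['destination' => $dest], [], 'query', $log);
  printf("%-24s => %s\n", $dest, isset($result['destination']) ? 'kept' : 'removed');
}
print implode("\n", $log) . "\n";
```

Only the first destination survives; the second is dropped because parse_str() decodes %23 to '#access', the third because it is protocol-relative.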