function RequestSanitizer::processParameterBag

Same name in other branches
  1. 8.9.x core/lib/Drupal/Core/Security/RequestSanitizer.php \Drupal\Core\Security\RequestSanitizer::processParameterBag()
  2. 10 core/lib/Drupal/Core/Security/RequestSanitizer.php \Drupal\Core\Security\RequestSanitizer::processParameterBag()
  3. 11.x core/lib/Drupal/Core/Security/RequestSanitizer.php \Drupal\Core\Security\RequestSanitizer::processParameterBag()

Processes a request parameter bag.

Parameters

\Symfony\Component\HttpFoundation\ParameterBag $bag: The parameter bag to process.

string[] $safe_keys: An array of keys to consider safe.

bool $log_sanitized_keys: Set to TRUE to log keys that are sanitized.

string $bag_name: The request parameter bag name. Either 'query', 'request' or 'cookies'.

string $message: The message to log if the parameter bag contains keys that are removed. If the message contains %s that is replaced by a list of removed keys.

Return value

bool TRUE if the parameter bag has been sanitized, FALSE if not.

1 call to RequestSanitizer::processParameterBag()
RequestSanitizer::sanitize in core/lib/Drupal/Core/Security/RequestSanitizer.php
Strips dangerous keys from user input.

File

core/lib/Drupal/Core/Security/RequestSanitizer.php, line 90

Class

RequestSanitizer
Sanitizes user input.

Namespace

Drupal\Core\Security

Code

protected static function processParameterBag(ParameterBag $bag, array $safe_keys, $log_sanitized_keys, $bag_name, $message) {
    $sanitized = FALSE;
    $sanitized_keys = [];
    $bag->replace(static::stripDangerousValues($bag->all(), $safe_keys, $sanitized_keys));
    if (!empty($sanitized_keys)) {
        $sanitized = TRUE;
        if ($log_sanitized_keys) {
            trigger_error(sprintf($message, implode(', ', $sanitized_keys)));
        }
    }
    if ($bag->has('destination')) {
        $destination = $bag->get('destination');
        $destination_dangerous_keys = static::checkDestination($destination, $safe_keys);
        if (!empty($destination_dangerous_keys)) {
            // The destination is removed rather than sanitized because the URL
            // generator service is not available and this method is called very
            // early in the bootstrap.
            $bag->remove('destination');
            $sanitized = TRUE;
            if ($log_sanitized_keys) {
                trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it contained the following keys: %s', $bag_name, implode(', ', $destination_dangerous_keys)));
            }
        }
        // Sanitize the destination parameter (which is often used for redirects)
        // to prevent open redirect attacks leading to other domains.
        if (UrlHelper::isExternal($destination)) {
            // The destination is removed because it is an external URL.
            $bag->remove('destination');
            $sanitized = TRUE;
            if ($log_sanitized_keys) {
                trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it points to an external URL.', $bag_name));
            }
        }
    }
    return $sanitized;
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.