function RequestSanitizer::stripDangerousValues

Same name in other branches
  1. 9 core/lib/Drupal/Core/Security/RequestSanitizer.php \Drupal\Core\Security\RequestSanitizer::stripDangerousValues()
  2. 10 core/lib/Drupal/Core/Security/RequestSanitizer.php \Drupal\Core\Security\RequestSanitizer::stripDangerousValues()
  3. 11.x core/lib/Drupal/Core/Security/RequestSanitizer.php \Drupal\Core\Security\RequestSanitizer::stripDangerousValues()

Strips dangerous keys from $input.

Parameters

mixed $input: The input to sanitize.

string[] $whitelist: An array of keys to whitelist as safe.

string[] $sanitized_keys: An array of keys that have been removed.

Return value

mixed The sanitized input.

2 calls to RequestSanitizer::stripDangerousValues()
RequestSanitizer::checkDestination in core/lib/Drupal/Core/Security/RequestSanitizer.php
Checks a destination string to see if it is dangerous.
RequestSanitizer::processParameterBag in core/lib/Drupal/Core/Security/RequestSanitizer.php
Processes a request parameter bag.

File

core/lib/Drupal/Core/Security/RequestSanitizer.php, line 153

Class

RequestSanitizer
Sanitizes user input.

Namespace

Drupal\Core\Security

Code

protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) {
    if (is_array($input)) {
        foreach ($input as $key => $value) {
            if ($key !== '' && ((string) $key)[0] === '#' && !in_array($key, $whitelist, TRUE)) {
                unset($input[$key]);
                $sanitized_keys[] = $key;
            }
            else {
                $input[$key] = static::stripDangerousValues($input[$key], $whitelist, $sanitized_keys);
            }
        }
    }
    return $input;
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.