You are here

abstract class SecuredRedirectResponse in Drupal 9

Same name and namespace in other branches
  1. 8 core/lib/Drupal/Component/HttpFoundation/SecuredRedirectResponse.php \Drupal\Component\HttpFoundation\SecuredRedirectResponse

Provides a common base class for safe redirects.

In case you want to redirect to external URLs use TrustedRedirectResponse.

For local URLs we use LocalRedirectResponse which opts out of external redirects.

Hierarchy

  • class \Drupal\Component\HttpFoundation\SecuredRedirectResponse extends \Symfony\Component\HttpFoundation\RedirectResponse

Expanded class hierarchy of SecuredRedirectResponse

3 files declare their use of SecuredRedirectResponse
CacheableSecuredRedirectResponse.php in core/lib/Drupal/Core/Routing/CacheableSecuredRedirectResponse.php
RedirectResponseSubscriber.php in core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php
SecuredRedirectResponseTest.php in core/tests/Drupal/Tests/Component/HttpFoundation/SecuredRedirectResponseTest.php
Contains \Drupal\Tests\Component\HttpFoundation\SecuredRedirectResponseTest.

File

core/lib/Drupal/Component/HttpFoundation/SecuredRedirectResponse.php, line 16

Namespace

Drupal\Component\HttpFoundation
View source
abstract class SecuredRedirectResponse extends RedirectResponse {

  /**
   * Copies an existing redirect response into a safe one.
   *
   * The safe one cannot accidentally redirect to an external URL, unless
   * actively wanted (see TrustedRedirectResponse).
   *
   * @param \Symfony\Component\HttpFoundation\RedirectResponse $response
   *   The original redirect.
   *
   * @return static
   */
  public static function createFromRedirectResponse(RedirectResponse $response) {
    $safe_response = new static($response
      ->getTargetUrl(), $response
      ->getStatusCode(), $response->headers
      ->allPreserveCase());
    $safe_response
      ->fromResponse($response);
    return $safe_response;
  }

  /**
   * Copies over the values from the given response.
   *
   * @param \Symfony\Component\HttpFoundation\RedirectResponse $response
   *   The redirect response object.
   */
  protected function fromResponse(RedirectResponse $response) {
    $this
      ->setProtocolVersion($response
      ->getProtocolVersion());
    if ($response
      ->getCharset()) {
      $this
        ->setCharset($response
        ->getCharset());
    }

    // Cookies are separate from other headers and have to be copied over
    // directly.
    foreach ($response->headers
      ->getCookies() as $cookie) {
      $this->headers
        ->setCookie($cookie);
    }
  }

  /**
   * {@inheritdoc}
   */
  public function setTargetUrl($url) {
    if (!$this
      ->isSafe($url)) {
      throw new \InvalidArgumentException(sprintf('It is not safe to redirect to %s', $url));
    }
    return parent::setTargetUrl($url);
  }

  /**
   * Returns whether the URL is considered as safe to redirect to.
   *
   * @param string $url
   *   The URL checked for safety.
   *
   * @return bool
   */
  protected abstract function isSafe($url);

}

Members

Namesort descending Modifiers Type Description Overrides
SecuredRedirectResponse::createFromRedirectResponse public static function Copies an existing redirect response into a safe one.
SecuredRedirectResponse::fromResponse protected function Copies over the values from the given response. 1
SecuredRedirectResponse::isSafe abstract protected function Returns whether the URL is considered as safe to redirect to. 2
SecuredRedirectResponse::setTargetUrl public function