You are here

Home » API reference » Drupal 8 » RequestSanitizer.php » RequestSanitizer

protected static function RequestSanitizer::processParameterBag in Drupal 8

Same name and namespace in other branches
  1. 9 core/lib/Drupal/Core/Security/RequestSanitizer.php \Drupal\Core\Security\RequestSanitizer::processParameterBag()

Processes a request parameter bag.

Parameters

\Symfony\Component\HttpFoundation\ParameterBag $bag: The parameter bag to process.

string[] $whitelist: An array of keys to whitelist as safe.

bool $log_sanitized_keys: Set to TRUE to log keys that are sanitized.

string $bag_name: The request parameter bag name. Either 'query', 'request' or 'cookies'.

string $message: The message to log if the parameter bag contains keys that are removed. If the message contains %s that is replaced by a list of removed keys.

Return value

bool TRUE if the parameter bag has been sanitized, FALSE if not.

1 call to RequestSanitizer::processParameterBag()
RequestSanitizer::sanitize in core/lib/Drupal/Core/Security/RequestSanitizer.php
Strips dangerous keys from user input.

File

core/lib/Drupal/Core/Security/RequestSanitizer.php, line 81

Class

RequestSanitizer
Sanitizes user input.

Namespace

Drupal\Core\Security

Code

protected static function processParameterBag(ParameterBag $bag, $whitelist, $log_sanitized_keys, $bag_name, $message) {
  $sanitized = FALSE;
  $sanitized_keys = [];
  $bag
    ->replace(static::stripDangerousValues($bag
    ->all(), $whitelist, $sanitized_keys));
  if (!empty($sanitized_keys)) {
    $sanitized = TRUE;
    if ($log_sanitized_keys) {
      trigger_error(sprintf($message, implode(', ', $sanitized_keys)));
    }
  }
  if ($bag
    ->has('destination')) {
    $destination = $bag
      ->get('destination');
    $destination_dangerous_keys = static::checkDestination($destination, $whitelist);
    if (!empty($destination_dangerous_keys)) {

      // The destination is removed rather than sanitized because the URL
      // generator service is not available and this method is called very
      // early in the bootstrap.
      $bag
        ->remove('destination');
      $sanitized = TRUE;
      if ($log_sanitized_keys) {
        trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it contained the following keys: %s', $bag_name, implode(', ', $destination_dangerous_keys)));
      }
    }

    // Sanitize the destination parameter (which is often used for redirects)
    // to prevent open redirect attacks leading to other domains.
    if (UrlHelper::isExternal($destination)) {

      // The destination is removed because it is an external URL.
      $bag
        ->remove('destination');
      $sanitized = TRUE;
      if ($log_sanitized_keys) {
        trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it points to an external URL.', $bag_name));
      }
    }
  }
  return $sanitized;
}