You are here

public static function RequestSanitizer::sanitize in Drupal 8

Same name and namespace in other branches
  1. 9 core/lib/Drupal/Core/Security/RequestSanitizer.php \Drupal\Core\Security\RequestSanitizer::sanitize()

Strips dangerous keys from user input.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The incoming request to sanitize.

string[] $whitelist: An array of keys to whitelist as safe. See default.settings.php.

bool $log_sanitized_keys: (optional) Set to TRUE to log keys that are sanitized.

Return value

\Symfony\Component\HttpFoundation\Request The sanitized request.

6 calls to RequestSanitizer::sanitize()
DrupalKernel::preHandle in core/lib/Drupal/Core/DrupalKernel.php
Helper method that does request related initialization.
RequestSanitizerTest::testAcceptableDestinationGet in core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php
Tests acceptable destinations are not removed from GET requests.
RequestSanitizerTest::testAcceptableDestinationPost in core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php
Tests acceptable destinations are not removed from POST requests.
RequestSanitizerTest::testRequestSanitization in core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php
Tests RequestSanitizer class.
RequestSanitizerTest::testSanitizedDestinationGet in core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php
Tests unacceptable destinations are removed from GET requests.

... See full list

File

core/lib/Drupal/Core/Security/RequestSanitizer.php, line 42

Class

RequestSanitizer
Sanitizes user input.

Namespace

Drupal\Core\Security

Code

public static function sanitize(Request $request, $whitelist, $log_sanitized_keys = FALSE) {
  if (!$request->attributes
    ->get(self::SANITIZED, FALSE)) {
    $update_globals = FALSE;
    $bags = [
      'query' => 'Potentially unsafe keys removed from query string parameters (GET): %s',
      'request' => 'Potentially unsafe keys removed from request body parameters (POST): %s',
      'cookies' => 'Potentially unsafe keys removed from cookie parameters: %s',
    ];
    foreach ($bags as $bag => $message) {
      if (static::processParameterBag($request->{$bag}, $whitelist, $log_sanitized_keys, $bag, $message)) {
        $update_globals = TRUE;
      }
    }
    if ($update_globals) {
      $request
        ->overrideGlobals();
    }
    $request->attributes
      ->set(self::SANITIZED, TRUE);
  }
  return $request;
}