public static function DrupalRequestSanitizer::cleanDestination in Drupal 7
Removes the destination if it is dangerous.
Note that this can only be called after common.inc has been included, since it relies on drupal_parse_url(), which is defined there.
Return value
bool TRUE if the destination has been removed from $_GET, FALSE if not.
2 calls to DrupalRequestSanitizer::cleanDestination()
- RequestSanitizerTest::requestSanitizationTest in modules/simpletest/tests/request_sanitizer.test - Tests RequestSanitizer class.
- _drupal_bootstrap_variables in includes/bootstrap.inc - Loads system variables and all enabled bootstrap modules.
File
- includes/request-sanitizer.inc, line 62 - Contains code for sanitizing user input from the request.
Class
- DrupalRequestSanitizer - Sanitizes user input from the request.
Code
public static function cleanDestination() {
  $dangerous_keys = array();
  $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
  // drupal_parse_url() (common.inc) splits the destination into its path,
  // query parameters and fragment.
  $parts = drupal_parse_url($_GET['destination']);
  // If there is a query string, check its query parameters.
  if (!empty($parts['query'])) {
    $whitelist = variable_get('sanitize_input_whitelist', array());
    self::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
    if (!empty($dangerous_keys)) {
      // The destination is removed rather than sanitized to mirror the
      // handling of external destinations.
      unset($_GET['destination']);
      unset($_REQUEST['destination']);
      if ($log_sanitized_keys) {
        trigger_error(format_string('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: @keys', array(
          '@keys' => implode(', ', $dangerous_keys),
        )));
      }
      return TRUE;
    }
  }
  return FALSE;
}
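The check above, modelled in Python as an added example for testing which destinations a site would drop (this is not Drupal's code). It assumes the rule that stripDangerousValues(), which is not shown on this page, applies in Drupal 7: a query key is dangerous when it begins with '#' (the render-array property prefix) and is not an exact member of the sanitize_input_whitelist variable; only internal destinations are modelled, since external ones are rejected elsewhere.

```python
from urllib.parse import unquote_plus


def key_segments(raw_key):
    """Split a PHP-style key such as 'a[#b][c]' into ['a', '#b', 'c'].

    parse_str(), which drupal_parse_url() uses, turns the bracket syntax into
    nested arrays, and stripDangerousValues() recurses into them.
    """
    head, _, rest = raw_key.partition('[')
    segments = [head]
    while rest:
        seg, _, rest = rest.partition(']')
        segments.append(seg)
        if rest.startswith('['):
            rest = rest[1:]
    return segments


def dangerous_keys(destination, whitelist=()):
    """Return the non-whitelisted '#'-prefixed keys in the destination's query.

    `destination` is the already URL-decoded $_GET['destination'] value, so a
    literal '#' before the '?' starts the fragment, exactly as parse_url() sees it.
    """
    path_and_query, _, _fragment = destination.partition('#')
    _path, _, query = path_and_query.partition('?')
    found, seen = [], set()
    for pair in filter(None, query.split('&')):
        raw_key = unquote_plus(pair.split('=', 1)[0])
        if raw_key in seen:      # parse_str() merges duplicate keys
            continue
        seen.add(raw_key)
        for seg in key_segments(raw_key):
            if seg.startswith('#') and seg not in whitelist:
                found.append(seg)
                break            # a stripped subtree is not descended into
    return found


def clean_destination(get, whitelist=()):
    """Model of cleanDestination(): drop get['destination'] if its query
    carries a dangerous key. Returns True when it was removed (Drupal also
    unsets the $_REQUEST copy, which this constructed dict does not model)."""
    keys = dangerous_keys(get.get('destination', ''), whitelist)
    if not keys:
        return False
    del get['destination']
    return True
```

Feed dangerous_keys() the decoded destination from a request log to see what the sanitizer would have logged under sanitize_input_logging.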