public static function DrupalRequestSanitizer::sanitize in Drupal 7
Modifies the request superglobals ($_GET, $_POST, $_COOKIE and $_REQUEST) in place to strip dangerous keys from user input; it runs at most once per request.
2 calls to DrupalRequestSanitizer::sanitize()
- RequestSanitizerTest::requestSanitizationTest in modules/
simpletest/ tests/ request_sanitizer.test - Tests RequestSanitizer class.
- _drupal_bootstrap_configuration in includes/
bootstrap.inc - Sets up the script environment and loads settings.php.
File
- includes/
request-sanitizer.inc, line 21 - Contains code for sanitizing user input from the request.
Class
- DrupalRequestSanitizer
- Sanitizes user input from the request.
Code
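/**
 * Modifies the request to strip dangerous keys from user input.
 *
 * Rewrites $_GET, $_POST, $_COOKIE and $_REQUEST in place, dropping every key
 * that stripDangerousValues() classifies as dangerous (that classification
 * lives in stripDangerousValues(), which is not shown here) unless the key is
 * listed in the 'sanitize_input_whitelist' variable. Runs at most once per
 * request: the static $sanitized flag short-circuits later calls, and it is
 * only raised after all four arrays have been processed, so a caller never
 * sees a half-sanitized request reported as done.
 *
 * Security notes for reviewers:
 * - $_REQUEST is an independent copy of the other three superglobals, not a
 *   view onto them, so it must be (and is) sanitized on its own; filtering
 *   $_GET/$_POST/$_COOKIE does not reach it.
 * - Only these four superglobals are rewritten. The raw query string in
 *   $_SERVER['QUERY_STRING'] / $_SERVER['REQUEST_URI'] and the raw request
 *   body (php://input) are left untouched, so any code that re-parses those
 *   itself bypasses this sanitizer.
 *
 * When the 'sanitize_input_logging' variable is enabled, the names of the
 * stripped keys are reported via _drupal_trigger_error_with_delayed_logging()
 * as E_USER_NOTICE. Delayed logging is presumably needed because this runs
 * from _drupal_bootstrap_configuration(), i.e. very early in bootstrap —
 * confirm against the caller. Keys stripped from $_REQUEST are deliberately
 * not reported on their own: $_REQUEST is assembled from the other three
 * sources, so the same keys have already been reported for one of them.
 */
public static function sanitize() {
  if (self::$sanitized) {
    return;
  }

  // Cast defensively: a misconfigured scalar
  // $conf['sanitize_input_whitelist'] becomes a one-element list instead of
  // being handed to stripDangerousValues() as a non-array.
  $whitelist = (array) variable_get('sanitize_input_whitelist', array());
  $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);

  // Query string parameters.
  $get_sanitized_keys = array();
  $_GET = self::stripDangerousValues($_GET, $whitelist, $get_sanitized_keys);
  if ($log_sanitized_keys) {
    self::logRemovedKeys('Potentially unsafe keys removed from query string parameters (GET): @keys', $get_sanitized_keys);
  }

  // Request body parameters.
  $post_sanitized_keys = array();
  $_POST = self::stripDangerousValues($_POST, $whitelist, $post_sanitized_keys);
  if ($log_sanitized_keys) {
    self::logRemovedKeys('Potentially unsafe keys removed from request body parameters (POST): @keys', $post_sanitized_keys);
  }

  // Cookie parameters.
  $cookie_sanitized_keys = array();
  $_COOKIE = self::stripDangerousValues($_COOKIE, $whitelist, $cookie_sanitized_keys);
  if ($log_sanitized_keys) {
    self::logRemovedKeys('Potentially unsafe keys removed from cookie parameters (COOKIE): @keys', $cookie_sanitized_keys);
  }

  // The merged view, which holds its own copies of the keys above and so has
  // to be filtered separately. Not logged: see the method comment.
  $request_sanitized_keys = array();
  $_REQUEST = self::stripDangerousValues($_REQUEST, $whitelist, $request_sanitized_keys);

  self::$sanitized = TRUE;
}

/**
 * Reports the keys removed from one request source, if any were removed.
 *
 * @param string $message
 *   A format_string() pattern containing a single @keys placeholder.
 * @param array $keys
 *   Names of the keys that were stripped; nothing is logged when empty.
 */
private static function logRemovedKeys($message, array $keys) {
  if ($keys) {
    _drupal_trigger_error_with_delayed_logging(format_string($message, array(
      '@keys' => implode(', ', $keys),
    )), E_USER_NOTICE);
  }
}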