attributes->get(self::SANITIZED, FALSE)) { // Process query string parameters. $get_sanitized_keys = []; $request->query->replace(static::stripDangerousValues($request->query->all(), $whitelist, $get_sanitized_keys)); if ($log_sanitized_keys && !empty($get_sanitized_keys)) { trigger_error(sprintf('Potentially unsafe keys removed from query string parameters (GET): %s', implode(', ', $get_sanitized_keys))); } // Request body parameters. $post_sanitized_keys = []; $request->request->replace(static::stripDangerousValues($request->request->all(), $whitelist, $post_sanitized_keys)); if ($log_sanitized_keys && !empty($post_sanitized_keys)) { trigger_error(sprintf('Potentially unsafe keys removed from request body parameters (POST): %s', implode(', ', $post_sanitized_keys))); } // Cookie parameters. $cookie_sanitized_keys = []; $request->cookies->replace(static::stripDangerousValues($request->cookies->all(), $whitelist, $cookie_sanitized_keys)); if ($log_sanitized_keys && !empty($cookie_sanitized_keys)) { trigger_error(sprintf('Potentially unsafe keys removed from cookie parameters: %s', implode(', ', $cookie_sanitized_keys))); } if (!empty($get_sanitized_keys) || !empty($post_sanitized_keys) || !empty($cookie_sanitized_keys)) { $request->overrideGlobals(); } $request->attributes->set(self::SANITIZED, TRUE); } return $request; } /** * Strips dangerous keys from $input. * * @param mixed $input * The input to sanitize. * @param string[] $whitelist * An array of keys to whitelist as safe. * @param string[] $sanitized_keys * An array of keys that have been removed. * * @return mixed * The sanitized input. */ protected static function stripDangerousValues($input, array $whitelist, array &$sanitized_keys) { if (is_array($input)) { foreach ($input as $key => $value) { if ($key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) { unset($input[$key]); $sanitized_keys[] = $key; } else { $input[$key] = static::stripDangerousValues($input[$key], $whitelist, $sanitized_keys); } } } return $input; } }