function DrupalRequestSanitizer::cleanDestination

Removes the destination if it is dangerous.

Note this can only be called after common.inc has been included.

Return value

bool TRUE if the destination has been removed from $_GET, FALSE if not.

2 calls to DrupalRequestSanitizer::cleanDestination()
RequestSanitizerTest::requestSanitizationTest in modules/simpletest/tests/request_sanitizer.test
Tests RequestSanitizer class.
_drupal_bootstrap_variables in includes/bootstrap.inc
Loads system variables and all enabled bootstrap modules.

File

includes/request-sanitizer.inc, line 62

Class

DrupalRequestSanitizer
Sanitizes user input from the request.

Code

public static function cleanDestination() {
    $dangerous_keys = array();
    $log_sanitized_keys = variable_get('sanitize_input_logging', FALSE);
    $parts = drupal_parse_url($_GET['destination']);
    // If there is a query string, check its query parameters.
    if (!empty($parts['query'])) {
        $whitelist = variable_get('sanitize_input_whitelist', array());
        self::stripDangerousValues($parts['query'], $whitelist, $dangerous_keys);
        if (!empty($dangerous_keys)) {
            // The destination is removed rather than sanitized to mirror the
            // handling of external destinations.
            unset($_GET['destination']);
            unset($_REQUEST['destination']);
            if ($log_sanitized_keys) {
                trigger_error(format_string('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: @keys', array(
                    '@keys' => implode(', ', $dangerous_keys),
                )));
            }
            return TRUE;
        }
    }
    return FALSE;
}
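The check above, reduced to a stand-alone script as an added example (this is not Drupal's own code). It shows which destination values would be removed at any nesting depth and how a whitelist entry changes the outcome. It assumes, as in Drupal 7 core, that the keys stripDangerousValues() reports are those beginning with `#`; the function names `find_dangerous_keys` and `destination_dangerous_keys` are hypothetical, and the sample destinations are constructed.

```php
<?php
// Added illustration, not Drupal's code; runs without a Drupal bootstrap.

// Hypothetical stand-in for stripDangerousValues(): collects every key that
// starts with '#' and is not whitelisted, at any nesting depth (assumption).
function find_dangerous_keys($input, array $whitelist, array &$found) {
  if (!is_array($input)) {
    return;
  }
  foreach ($input as $key => $value) {
    if (is_string($key) && $key !== '' && $key[0] === '#' && !in_array($key, $whitelist, TRUE)) {
      $found[] = $key;
    }
    else {
      find_dangerous_keys($value, $whitelist, $found);
    }
  }
}

// Hypothetical stand-in for cleanDestination(): returns the keys that would
// get the destination dropped; an empty array means it is kept.
function destination_dangerous_keys($destination, array $whitelist = array()) {
  // Internal paths only: prefix a dummy host so parse_url() accepts them.
  $parts = parse_url('http://example.com/' . $destination);
  $found = array();
  if (!empty($parts['query'])) {
    parse_str($parts['query'], $query);
    find_dangerous_keys($query, $whitelist, $found);
  }
  return $found;
}

// Constructed sample values for $_GET['destination'] (already URL-decoded once).
$samples = array(
  'node/1',
  'node/1?page=2&sort=asc',
  'node/1?%23top=1',
  'node/1?filter[a][%23nested]=1',
);
foreach ($samples as $destination) {
  $keys = destination_dangerous_keys($destination);
  $verdict = $keys ? 'removed, keys: ' . implode(', ', $keys) : 'kept';
  printf("%-32s %s\n", $destination, $verdict);
}
// The same destination with its key whitelisted (cf. sanitize_input_whitelist).
$keys = destination_dangerous_keys('node/1?%23top=1', array('#top'));
printf("%-32s %s\n", 'node/1?%23top=1 (whitelisted)', $keys ? 'removed' : 'kept');
```

A single flagged key anywhere in the destination's query string is enough for the whole destination to be dropped, which matches the "removed rather than sanitized" comment in the function above.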
