public RedirectResponseSubscriber::sanitizeDestination(GetResponseEvent $event)
Sanitize the destination parameter to prevent open redirect attacks.
Parameters
\Symfony\Component\HttpKernel\Event\GetResponseEvent $event: The Event to process.
File
- core/lib/Drupal/Core/EventSubscriber/RedirectResponseSubscriber.php, line 138
Class
- RedirectResponseSubscriber
- Allows manipulation of the response object when performing a redirect.
Namespace
Drupal\Core\EventSubscriber
Code
public function sanitizeDestination(GetResponseEvent $event) {
$request = $event->getRequest();
// Sanitize the destination parameter (which is often used for redirects) to
// prevent open redirect attacks leading to other domains. Sanitize both
// $_GET['destination'] and $_REQUEST['destination'] to protect code that
// relies on either, but do not sanitize $_POST to avoid interfering with
// unrelated form submissions. The sanitization happens here because
// url_is_external() requires the variable system to be available.
$query_info = $request->query;
$request_info = $request->request;
if ($query_info->has('destination') || $request_info->has('destination')) {
// If the destination is an external URL, remove it.
if ($query_info->has('destination') && UrlHelper::isExternal($query_info->get('destination'))) {
$query_info->remove('destination');
$request_info->remove('destination');
}
// If there's still something in $_REQUEST['destination'] that didn't come
// from $_GET, check it too.
if ($request_info->has('destination') && (!$query_info->has('destination') || $request_info->get('destination') != $query_info->get('destination')) && UrlHelper::isExternal($request_info->get('destination'))) {
$request_info->remove('destination');
}
}
}
Please login to continue.