Introduction
This new feature suggestion comes from a custom rules set dedicated to PHP and Drupal 8 security.
Description
In the Form API, using data from $form_state->getUserInput() is a security risk: it is the raw submitted request payload, bypassing both element-level (#type) validation and the form's validateForm() handlers, and it may contain keys for elements the form never declared.
Use the validated data from $form_state->getValues() (or $form_state->getValue($key) for a single element) instead.
Impact
getUserInput() returns raw, unvalidated form values that may lead to injection attacks.
Noncompliant Code Example
$email = $form_state->getUserInput()['email']; // raw request data, never validated
Compliant Code Example
$email = $form_state->getValue('email'); // value of a declared element, after validation
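To show where the two calls differ in a real Drupal 8 form lifecycle, here is an added example (not part of the rule description): a hypothetical form class in a hypothetical "example" module, whose validateForm() only ever sees the mapped values, so submitForm() must read those and not the raw input.

```php
<?php

namespace Drupal\example\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

/**
 * Hypothetical form (module "example" is assumed) contrasting raw user input
 * with validated form values. Illustration only, not code from the rule set.
 */
class ContactForm extends FormBase {

  public function getFormId() {
    return 'example_contact_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    // '#type' => 'email' attaches element-level validation of the address format.
    $form['email'] = [
      '#type' => 'email',
      '#title' => $this->t('Email'),
      '#required' => TRUE,
    ];
    $form['submit'] = ['#type' => 'submit', '#value' => $this->t('Send')];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    // Form-level validation operates on the mapped value, not the raw payload.
    if (!\Drupal::service('email.validator')->isValid($form_state->getValue('email'))) {
      $form_state->setErrorByName('email', $this->t('Invalid email address.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Noncompliant: the raw request payload. Neither the '#type' => 'email'
    // check nor validateForm() above has touched it, and it may carry keys
    // for fields this form never declared.
    $raw_email = $form_state->getUserInput()['email'] ?? '';

    // Compliant: only declared elements, and only after validation passed.
    $email = $form_state->getValue('email');

    $this->messenger()->addStatus($this->t('Message sent to @email', ['@email' => $email]));
  }

}
```

Because submitForm() only runs when validation produced no errors, $email here is guaranteed to have passed both checks, whereas $raw_email carries no such guarantee.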
References
- MITRE CWE-20 - Improper Input Validation
- OWASP Top 10 2017 Category A1 - Injection
Type
Vulnerability
Tags
cwe, owasp-a1, drupal