[Drupal] Form API unsanitized user input should not be used

php

(Pierre-Loup Tristant) #1

Introduction
This new feature suggestion comes from a custom rule set dedicated to PHP and Drupal 8 security.

Description
In the Form API, using data from $form_state->getUserInput() is a security risk.
Use data from $form_state->values instead.

Impact
getUserInput() returns raw, unvalidated form values that may lead to injection attacks.

Noncompliant Code Example

// getUserInput() takes no key and returns the whole raw submission array,
// untouched by form processing or validation.
$email = $form_state->getUserInput()['email'];

Compliant Code Example

// getValue() reads the processed, validated value of a declared form element.
$email = $form_state->getValue('email');

References

Type
Vulnerability

Tags
cwe, owasp-a1, drupal
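To show concretely why the two accessors differ, here is an added example that is not part of this post, of Drupal, or of any SonarSource rule. Since a real Drupal form needs the whole framework to run, it uses a small stand-in class, FakeFormState, that models only the methods the example touches (getUserInput(), getValue(), setValue(), setErrorByName()) with the same shapes as FormStateInterface. In real Drupal the values array is filled by form processing from the elements you declared, and submit handlers are skipped when validation set an error; the stand-in reproduces that outcome by only putting a value into the validated set when it passed validateForm(). The ContactForm class and the sample submission are constructed for this example.

```php
<?php
// Added example, not code from the forum post, Drupal, or SonarSource.
// FakeFormState is a hypothetical stand-in for Drupal's FormStateInterface
// so the snippet runs in plain PHP; only the methods used below are modelled.
final class FakeFormState
{
    private array $input;        // raw submission, as getUserInput() returns it
    private array $values = [];  // processed/validated values, as getValue() reads
    private array $errors = [];

    public function __construct(array $rawInput) { $this->input = $rawInput; }

    public function getUserInput(): array { return $this->input; }
    public function getValue(string $key, $default = null) { return $this->values[$key] ?? $default; }
    public function setValue(string $key, $value): void { $this->values[$key] = $value; }
    public function setErrorByName(string $name, string $message): void { $this->errors[$name] = $message; }
    public function getErrors(): array { return $this->errors; }
}

// Hypothetical form class: validation decides what reaches the validated set.
final class ContactForm
{
    public function validateForm(FakeFormState $form_state): void
    {
        // Validation is the one place where reading the raw array is expected.
        $raw = $form_state->getUserInput()['email'] ?? '';
        $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            $form_state->setErrorByName('email', 'Enter a valid e-mail address.');
            return; // nothing is promoted to the validated values
        }
        $form_state->setValue('email', $email);
    }

    // Noncompliant: reads the raw array, so whatever the client sent is used,
    // regardless of what validation decided.
    public function submitNoncompliant(FakeFormState $form_state): string
    {
        $email = $form_state->getUserInput()['email'] ?? '';
        return "Subscribed: $email";
    }

    // Compliant: reads the validated value; if validation rejected the input
    // there is simply nothing to act on.
    public function submitCompliant(FakeFormState $form_state): string
    {
        $email = $form_state->getValue('email');
        return $email === null
            ? 'No validated e-mail; nothing submitted.'
            : "Subscribed: $email";
    }
}

// Constructed sample submission: the email field carries a CRLF sequence,
// which is not a valid address and would be rejected by validation.
$form_state = new FakeFormState(['email' => "bob@example.com\r\nBcc: everyone@example.net"]);
$form = new ContactForm();
$form->validateForm($form_state);

echo count($form_state->getErrors()) . " validation error(s)", PHP_EOL;
echo $form->submitNoncompliant($form_state), PHP_EOL; // raw value flows through unchecked
echo $form->submitCompliant($form_state), PHP_EOL;    // validated path has nothing to use
```

Run with `php example.php`: the noncompliant handler echoes the rejected raw value, while the compliant one reports that no validated value exists. This is the property a static rule flagging getUserInput() outside validation is meant to preserve: only data that went through the declared form elements and validateForm() should reach submit logic.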


(Tibor Blenessy) #5

Hello @Pierre-Loup,

thanks for the suggestion and sorry for the late reply. We are working on new security oriented rules for PHP, and this is quite interesting for us. For now we are focusing on basic injection rules, but we will consider it a bit later, perhaps in Q2.