[Drupal] Form API unsanitized user input should not be used

Introduction
This new feature suggestion comes from a custom rule set dedicated to PHP and Drupal 8 security.

Description
In the Form API, using data from $form_state->getUserInput() is a security risk.
Use data from $form_state->values instead.

Impact
getUserInput() returns raw, unvalidated form values that may lead to injection attacks.

Noncompliant Code Example

// getUserInput() takes no key and returns the raw request array, untouched by element processing or validation
$email = $form_state->getUserInput()['email'];

Compliant Code Example

// getValue() returns the processed value for the declared form element, available once validation has run
$email = $form_state->getValue('email');

References

Type
Vulnerability

Tags
cwe, owasp-a1, drupal
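To make the distinction concrete, here is an added example (not code from the original post or from Drupal itself) of a minimal Drupal 8 form in which the validation and submit handlers read the processed value through getValue(), while the raw request array from getUserInput() is shown only to illustrate what the rule would flag. The module name "example" and the class name are assumptions.

```php
<?php
// Added example, not part of the original rule suggestion. Assumes a
// hypothetical module named "example" that ships this form class.

namespace Drupal\example\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

class ContactEmailForm extends FormBase {

  public function getFormId() {
    return 'example_contact_email_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    // Declaring the element is what lets the Form API process and validate it.
    $form['email'] = [
      '#type' => 'email',
      '#title' => $this->t('Email address'),
      '#required' => TRUE,
    ];
    $form['actions']['submit'] = [
      '#type' => 'submit',
      '#value' => $this->t('Send'),
    ];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    // Validation works on the processed values: the Form API has already matched
    // the request against the declared elements, so undeclared keys never reach here.
    // The 'email' element type already checks the format; this is an extra
    // site-specific check shown for illustration.
    $email = $form_state->getValue('email');
    if (!\Drupal::service('email.validator')->isValid($email)) {
      $form_state->setErrorByName('email', $this->t('The email address is not valid.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Noncompliant (what the suggested rule would report): the raw request body,
    // bypassing element processing and every validation handler. Anything the
    // client sent under 'email', or under any other key, is present here verbatim.
    $raw = $form_state->getUserInput();
    $unsafe_email = $raw['email'] ?? '';   // do not use this value

    // Compliant: the value produced by the declared element, after validateForm()
    // has run and passed. This is the only value the submit handler should act on.
    $email = $form_state->getValue('email');

    $this->messenger()->addStatus($this->t('Message sent to @email.', ['@email' => $email]));
  }

}
```

The submit handler only runs when validation has passed, so getValue() there yields data that has been through both the element's own processing and any validateForm() checks; getUserInput() yields the same request whether or not validation succeeded, which is why reading it from business logic is the pattern the rule targets.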

Hello @Pierre-Loup,

thanks for the suggestion and sorry for the late reply. We are working on new security oriented rules for PHP, and this is quite interesting for us. For now we are focusing on basic injection rules, but we will consider it a bit later, perhaps in Q2.
