[Drupal] Form API unsanitized user input should not be used

php

(Pierre-Loup Tristant) #1

Introduction
This new feature suggestion comes from a custom rules set dedicated to PHP and Drupal 8 security.

Description
In the Form API, using data from $form_state->getUserInput() is a security risk.
Use data from $form_state->getValues() (or $form_state->getValue() for a single element) instead.

Impact
getUserInput() returns raw, unvalidated form values that may lead to injection attacks.

Noncompliant Code Example

$email = $form_state->getUserInput()['email'];

Compliant Code Example

$email = $form_state->getValue('email');
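The following Drupal 8 form class is an added illustration (not code from the post or from Drupal core); the module name "example" and the class name are assumptions. It shows which Form API checks are skipped when a submit handler reads getUserInput() instead of getValue():

```php
<?php
namespace Drupal\example\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

// Hypothetical module "example"; the class name is an assumption.
class NewsletterForm extends FormBase {

  public function getFormId() {
    return 'example_newsletter_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['email'] = [
      '#type' => 'email',        // Form API validates the address format.
      '#title' => $this->t('Email'),
      '#required' => TRUE,
    ];
    $form['frequency'] = [
      '#type' => 'select',       // Form API rejects values not listed in #options.
      '#title' => $this->t('Frequency'),
      '#options' => ['daily' => $this->t('Daily'), 'weekly' => $this->t('Weekly')],
    ];
    $form['actions']['submit'] = ['#type' => 'submit', '#value' => $this->t('Subscribe')];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    // Custom rule on the processed value; a validation error prevents submitForm() from running.
    if (preg_match('/@example\.invalid$/', $form_state->getValue('email'))) {
      $form_state->setErrorByName('email', $this->t('Please use a real address.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Noncompliant: raw POST data. It bypasses #required, the email format
    // check, the select #options check and validateForm() above.
    // $email = $form_state->getUserInput()['email'] ?? '';

    // Compliant: getValue() returns the processed values, and submit handlers
    // only run once every validation step has passed.
    $email = $form_state->getValue('email');
    $frequency = $form_state->getValue('frequency');
    $this->messenger()->addStatus($this->t('Subscribed @mail (@freq).',
      ['@mail' => $email, '@freq' => $frequency]));
  }

}
```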

References

Type
Vulnerability

Tags
cwe, owasp-a1, drupal