Clarify in the docs that RequestSanitizer should not be depended on for security

Created on 28 March 2018, about 7 years ago

Updated 13 May 2025, 4 days ago

Problem/Motivation

I think if you are looking at RequestSanitizer with docblocks like:

Strips dangerous keys from user input.

We shouldn't send the message that user input in the request object is actually safe (or safer?) or sanitized. While this may sanitize the exact class of injection for SA-CORE-2018-002, other classes of exploit wont (and shouldn't) be filtered here.

Proposed resolution

Clarify in the docs (or name of class/method) that RequestSanitizer is not general sanitization/protection/security.

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task

Status

Active

Version

11.0 🔥

Component

request processing system

Created by

🇦🇺Australia Sam152

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 4 days ago →
🇦🇺Australia mstrelan

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024