Problem/Motivation
To fix https://www.drupal.org/sa-core-2018-002, we introduced \Drupal\Core\Security\RequestSanitizer. We added functionality to it in https://www.drupal.org/sa-core-2018-004 and https://www.drupal.org/sa-core-2018-006. While fixing https://www.drupal.org/sa-core-2018-006, it was discussed whether putting that functionality into the RequestSanitizer was the right way to go.
@catch wrote:
I'm not sure about moving this to here; the original idea of the request sanitizer was to obfuscate the form API fix (which we'd eventually harden against properly in the public queue).
It's a lot tidier than the code in the RedirectResponseSubscriber but not really sure about putting more functionality into the request sanitizer.
Having said all that, this is something that should be discussed in the public queue so fine with a public follow-up for it either way.
Proposed resolution
Discuss the desired architecture for the RequestSanitizer
Remaining tasks
User interface changes
None
API changes
TBD
Data model changes
None