To prevent issues like https://github.com/piwik/plugin-CustomDimensions/issues/62
I would say the current way of sanitizing all input is rather an anti pattern and causes lots of bugs.
We need to check if we can remove this behaviour. Problem is that some functionality may not work anymore 100% and we need to make sure that all values are properly escaped when using them to not run into any security issues after removing it. This will be lots of work and need to see if we can manage this in Piwik 4.
Maybe we could also try to make that step by step... we currently use
Common::getRequestVar() to get anything from the request object. We could introduce a new method directly returning the original request value (not sanitized) and start using that new method everywhere. So we could already deprecate the
Common::getRequestVar() and remove it in Piwik 4 completely
That's a great idea! For API there is likely not a workaround possible for now. We could do something crazy and allow underscores like
$_id which would equal
$id but unsanitized and later simply switch it the other way around in Piwik 4 but not sure if it's a good idea or not. Be definitely good to do this step by step to avoid a big refactoring and big PR that takes ages
not sure if we are using request vars with an underscore anywhere else than here, but that likely might cause problems when using such a "magic" thing. So maybe introducing a new method might be easier, but not sure re naming
Sorry I meant API parameters, not in
getRequestVar. Any API parameter is automatically sanitized. For
getRequestVar we should definitely use new method.