Currently, any part of Matomo (including core, core plugins, 3rd party plugins) can and do use the
$_GET/$_POST variables directly, to either change the context in which other code runs (like changing the site/date), or to read query params directly.
This is not desirable, since it can lead to instances where
$_GET has one value and
$_POST has another. Or instances where reading it directly can bypass sanitization. Which can create odd, hard to diagnose bugs, or even potential security vulnerabilities.
To fix this, we should:
Common::getRequestVarinstead of using the superglobals)
Would have to be done for matomo 4.