Does yii2 getQueryParam() sanitize values?

I’m a little unclear. Does getQueryParam() sanitize user input, or does it return raw data that needs to be sanitized via htmlspecialchars() after being called?

I didn’t see this in:

Looking at the framework source code at vendor/yiisoft/yii2/web/Request.php (and pasted below) it does not appear any sanitization is being performed.

    private $_queryParams;

    /**
     * Returns the request parameters given in the [[queryString]].
     * This method will return the contents of `$_GET` if params were not explicitly set.
     * @return array the request GET parameter values.
     * @see setQueryParams()
     */
    public function getQueryParams()
    {
        if ($this->_queryParams === null) {
            return $_GET;
        }

        return $this->_queryParams;
    }
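To make the consequence concrete, here is an added example (not code from the thread or from the Yii source) showing that a raw query value is simply handed back and that escaping belongs at the point of output, with the encoder chosen for the output context. The `$_GET` contents and the tiny `getQueryParam()` stand-in are constructed for the example; the `htmlspecialchars()` flags are the ones `yii\helpers\Html::encode()` uses.

```php
<?php
// Added example, not from the forum post or from Yii: the framework returns
// the raw parameter, so encoding/validation is the caller's job.

// Constructed request data standing in for $_GET (what Request::getQueryParams()
// returns when no params were explicitly set).
$_GET = ['q' => '<script>alert(1)</script>', 'page' => '2abc'];

/** Stand-in with the same behaviour as Yii's getQueryParam(): raw value or default, no cleaning. */
function getQueryParam(string $name, $default = null)
{
    return $_GET[$name] ?? $default;
}

$q = getQueryParam('q', '');

// Unsafe: raw value interpolated straight into HTML markup.
$unsafe = "<p>Results for {$q}</p>";

// Safe: encode at output. ENT_QUOTES | ENT_SUBSTITUTE with an explicit charset
// is what yii\helpers\Html::encode() applies under the hood.
$safeHtml = '<p>Results for ' . htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';

// Attribute context: same encoder, and the attribute value is always quoted.
$safeAttr = '<input name="q" value="' . htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';

// URL context: a different encoder is needed; htmlspecialchars() is not enough here.
$safeUrl = '/search?q=' . rawurlencode($q);

// Validation is separate from encoding: enforce the type and range you expect,
// and fall back to a known-good value when the input does not match.
$page = filter_var(getQueryParam('page', '1'), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($page === false) {
    $page = 1;
}

echo $unsafe, PHP_EOL, $safeHtml, PHP_EOL, $safeAttr, PHP_EOL, $safeUrl, PHP_EOL, $page, PHP_EOL;
```

Run it with `php example.php`: the first line shows the script tag intact (the value is returned exactly as sent), the next two show it neutralised as `&lt;script&gt;...`, the URL line shows percent-encoding, and `page` falls back to `1` because `2abc` is not an integer. The same parameter needs a different treatment in each context, which is why the framework leaves it raw rather than guessing.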

Okay, good to know. I’ll have to sanitize it manually. Thanks!