ElementHelper::cleanseQueryCriteria()

brandonkelly · brandonkelly · commit 8cb817f4cf09 · 2026-02-11T16:09:04.000-08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@
 > Relational condition rules’ element ID templates are now rendered in a sandboxed Twig environment, when `enableTwigSandbox` is enabled.
 
 - The `create()` Twig function now allows `craft\helpers\` classes to be created. ([#18376](https://github.com/craftcms/cms/discussions/18376))
+- Added `craft\helpers\ElementHelper::cleanseQueryCriteria()`.
 - Fixed an error that could occur when editing an element with a Table field. ([#18408](https://github.com/craftcms/cms/pull/18408))
 - Fixed a [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) RCE vulnerability. (GHSA-fp5j-j7j4-mcxc)
 
diff --git a/src/controllers/ElementIndexesController.php b/src/controllers/ElementIndexesController.php
@@ -605,20 +605,7 @@ protected function elementQuery(): ElementQueryInterface
             }
 
             // Remove unsupported criteria attributes
-            unset(
-                $criteria['where'],
-                $criteria['orderBy'],
-                $criteria['indexBy'],
-                $criteria['select'],
-                $criteria['selectOption'],
-                $criteria['from'],
-                $criteria['groupBy'],
-                $criteria['join'],
-                $criteria['having'],
-                $criteria['union'],
-                $criteria['withQueries'],
-                $criteria['params'],
-            );
+            ElementHelper::cleanseQueryCriteria($criteria);
 
             Craft::configure($query, Component::cleanseConfig($criteria));
         }
diff --git a/src/helpers/ElementHelper.php b/src/helpers/ElementHelper.php
@@ -840,4 +840,28 @@ public static function searchableAttributes(ElementInterface $element): array
         }
         return array_keys($searchableAttributes);
     }
+
+    /**
+     * Removes values from a posted element query criteria, which would typically not be user-editable.
+     *
+     * @since 4.17.4
+     */
+    public static function cleanseQueryCriteria(array $criteria): array
+    {
+        unset(
+            $criteria['where'],
+            $criteria['orderBy'],
+            $criteria['indexBy'],
+            $criteria['select'],
+            $criteria['selectOption'],
+            $criteria['from'],
+            $criteria['groupBy'],
+            $criteria['join'],
+            $criteria['having'],
+            $criteria['union'],
+            $criteria['withQueries'],
+            $criteria['params'],
+        );
+        return $criteria;
+    }
 }
