View source
<?php
namespace Drupal\Tests\system\Functional\Routing;
use Drupal\Core\Url;
use Drupal\Tests\BrowserTestBase;
class DestinationTest extends BrowserTestBase {
protected static $modules = [
'system_test',
];
protected $defaultTheme = 'stark';
public function testDestination() {
$http_client = $this
->getHttpClient();
$session = $this
->getSession();
$test_cases = [
[
'input' => 'node',
'output' => 'node',
'message' => "Standard internal example node path is present in the 'destination' parameter.",
],
[
'input' => '/example.com',
'output' => '/example.com',
'message' => 'Internal path with one leading slash is allowed.',
],
[
'input' => '//example.com/test',
'output' => '',
'message' => 'External URL without scheme is not allowed.',
],
[
'input' => 'example:test',
'output' => 'example:test',
'message' => 'Internal URL using a colon is allowed.',
],
[
'input' => 'http://example.com',
'output' => '',
'message' => 'External URL is not allowed.',
],
[
'input' => 'javascript:alert(0)',
'output' => 'javascript:alert(0)',
'message' => 'JavaScript URL is allowed because it is treated as an internal URL.',
],
];
foreach ($test_cases as $test_case) {
$this
->drupalGet('system-test/get-destination', [
'query' => [
'destination' => $test_case['input'],
],
]);
$this
->assertSame($test_case['output'], $session
->getPage()
->getContent(), $test_case['message']);
$post_output = $http_client
->request('POST', $this
->buildUrl('system-test/request-destination'), [
'form_params' => [
'destination' => $test_case['input'],
],
]);
$this
->assertSame($test_case['output'], (string) $post_output
->getBody(), $test_case['message']);
}
\Drupal::configFactory()
->getEditable('system.site')
->set('page.404', '/system-test/get-destination')
->save();
$this
->drupalGet('http://example.com', [
'external' => FALSE,
]);
$this
->assertSession()
->statusCodeEquals(404);
$this
->assertSame(Url::fromRoute('<front>')
->toString(), $session
->getPage()
->getContent(), 'External URL is not allowed on 404 pages.');
}
}