public function RequestSanitizerTest::testSanitizedDestinationGet in Drupal 9

Same name and namespace in other branches
  1. 8 core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php \Drupal\Tests\Core\Security\RequestSanitizerTest::testSanitizedDestinationGet()

Tests unacceptable destinations are removed from GET requests.

@dataProvider providerTestSanitizedDestinations

Parameters

string $destination: The destination string to test.

File

core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php, line 230

Class

RequestSanitizerTest
Tests RequestSanitizer class.

Namespace

Drupal\Tests\Core\Security

Code

public function testSanitizedDestinationGet($destination) {
  // Set up a GET request.
  $request = $this->createRequestForTesting(['destination' => $destination]);

  $request = RequestSanitizer::sanitize($request, [], TRUE);

  $this->assertNull($request->request->get('destination', NULL));
  $this->assertNull($request->query->get('destination', NULL));
  $this->assertArrayNotHasKey('destination', $_POST);
  $this->assertArrayNotHasKey('destination', $_REQUEST);
  $this->assertArrayNotHasKey('destination', $_GET);
  $this->assertError('Potentially unsafe destination removed from query parameter bag because it points to an external URL.', E_USER_NOTICE);
}
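
The behaviour this test asserts, as an added stand-alone illustration (not Drupal core code and not part of this page): a `destination` that points off-site is removed from the parameters and a notice with the same text is raised. The function names, the sample inputs and the `example.com` host are assumptions, and the external-URL heuristic is a simplification.

```php
<?php
// Added example, not Drupal core code. Both functions are hypothetical,
// simplified stand-ins: no scheme allow-list is applied here.

/** Returns TRUE when a destination could send the browser off-site. */
function is_external_destination(string $destination): bool {
  // Some browsers treat "\" as "/", so normalize before checking.
  $path = str_replace('\\', '/', $destination);
  // Protocol-relative URLs ("//host/path") always leave the site.
  if (strpos($path, '//') === 0) {
    return TRUE;
  }
  // A leading control character may be dropped by the browser. A failed
  // match (invalid UTF-8 returns FALSE) is treated as external too.
  if (preg_match('/^\p{C}/u', $path) !== 0) {
    return TRUE;
  }
  // A colon before any "/", "?" or "#" marks a URL scheme.
  $colon = strpos($path, ':');
  return $colon !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colon));
}

/** Removes an external 'destination' from $params; TRUE if removed. */
function sanitize_destination(array &$params, string $bag_name): bool {
  $destination = $params['destination'] ?? NULL;
  // Non-string values are left alone in this sketch.
  if (!is_string($destination) || !is_external_destination($destination)) {
    return FALSE;
  }
  unset($params['destination']);
  trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it points to an external URL.', $bag_name), E_USER_NOTICE);
  return TRUE;
}

// Collect notices so they can be counted instead of printed.
$notices = [];
set_error_handler(function (int $level, string $message) use (&$notices) {
  $notices[] = $message;
  return TRUE;
}, E_USER_NOTICE);

// Constructed inputs; example.com is a placeholder host.
$samples = ['node/1?page=2', 'search?q=a:b', 'https://example.com/', '//example.com/', '\\\\example.com/'];
foreach ($samples as $sample) {
  $query = ['destination' => $sample];
  $removed = sanitize_destination($query, 'query');
  printf("%-24s %s\n", $sample, $removed ? 'removed' : 'kept');
}
printf("%d notices raised\n", count($notices));
```

The two relative paths are kept, including the one whose colon appears after the `?`; the absolute, protocol-relative and backslash-prefixed values are removed.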