function CommonXssUnitTest::testBadProtocolStripping in Drupal 7
Check that harmful protocols are stripped.
File
- modules/
simpletest/ tests/ common.test, line 526 - Tests for common.inc functionality.
Class
- CommonXssUnitTest
- Tests for check_plain(), filter_xss(), format_string(), and check_url().
Code
function testBadProtocolStripping() {
// Ensure that check_url() strips out harmful protocols, and encodes for
// HTML. Ensure drupal_strip_dangerous_protocols() can be used to return a
// plain-text string stripped of harmful protocols.
$url = 'javascript:http://www.example.com/?x=1&y=2';
$expected_plain = 'http://www.example.com/?x=1&y=2';
$expected_html = 'http://www.example.com/?x=1&y=2';
$this
->assertIdentical(check_url($url), $expected_html, 'check_url() filters a URL and encodes it for HTML.');
$this
->assertIdentical(drupal_strip_dangerous_protocols($url), $expected_plain, 'drupal_strip_dangerous_protocols() filters a URL and returns plain text.');
}