function UrlTest::testLinkXSS in Zircon Profile 8
Same name and namespace in other branches
- 8.0 core/modules/system/src/Tests/Common/UrlTest.php \Drupal\system\Tests\Common\UrlTest::testLinkXSS()
Confirms that invalid URLs are filtered in link generating functions.
File
- core/
modules/ system/ src/ Tests/ Common/ UrlTest.php, line 33 - Contains \Drupal\system\Tests\Common\UrlTest.
Class
- UrlTest
- Confirm that \Drupal\Core\Url, \Drupal\Component\Utility\UrlHelper::filterQueryParameters(), \Drupal\Component\Utility\UrlHelper::buildQuery(), and \Drupal\Core\Utility\LinkGeneratorInterface::generate() work correctly with various input.
Namespace
Drupal\system\Tests\CommonCode
function testLinkXSS() {
// Test \Drupal::l().
$text = $this
->randomMachineName();
$path = "<SCRIPT>alert('XSS')</SCRIPT>";
$encoded_path = "3CSCRIPT%3Ealert%28%27XSS%27%29%3C/SCRIPT%3E";
$link = \Drupal::l($text, Url::fromUserInput('/' . $path));
$this
->assertTrue(strpos($link, $encoded_path) !== FALSE && strpos($link, $path) === FALSE, format_string('XSS attack @path was filtered by \\Drupal\\Core\\Utility\\LinkGeneratorInterface::generate().', array(
'@path' => $path,
)));
// Test \Drupal\Core\Url.
$link = Url::fromUri('base:' . $path)
->toString();
$this
->assertTrue(strpos($link, $encoded_path) !== FALSE && strpos($link, $path) === FALSE, format_string('XSS attack @path was filtered by #theme', [
'@path' => $path,
]));
}