You are here

function XssUnitTest::testBadProtocolStripping in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/system/src/Tests/Common/XssUnitTest.php \Drupal\system\Tests\Common\XssUnitTest::testBadProtocolStripping()

Checks that harmful protocols are stripped.

File

core/modules/system/src/Tests/Common/XssUnitTest.php, line 48
Contains \Drupal\system\Tests\Common\XssUnitTest.

Class

XssUnitTest
Confirm that \Drupal\Component\Utility\Xss::filter() and check_url() work correctly, including invalid multi-byte sequences.

Namespace

Drupal\system\Tests\Common

Code

function testBadProtocolStripping() {

  // Ensure that check_url() strips out harmful protocols, and encodes for
  // HTML.
  // Ensure \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols() can
  // be used to return a plain-text string stripped of harmful protocols.
  $url = 'javascript:http://www.example.com/?x=1&y=2';
  $expected_plain = 'http://www.example.com/?x=1&y=2';
  $expected_html = 'http://www.example.com/?x=1&y=2';
  $this
    ->assertIdentical(check_url($url), $expected_html, 'check_url() filters a URL and encodes it for HTML.');
  $this
    ->assertIdentical(UrlHelper::filterBadProtocol($url), $expected_html, '\\Drupal\\Component\\Utility\\UrlHelper::filterBadProtocol() filters a URL and encodes it for HTML.');
  $this
    ->assertIdentical(UrlHelper::stripDangerousProtocols($url), $expected_plain, '\\Drupal\\Component\\Utility\\UrlHelper::stripDangerousProtocols() filters a URL and returns plain text.');
}