
public function ExternalFormUrlTest::testActionUrlBehavior in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/system/src/Tests/Form/ExternalFormUrlTest.php \Drupal\system\Tests\Form\ExternalFormUrlTest::testActionUrlBehavior()

Tests form behaviour.

File

core/modules/system/src/Tests/Form/ExternalFormUrlTest.php, line 76
Contains \Drupal\system\Tests\Form\ExternalFormUrlTest.

Class

ExternalFormUrlTest
Ensures that form actions can't be tricked into sending to external URLs.

Namespace

Drupal\system\Tests\Form

Code

/**
 * Checks the rendered form action for request URIs with leading slashes.
 *
 * A browser resolves an action attribute that starts with "//" as a
 * scheme-relative URL, so a request path of "//example.org" echoed back
 * unchanged would make the form submit to the host example.org. The first
 * scenario therefore expects the action to carry the site's own scheme and
 * host in front of the path; the second expects a single-slash path to be
 * emitted as a plain site-relative action.
 *
 * Note: the replacement request pushed in each scenario stays on the request
 * stack when this method returns.
 */
public function testActionUrlBehavior() {
  // Scenario 1: swap the current request for one whose request URI has
  // multiple leading slashes.
  $stack = \Drupal::service('request_stack');
  $replaced_request = $stack->pop();
  $double_slash_uri = $replaced_request->getSchemeAndHttpHost() . '//example.org';
  $stack->push(Request::create($double_slash_uri));

  // Build and render this test's form, then read back its action attribute.
  $built_form = \Drupal::formBuilder()->getForm($this);
  $this->setRawContent(\Drupal::service('renderer')->renderRoot($built_form));
  $action_nodes = $this->xpath('//form/@action');
  // Assumes the rendered markup contains at least one <form> with an action
  // attribute; index 0 is read without an emptiness check.
  $rendered_action = (string) $action_nodes[0];

  // The action must be the absolute URL on the site's own host, not the
  // scheme-relative "//example.org".
  $expected_absolute_action = $replaced_request->getSchemeAndHttpHost() . '//example.org';
  $this->assertEqual($expected_absolute_action, $rendered_action);

  // Scenario 2: repeat with a request URI that has a single leading slash.
  // The request popped here is the one pushed in scenario 1.
  $stack = \Drupal::service('request_stack');
  $replaced_request = $stack->pop();
  $single_slash_uri = $replaced_request->getSchemeAndHttpHost() . '/example.org';
  $stack->push(Request::create($single_slash_uri));

  $built_form = \Drupal::formBuilder()->getForm($this);
  $this->setRawContent(\Drupal::service('renderer')->renderRoot($built_form));
  $action_nodes = $this->xpath('//form/@action');
  $rendered_action = (string) $action_nodes[0];

  // A single leading slash is an ordinary site-relative path, so it is
  // expected back unchanged.
  $this->assertEqual('/example.org', $rendered_action);
}