You are here

public function DestinationTest::testDestination in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/system/src/Tests/Routing/DestinationTest.php \Drupal\system\Tests\Routing\DestinationTest::testDestination()

Tests that $_GET/$_REQUEST['destination'] only contain internal URLs.

File

core/modules/system/src/Tests/Routing/DestinationTest.php, line 33
Contains \Drupal\system\Tests\Routing\DestinationTest.

Class

DestinationTest
Tests for $_GET['destination'] and $_REQUEST['destination'] validation.

Namespace

Drupal\system\Tests\Routing

Code

public function testDestination() {
  $test_cases = [
    [
      'input' => 'node',
      'output' => 'node',
      'message' => "Standard internal example node path is present in the 'destination' parameter.",
    ],
    [
      'input' => '/example.com',
      'output' => '/example.com',
      'message' => 'Internal path with one leading slash is allowed.',
    ],
    [
      'input' => '//example.com/test',
      'output' => '',
      'message' => 'External URL without scheme is not allowed.',
    ],
    [
      'input' => 'example:test',
      'output' => 'example:test',
      'message' => 'Internal URL using a colon is allowed.',
    ],
    [
      'input' => 'http://example.com',
      'output' => '',
      'message' => 'External URL is not allowed.',
    ],
    [
      'input' => 'javascript:alert(0)',
      'output' => 'javascript:alert(0)',
      'message' => 'Javascript URL is allowed because it is treated as an internal URL.',
    ],
  ];
  foreach ($test_cases as $test_case) {

    // Test $_GET['destination'].
    $this
      ->drupalGet('system-test/get-destination', [
      'query' => [
        'destination' => $test_case['input'],
      ],
    ]);
    $this
      ->assertIdentical($test_case['output'], $this
      ->getRawContent(), $test_case['message']);

    // Test $_REQUEST['destination'].
    $post_output = $this
      ->drupalPost('system-test/request-destination', '*', [
      'destination' => $test_case['input'],
    ]);
    $this
      ->assertIdentical($test_case['output'], $post_output, $test_case['message']);
  }

  // Make sure that 404 pages do not populate $_GET['destination'] with
  // external URLs.
  \Drupal::configFactory()
    ->getEditable('system.site')
    ->set('page.404', 'system-test/get-destination')
    ->save();
  $this
    ->drupalGet('http://example.com', [
    'external' => FALSE,
  ]);
  $this
    ->assertResponse(404);
  $this
    ->assertIdentical(Url::fromRoute('<front>')
    ->toString(), $this
    ->getRawContent(), 'External URL is not allowed on 404 pages.');
}