function UrlTest::testLinkXSS
Same name and namespace in other branches
- 9 core/modules/system/tests/src/Kernel/Common/UrlTest.php \Drupal\Tests\system\Kernel\Common\UrlTest::testLinkXSS()
- 10 core/modules/system/tests/src/Kernel/Common/UrlTest.php \Drupal\Tests\system\Kernel\Common\UrlTest::testLinkXSS()
- 11.x core/modules/system/tests/src/Kernel/Common/UrlTest.php \Drupal\Tests\system\Kernel\Common\UrlTest::testLinkXSS()
Confirms that invalid URLs are filtered in link generating functions.
File
core/modules/system/tests/src/Functional/Common/UrlTest.php, line 35
Class
- UrlTest
- Confirm that \Drupal\Core\Url, \Drupal\Component\Utility\UrlHelper::filterQueryParameters(), \Drupal\Component\Utility\UrlHelper::buildQuery(), and \Drupal\Core\Utility\LinkGeneratorInterface::generate() work correctly with various input.
Namespace
Drupal\Tests\system\Functional\Common
Code
  public function testLinkXSS() {
    // Test link generator.
    $text = $this->randomMachineName();
    $path = "<SCRIPT>alert('XSS')</SCRIPT>";
    // Percent-encoded form of the payload. The leading '%' of '%3C' is left
    // off, so the assertions below are substring matches on the remainder.
    $encoded_path = "3CSCRIPT%3Ealert%28%27XSS%27%29%3C/SCRIPT%3E";

    $link = Link::fromTextAndUrl($text, Url::fromUserInput('/' . $path))->toString();
    $this->assertStringContainsString($encoded_path, $link, new FormattableMarkup('XSS attack @path was filtered by \\Drupal\\Core\\Utility\\LinkGeneratorInterface::generate().', [
      '@path' => $path,
    ]));
    $this->assertStringNotContainsString($path, $link, new FormattableMarkup('XSS attack @path was filtered by \\Drupal\\Core\\Utility\\LinkGeneratorInterface::generate().', [
      '@path' => $path,
    ]));

    // Test \Drupal\Core\Url.
    $link = Url::fromUri('base:' . $path)->toString();
    $this->assertStringContainsString($encoded_path, $link, new FormattableMarkup('XSS attack @path was filtered by #theme', [
      '@path' => $path,
    ]));
    $this->assertStringNotContainsString($path, $link, new FormattableMarkup('XSS attack @path was filtered by #theme', [
      '@path' => $path,
    ]));
  }
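The following is an added example, not Drupal core code, showing in plain PHP the two steps the test above relies on: percent-encoding the path before it is placed in a URL, then escaping the attribute value when the anchor is rendered. The `encode_path()` and `render_link()` helpers are stand-ins written for this illustration; `encode_path()` assumes the same approach as `UrlHelper::encodePath()` (rawurlencode, with `/` separators restored).

```php
<?php
// Added example (not Drupal core code): reproduce, without Drupal, the
// filtering that testLinkXSS() asserts on.

// Stand-in for the path encoding step: percent-encode every byte except the
// unreserved characters, then restore the '/' segment separators.
function encode_path(string $path): string {
    return str_replace('%2F', '/', rawurlencode($path));
}

// Build an anchor the way a link generator should: encode the path first,
// then escape the whole attribute value so quotes and angle brackets cannot
// terminate the attribute or the tag. Link text is escaped separately.
function render_link(string $text, string $user_path): string {
    $href = '/' . encode_path(ltrim($user_path, '/'));
    return sprintf(
        '<a href="%s">%s</a>',
        htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    );
}

// Same constructed payload as the test; the expected value here keeps the
// leading '%' that the test's $encoded_path omits.
$path = "<SCRIPT>alert('XSS')</SCRIPT>";
$encoded_path = "%3CSCRIPT%3Ealert%28%27XSS%27%29%3C/SCRIPT%3E";

$link = render_link('example', $path);

// Mirror the two assertions from testLinkXSS(): the encoded form is present
// and the raw payload is not (requires PHP 8 for str_contains()).
assert(str_contains($link, $encoded_path));
assert(!str_contains($link, $path));

echo $link, PHP_EOL;
```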