function UrlTest::testLinkXSS
Same name in other branches
- 9 core/modules/system/tests/src/Kernel/Common/UrlTest.php \Drupal\Tests\system\Kernel\Common\UrlTest::testLinkXSS()
- 8.9.x core/modules/system/tests/src/Functional/Common/UrlTest.php \Drupal\Tests\system\Functional\Common\UrlTest::testLinkXSS()
- 11.x core/modules/system/tests/src/Kernel/Common/UrlTest.php \Drupal\Tests\system\Kernel\Common\UrlTest::testLinkXSS()
Confirms that invalid URLs are filtered in link generating functions.
File
- core/modules/system/tests/src/Kernel/Common/UrlTest.php, line 33
Class
- UrlTest
- Tests the Url object.
Namespace
Drupal\Tests\system\Kernel\Common
Code
public function testLinkXSS() : void {
  // Test link generator.
  $text = $this->randomMachineName();
  $path = "<SCRIPT>alert('XSS')</SCRIPT>";
  $encoded_path = "%3CSCRIPT%3Ealert%28%27XSS%27%29%3C/SCRIPT%3E";
  $link = (string) Link::fromTextAndUrl($text, Url::fromUserInput('/' . $path))->toString();
  $this->assertStringContainsString($encoded_path, $link, "XSS attack {$path} was filtered by \\Drupal\\Core\\Utility\\LinkGeneratorInterface::generate().");
  $this->assertStringNotContainsString($path, $link, "XSS attack {$path} was filtered by \\Drupal\\Core\\Utility\\LinkGeneratorInterface::generate().");

  // Test \Drupal\Core\Url.
  $link = (string) Url::fromUri('base:' . $path)->toString();
  $this->assertStringContainsString($encoded_path, $link, "XSS attack {$path} was filtered by #theme");
  $this->assertStringNotContainsString($path, $link, "XSS attack {$path} was filtered by #theme");
}