function CommonURLUnitTest::testLXSS

Confirm that invalid text given as $path is filtered.

File

modules/simpletest/tests/common.test, line 88

Tests for common.inc functionality.

Class

CommonURLUnitTest

Tests for URL generation functions.

Code

function testLXSS() {
  $text = $this
    ->randomName();
  $path = "<SCRIPT>alert('XSS')</SCRIPT>";
  $link = l($text, $path);
  $sanitized_path = check_url(url($path));
  $this
    ->assertTrue(strpos($link, $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered', array(
    '@path' => $path,
  )));

  // Verify that a dangerous protocol is sanitized.
  $text = $this
    ->randomName();
  $path = "javascript:alert('XSS')";
  $link = l($text, $path, array(
    'external' => TRUE,
  ));
  $this
    ->assertTrue(strpos($link, 'javascript:') === FALSE, 'Dangerous protocol javascript: was sanitized.');

  // Verify that these harmless javascript paths are left intact for BC.
  $special_case_js_paths = array(
    'javascript:void()',
    'javascript:void();',
    'javascript:void(0)',
    'javascript:void(0);',
    'JavaScript:Void(0)',
  );
  foreach ($special_case_js_paths as $path) {
    $text = $this
      ->randomName();
    $link = l($text, $path, array(
      'external' => TRUE,
    ));
    $this
      ->assertTrue(strpos($link, $path) !== FALSE, format_string('Harmless @path was not sanitized.', array(
      '@path' => $path,
    )));
  }
}