function UrlTest::testLinkXSS
Confirms that invalid URLs are filtered in link generating functions.
File
- 
              core/modules/system/tests/src/Kernel/Common/UrlTest.php, line 29 
Class
- UrlTest
- Tests the Url object.
Namespace
Drupal\Tests\system\Kernel\Common
Code
/**
 * Confirms that invalid URLs are filtered in link generating functions.
 *
 * A path carrying a literal script tag is rendered through both the link
 * generator (Link::toString()) and Url::toString(); each rendered result must
 * contain the percent-encoded form of the path and must not contain the raw
 * markup.
 */
public function testLinkXSS() {
  $text = $this->randomMachineName();
  $path = "<SCRIPT>alert('XSS')</SCRIPT>";
  // Expected percent-encoded form of $path in the rendered output.
  // NOTE(review): this literal starts at "3C" rather than "%3C", so the
  // containment check matches the encoded tail only — confirm that the leading
  // '%' is deliberately omitted.
  $encoded_path = "3CSCRIPT%3Ealert%28%27XSS%27%29%3C/SCRIPT%3E";
  $placeholders = ['@path' => $path];

  // Link generator: the href must be encoded and the raw tag absent.
  $generator_message = 'XSS attack @path was filtered by \\Drupal\\Core\\Utility\\LinkGeneratorInterface::generate().';
  $url = Url::fromUserInput('/' . $path);
  $rendered = Link::fromTextAndUrl($text, $url)->toString();
  $this->assertStringContainsString($encoded_path, $rendered, new FormattableMarkup($generator_message, $placeholders));
  $this->assertStringNotContainsString($path, $rendered, new FormattableMarkup($generator_message, $placeholders));

  // \Drupal\Core\Url on its own: same expectations for a base: URI.
  $theme_message = 'XSS attack @path was filtered by #theme';
  $rendered = Url::fromUri('base:' . $path)->toString();
  $this->assertStringContainsString($encoded_path, $rendered, new FormattableMarkup($theme_message, $placeholders));
  $this->assertStringNotContainsString($path, $rendered, new FormattableMarkup($theme_message, $placeholders));
}
