function CommonURLUnitTest::testLXSS

Confirm that invalid text given as $path is filtered: markup in an internal path is encoded, a javascript: scheme on an external path is stripped, and the harmless javascript:void() forms are left intact for backwards compatibility.

File

modules/simpletest/tests/common.test, line 88

Class

CommonURLUnitTest
Tests for URL generation functions.

Code

function testLXSS() {
    // Verify that markup in an internal path never reaches the href as-is:
    // the link must contain the path as url() encodes it and check_url() escapes it.
    $text = $this->randomName();
    $path = "<SCRIPT>alert('XSS')</SCRIPT>";
    $link = l($text, $path);
    $sanitized_path = check_url(url($path));
    $this->assertTrue(strpos($link, $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered', array(
        '@path' => $path,
    )));
    // Verify that a dangerous protocol is sanitized.
    $text = $this->randomName();
    $path = "javascript:alert('XSS')";
    $link = l($text, $path, array(
        'external' => TRUE,
    ));
    $this->assertTrue(strpos($link, 'javascript:') === FALSE, 'Dangerous protocol javascript: was sanitized.');
    // Verify that these harmless javascript paths are left intact for BC.
    $special_case_js_paths = array(
        'javascript:void()',
        'javascript:void();',
        'javascript:void(0)',
        'javascript:void(0);',
        'JavaScript:Void(0)',
    );
    foreach ($special_case_js_paths as $path) {
        $text = $this->randomName();
        $link = l($text, $path, array(
            'external' => TRUE,
        ));
        $this->assertTrue(strpos($link, $path) !== FALSE, format_string('Harmless @path was not sanitized.', array(
            '@path' => $path,
        )));
    }
}
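The test above only asserts on the output of l(). The following is an added example, not code from Drupal core or from this test, that models the two layers l() relies on so the same three cases can be run with plain `php` outside a Drupal install: a case-insensitive, looping allowlist check on the URI scheme, followed by HTML escaping of the href. The `example_` function names, the fixed scheme allowlist (Drupal reads its own from the `filter_allowed_protocols` variable) and the regular expression used to express the javascript:void() exemption are assumptions made for this example; Drupal's actual implementation of that exemption is not reproduced here.

```php
<?php
// Added example, not Drupal core code. Names prefixed example_, the allowlist
// below and the void() regex are assumptions made for this illustration.

// Schemes allowed in an href (a fixed list for the example).
const EXAMPLE_ALLOWED_PROTOCOLS = array(
  'ftp', 'http', 'https', 'irc', 'mailto', 'news', 'nntp',
  'rtsp', 'sftp', 'ssh', 'tel', 'telnet', 'webcal',
);

/**
 * Strips every leading scheme that is not on the allowlist.
 *
 * Runs in a loop so that a URI such as "javascript:javascript:alert(1)"
 * cannot come out of a single pass with one scheme still attached.
 */
function example_strip_dangerous_protocols($uri) {
  $allowed = array_flip(EXAMPLE_ALLOWED_PROTOCOLS);
  do {
    $before = $uri;
    $colonpos = strpos($uri, ':');
    if ($colonpos > 0) {
      $protocol = substr($uri, 0, $colonpos);
      // A slash, question mark or hash before the colon means the colon is
      // part of a relative path (e.g. "node/1?a=b:c"), not a scheme.
      if (preg_match('![/?#]!', $protocol)) {
        break;
      }
      // Scheme names compare case-insensitively, so "JaVaScRiPt:" is caught.
      if (!isset($allowed[strtolower($protocol)])) {
        $uri = substr($uri, $colonpos + 1);
      }
    }
  } while ($before !== $uri);
  return $uri;
}

/**
 * The backwards-compatibility exemption the test documents: a bare
 * "javascript:void(0)" (with or without the 0 and the semicolon, any case)
 * runs no attacker-supplied code, so it is passed through unchanged.
 */
function example_is_harmless_js_void($path) {
  return (bool) preg_match('/^javascript:void\(0?\);?$/i', $path);
}

/**
 * Minimal stand-in for l(): sanitise the path, then HTML-escape both the
 * href and the link text (the real l() does the escaping via check_plain()).
 */
function example_l($text, $path, array $options = array()) {
  $options += array('external' => FALSE);
  if (!example_is_harmless_js_void($path)) {
    $path = example_strip_dangerous_protocols($path);
  }
  if (!$options['external']) {
    // Internal path: percent-encode each segment but keep the slashes, which
    // is what turns "<SCRIPT>" into "%3CSCRIPT%3E" in the first test case.
    $path = '/' . str_replace('%2F', '/', rawurlencode($path));
  }
  $href = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
  $label = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  return '<a href="' . $href . '">' . $label . '</a>';
}

// Constructed inputs: the three cases from testLXSS plus a nested scheme and
// a legitimate external URL whose query string happens to contain a colon.
// Columns: text, path, options, substring that must NOT appear, substring that must.
$cases = array(
  array('x', "<SCRIPT>alert('XSS')</SCRIPT>", array(), '<SCRIPT>', '%3CSCRIPT%3E'),
  array('x', "javascript:alert('XSS')", array('external' => TRUE), 'javascript:', NULL),
  array('x', 'javascript:void(0);', array('external' => TRUE), NULL, 'javascript:void(0);'),
  array('x', 'JavaScript:Void(0)', array('external' => TRUE), NULL, 'JavaScript:Void(0)'),
  array('x', 'javascript:javascript:alert(1)', array('external' => TRUE), 'javascript:', NULL),
  array('x', 'https://example.com/?q=a:b', array('external' => TRUE), NULL, 'https://example.com/'),
);

foreach ($cases as list($text, $path, $options, $forbidden, $required)) {
  $link = example_l($text, $path, $options);
  $ok = ($forbidden === NULL || stripos($link, $forbidden) === FALSE)
     && ($required === NULL || strpos($link, $required) !== FALSE);
  printf("%s  %-32s => %s\n", $ok ? 'PASS' : 'FAIL', $path, $link);
}
```

Two details matter for the check being meaningful: the loop in the stripper, without which a doubled scheme would survive one pass, and the `[/?#]` guard, without which an internal path containing a colon after a slash would be mangled as if it carried a scheme.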
