Confirms that invalid URLs are filtered in link-generating functions.
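/**
 * Checks that l() and the 'link' theme hook neutralise a script-tag path.
 *
 * The same hostile path is rendered through both link builders. Each output
 * must contain the path in the form produced by check_url(url($path)), and
 * must not contain the raw markup anywhere in the generated HTML.
 */
function testLinkXSS() {
  $path = "<SCRIPT>alert('XSS')</SCRIPT>";
  // Expected form of the path after url() and check_url() have processed it.
  // Both cases below pass the same $path, so the value is computed once.
  $sanitized_path = check_url(url($path));

  // Test l().
  $text = $this->randomName();
  $link = l($text, $path);
  $this->assertTrue(strpos($link, $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered by l().', array(
    '@path' => $path,
  )));
  // Finding the sanitized path is not sufficient on its own: the assertion
  // above would still pass if the raw payload were also emitted elsewhere in
  // the markup (for example in another attribute), so assert its absence.
  $this->assertFalse(strpos($link, $path) !== FALSE, format_string('Raw XSS payload @path is absent from the output of l().', array(
    '@path' => $path,
  )));

  // Test #theme.
  $link_array = array(
    '#theme' => 'link',
    '#text' => $this->randomName(),
    '#path' => $path,
  );
  $theme_link = drupal_render($link_array);
  $this->assertTrue(strpos($theme_link, $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered by #theme', array(
    '@path' => $path,
  )));
  // Same negative check for the render-array code path.
  $this->assertFalse(strpos($theme_link, $path) !== FALSE, format_string('Raw XSS payload @path is absent from the output of #theme.', array(
    '@path' => $path,
  )));
}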