function UrlTest::testLinkXSS

Confirms that invalid URLs are filtered in link-generating functions.

File

drupal/core/modules/system/lib/Drupal/system/Tests/Common/UrlTest.php, line 34
Definition of Drupal\system\Tests\Common\UrlTest.

Class

UrlTest
Tests for URL generation functions.

Namespace

Drupal\system\Tests\Common

Code

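/**
 * Confirms that invalid URLs are filtered in link-generating functions.
 *
 * Uses a script-tag path as a stand-in for an attacker-controlled URL and
 * checks both l() and the 'link' #theme element. Each builder must emit the
 * path only in its check_url()-filtered form; checking for the filtered form
 * alone would still pass if the raw payload also leaked into the markup, so
 * the absence of the raw string is asserted as well.
 */
function testLinkXSS() {
  $path = "<SCRIPT>alert('XSS')</SCRIPT>";
  // url() builds the href and check_url() filters it; both builders are
  // expected to produce this same filtered form, so compute it once.
  $sanitized_path = check_url(url($path));

  // Test l().
  $text = $this
    ->randomName();
  $link = l($text, $path);
  $this
    ->assertTrue(strpos($link, $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered by l().', array(
    '@path' => $path,
  )));
  // The unfiltered payload must not appear anywhere in the generated markup.
  $this
    ->assertTrue(strpos($link, $path) === FALSE, format_string('Raw XSS attack @path is absent from l() output.', array(
    '@path' => $path,
  )));

  // Test #theme.
  $link_array = array(
    '#theme' => 'link',
    '#text' => $this
      ->randomName(),
    '#path' => $path,
  );
  $theme_link = drupal_render($link_array);
  $this
    ->assertTrue(strpos($theme_link, $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered by #theme', array(
    '@path' => $path,
  )));
  // Same absence check for the themed variant.
  $this
    ->assertTrue(strpos($theme_link, $path) === FALSE, format_string('Raw XSS attack @path is absent from #theme output.', array(
    '@path' => $path,
  )));
}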