function XssUnitTest::testBadProtocolStripping

Same name in other branches
  1. 9 core/tests/Drupal/KernelTests/Core/Common/XssUnitTest.php \Drupal\KernelTests\Core\Common\XssUnitTest::testBadProtocolStripping()
  2. 8.9.x core/tests/Drupal/KernelTests/Core/Common/XssUnitTest.php \Drupal\KernelTests\Core\Common\XssUnitTest::testBadProtocolStripping()
  3. 11.x core/tests/Drupal/KernelTests/Core/Common/XssUnitTest.php \Drupal\KernelTests\Core\Common\XssUnitTest::testBadProtocolStripping()

Checks that harmful protocols are stripped.

File

core/tests/Drupal/KernelTests/Core/Common/XssUnitTest.php, line 49

Class

XssUnitTest
Tests XSS filtering.

Namespace

Drupal\KernelTests\Core\Common

Code

public function testBadProtocolStripping() : void {
    // Ensure that check_url() strips out harmful protocols, and encodes for
    // HTML.
    // Ensure \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols() can
    // be used to return a plain-text string stripped of harmful protocols.
    $url = 'javascript:http://www.example.com/?x=1&y=2';
    $expected_plain = 'http://www.example.com/?x=1&y=2';
    $expected_html = 'http://www.example.com/?x=1&amp;y=2';
    $this->assertSame($expected_html, UrlHelper::filterBadProtocol($url), '\\Drupal\\Component\\Utility\\UrlHelper::filterBadProtocol() filters a URL and encodes it for HTML.');
    $this->assertSame($expected_plain, UrlHelper::stripDangerousProtocols($url), '\\Drupal\\Component\\Utility\\UrlHelper::stripDangerousProtocols() filters a URL and returns plain text.');
}
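
Added example, not Drupal's code: a self-contained sketch of allow-list scheme stripping followed by HTML encoding, showing why the test above expects two different strings for the same input. The function names, the three-entry allow-list and the second and third sample URLs are constructed for illustration.

```php
<?php
// Illustrative sketch only. ALLOWED_SCHEMES is a constructed sample list and
// both function names are hypothetical; neither is part of Drupal's API.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/** Returns $uri as plain text with every leading disallowed scheme removed. */
function strip_disallowed_schemes(string $uri): string {
  do {
    $before = $uri;
    $colon = strpos($uri, ':');
    if ($colon === false || $colon === 0) {
      break;
    }
    $scheme = substr($uri, 0, $colon);
    // A '/', '?' or '#' before the first colon means the colon sits in a path,
    // query or fragment, so this is a relative URL with no scheme to remove.
    if (preg_match('![/?#]!', $scheme)) {
      break;
    }
    // Scheme names are case-insensitive, so compare in lower case.
    if (!in_array(strtolower($scheme), ALLOWED_SCHEMES, true)) {
      $uri = substr($uri, $colon + 1);
    }
    // Repeat until nothing changes, so stacked schemes are all removed.
  } while ($before !== $uri);
  return $uri;
}

/** Applies the same filtering, then escapes the result for HTML output. */
function filter_for_html(string $uri): string {
  $plain = strip_disallowed_schemes($uri);
  return htmlspecialchars($plain, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$samples = [
  'javascript:http://www.example.com/?x=1&y=2',    // URL used in the test above
  'JAVASCRIPT:javascript:http://www.example.com/', // constructed: mixed case, stacked
  '/node/1?time=12:30',                            // constructed: relative URL with a colon
];

foreach ($samples as $url) {
  printf("input: %s\n", $url);
  printf("plain: %s\n", strip_disallowed_schemes($url));
  printf("html:  %s\n\n", filter_for_html($url));
}
```

The plain-text form is the one to pass on to code that does its own escaping; feeding the HTML-encoded form to such code turns `&amp;` into `&amp;amp;`.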
