Drupal 7.38

author: David Rothstein <drothstein@gmail.com> 2015-06-17 14:38:44 -0400
committer: David Rothstein <drothstein@gmail.com> 2015-06-17 14:38:44 -0400
commit: 5cb79b4b217e9aa315d61284398cce132c28bea4 (patch)
tree: ff85c0695ee9db1178447fa29d7f76a3ff8e67f6 /modules/field_ui/field_ui.test
parent: 18c5da5028b7c3ba985e598bb8df45613285d437 (diff)
download: brdo-5cb79b4b217e9aa315d61284398cce132c28bea4.tar.gz
brdo-5cb79b4b217e9aa315d61284398cce132c28bea4.tar.bz2
1 files changed, 13 insertions, 0 deletions
diff --git a/modules/field_ui/field_ui.test b/modules/field_ui/field_ui.test
index 21767d649..8c42aa6f5 100644
--- a/modules/field_ui/field_ui.test
+++ b/modules/field_ui/field_ui.test
@@ -445,6 +445,19 @@ class FieldUIManageFieldsTestCase extends FieldUITestCase {
     $this->assertText(t('The machine-readable name is already in use. It must be unique.'));
     $this->assertUrl($url, array(), 'Stayed on the same page.');
   }
+
+  /**
+   * Tests that external URLs in the 'destinations' query parameter are blocked.
+   */
+  function testExternalDestinations() {
+    $path = 'admin/structure/types/manage/article/fields/field_tags/field-settings';
+    $options = array(
+      'query' => array('destinations' => array('http://example.com')),
+    );
+    $this->drupalPost($path, NULL, t('Save field settings'), $options);
+
+    $this->assertUrl('admin/structure/types/manage/article/fields', array(), 'Stayed on the same site.');
+  }
 }
 
 /**
author	David Rothstein <drothstein@gmail.com>	2015-06-17 14:38:44 -0400
committer	David Rothstein <drothstein@gmail.com>	2015-06-17 14:38:44 -0400
commit	5cb79b4b217e9aa315d61284398cce132c28bea4 (patch)
tree	ff85c0695ee9db1178447fa29d7f76a3ff8e67f6 /modules/field_ui/field_ui.test
parent	18c5da5028b7c3ba985e598bb8df45613285d437 (diff)
download	brdo-5cb79b4b217e9aa315d61284398cce132c28bea4.tar.gz brdo-5cb79b4b217e9aa315d61284398cce132c28bea4.tar.bz2