authorDavid Rothstein <drothstein@gmail.com>2015-06-17 14:38:44 -0400
committerDavid Rothstein <drothstein@gmail.com>2015-06-17 14:38:44 -0400
commit5cb79b4b217e9aa315d61284398cce132c28bea4 (patch)
treeff85c0695ee9db1178447fa29d7f76a3ff8e67f6 /modules/field_ui
parent18c5da5028b7c3ba985e598bb8df45613285d437 (diff)
Drupal 7.38
Diffstat (limited to 'modules/field_ui')
-rw-r--r--modules/field_ui/field_ui.admin.inc4
-rw-r--r--modules/field_ui/field_ui.test13
2 files changed, 17 insertions, 0 deletions
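diff --git a/modules/field_ui/field_ui.admin.inc b/modules/field_ui/field_ui.admin.inc
index 5d74a5ca4..7d09d6f8e 100644
--- a/modules/field_ui/field_ui.admin.inc
+++ b/modules/field_ui/field_ui.admin.inc
@@ -2105,6 +2105,10 @@ function field_ui_next_destination($entity_type, $bundle) {
 $destinations = !empty($_REQUEST['destinations']) ? $_REQUEST['destinations'] : array();
 if (!empty($destinations)) {
 unset($_REQUEST['destinations']);
+ }
+ // Remove any external URLs.
+ $destinations = array_diff($destinations, array_filter($destinations, 'url_is_external'));
+ if ($destinations) {
 return field_ui_get_destinations($destinations);
 }
 $admin_path = _field_ui_bundle_admin_path($entity_type, $bundle);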
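Review bot: The new filter line `$destinations = array_diff($destinations, array_filter($destinations, 'url_is_external'));` assumes `$_REQUEST['destinations']` is an array, but the context line above accepts any non-empty value, so a scalar `destinations=...` query value reaches `array_filter()` and `array_diff()` as a string — on PHP 5 that appears to emit warnings and yield NULL (which then falls through to the admin path), and on newer PHP it is a TypeError. Guarding the assignment, `$destinations = !empty($_REQUEST['destinations']) && is_array($_REQUEST['destinations']) ? $_REQUEST['destinations'] : array();`, keeps the filter on well-typed input; nested non-string elements would presumably still need a string check before `url_is_external()` sees them. Separately, the rejection is only as strong as `url_is_external()` in this version, so it is worth confirming that protocol-relative destinations (`//host/...`) are classified as external as well, since a purely scheme-based test would not catch them while the redirect would still leave the site. field_ui_next_destination() continues beyond the end of the hunk.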
diff --git a/modules/field_ui/field_ui.test b/modules/field_ui/field_ui.test
index 21767d649..8c42aa6f5 100644
--- a/modules/field_ui/field_ui.test
+++ b/modules/field_ui/field_ui.test
@@ -445,6 +445,19 @@ class FieldUIManageFieldsTestCase extends FieldUITestCase {
$this->assertText(t('The machine-readable name is already in use. It must be unique.'));
$this->assertUrl($url, array(), 'Stayed on the same page.');
}
+
+ /**
+ * Tests that external URLs in the 'destinations' query parameter are blocked.
+ */
+ function testExternalDestinations() {
+ $path = 'admin/structure/types/manage/article/fields/field_tags/field-settings';
+ $options = array(
+ 'query' => array('destinations' => array('http://example.com')),
+ );
+ $this->drupalPost($path, NULL, t('Save field settings'), $options);
+
+ $this->assertUrl('admin/structure/types/manage/article/fields', array(), 'Stayed on the same site.');
+ }
}
/**