diff options
| -rw-r--r-- | includes/common.inc | 2 | ||||
| -rw-r--r-- | modules/simpletest/tests/common.test | 25 |
2 files changed, 26 insertions, 1 deletions
diff --git a/includes/common.inc b/includes/common.inc index 95bc9fc33..09bd204e4 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -1836,7 +1836,7 @@ function l($text, $path, array $options = array()) { $options['attributes']['title'] = strip_tags($options['attributes']['title']); } - return '<a href="' . check_url(url($path, $options)) . '"' . drupal_attributes($options['attributes']) . '>' . ($options['html'] ? $text : check_plain($text)) . '</a>'; + return '<a href="' . url($path, $options) . '"' . drupal_attributes($options['attributes']) . '>' . ($options['html'] ? $text : check_plain($text)) . '</a>'; } /** diff --git a/modules/simpletest/tests/common.test b/modules/simpletest/tests/common.test index 5f039660f..a6f1053e6 100644 --- a/modules/simpletest/tests/common.test +++ b/modules/simpletest/tests/common.test @@ -1,6 +1,31 @@ <?php // $Id$ +/** + * Tests for the l() function. + */ +class CommonLUnitTest extends DrupalWebTestCase { + + function getInfo() { + return array( + 'name' => t('Tests for the l() function'), + 'description' => t('Confirm that url() works correctly with various input.'), + 'group' => t('System'), + ); + } + + /** + * Confirm that invalid text given as $path is filtered. + */ + function testLXSS() { + $text = $this->randomName(); + $path = "<SCRIPT>alert('XSS')</SCRIPT>"; + $link = l($text, $path); + $sanitized_path = check_url(url($path)); + $this->assertTrue(strpos($link, $sanitized_path) != FALSE, t('XSS attack @path was filtered', array('@path' => $path))); + } +} + class CommonSizeTestCase extends DrupalWebTestCase { protected $exact_test_cases; protected $rounded_test_cases; |