Diffstat (limited to 'modules')
-rw-r--r--modules/comment/comment.test2
-rw-r--r--modules/comment/comment.tokens.inc2
-rw-r--r--modules/simpletest/tests/common.test16
3 files changed, 17 insertions, 3 deletions
diff --git a/modules/comment/comment.test b/modules/comment/comment.test
index ae680cecd..cf5376fec 100644
--- a/modules/comment/comment.test
+++ b/modules/comment/comment.test
@@ -1190,7 +1190,7 @@ class CommentTokenReplaceTestCase extends CommentHelperCase {
$tests['[comment:hostname]'] = check_plain($comment->hostname);
$tests['[comment:name]'] = filter_xss($comment->name);
$tests['[comment:mail]'] = check_plain($this->admin_user->mail);
- $tests['[comment:homepage]'] = filter_xss_bad_protocol($comment->homepage);
+ $tests['[comment:homepage]'] = check_url($comment->homepage);
$tests['[comment:title]'] = filter_xss($comment->subject);
$tests['[comment:body]'] = _text_sanitize($instance, LANGUAGE_NONE, $comment->comment_body[LANGUAGE_NONE][0], 'value');
$tests['[comment:url]'] = url('comment/' . $comment->cid, $url_options + array('fragment' => 'comment-' . $comment->cid));
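Review bot: The new expectation on the `[comment:homepage]` line is computed with check_url(), the same function the token implementation now calls, so this assertion passes for any output check_url() happens to produce and cannot catch a regression in the protocol stripping itself. A literal expected string for a known fixture homepage (for example one whose scheme is not in the allowed list) would pin the intended result independently of the sanitizer; the surrounding `$tests` entries follow the same mirrored pattern, so this is a style point about the test rather than a defect in the change. The enclosing test method starts and ends outside the hunk.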
diff --git a/modules/comment/comment.tokens.inc b/modules/comment/comment.tokens.inc
index 3f233733d..2375cfb6f 100644
--- a/modules/comment/comment.tokens.inc
+++ b/modules/comment/comment.tokens.inc
@@ -148,7 +148,7 @@ function comment_tokens($type, $tokens, array $data = array(), array $options =
break;
case 'homepage':
- $replacements[$original] = $sanitize ? filter_xss_bad_protocol($comment->homepage) : $comment->homepage;
+ $replacements[$original] = $sanitize ? check_url($comment->homepage) : $comment->homepage;
break;
case 'title':
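Review bot: The `case 'homepage':` branch gives no reason for preferring check_url() over filter_xss_bad_protocol(), and the two are not interchangeable: filter_xss_bad_protocol() decodes HTML entities before stripping (its `$decode` parameter defaults to TRUE) whereas check_url() strips protocols on the string as stored and then escapes it for HTML, so a homepage that was persisted in entity-encoded form would be treated differently after this change — worth confirming how the value is stored. A short why-comment above the assignment would help the next maintainer, e.g. `// Homepage is a bare URL, not HTML: check_url() strips dangerous protocols and escapes for attribute context.`. The unsanitized branch returns `$comment->homepage` verbatim, which is the documented meaning of the `sanitize` option and is unchanged here. comment_tokens() starts and ends outside the hunk.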
diff --git a/modules/simpletest/tests/common.test b/modules/simpletest/tests/common.test
index f374cf04b..01635a5ea 100644
--- a/modules/simpletest/tests/common.test
+++ b/modules/simpletest/tests/common.test
@@ -345,7 +345,7 @@ class CommonXssUnitTest extends DrupalUnitTestCase {
public static function getInfo() {
return array(
'name' => 'String filtering tests',
- 'description' => 'Confirm that check_plain() and filter_xss() work correctly, including invalid multi-byte sequences.',
+ 'description' => 'Confirm that check_plain(), filter_xss(), and check_url() work correctly, including invalid multi-byte sequences.',
'group' => 'System',
);
}
@@ -372,6 +372,20 @@ class CommonXssUnitTest extends DrupalUnitTestCase {
$text = check_plain("<script>");
$this->assertEqual($text, '&lt;script&gt;', 'check_plain() escapes &lt;script&gt;');
}
+
+ /**
+ * Check that harmful protocols are stripped.
+ */
+ function testBadProtocolStripping() {
+ // Ensure that check_url() strips out harmful protocols, and encodes for
+ // HTML. Ensure drupal_strip_dangerous_protocols() can be used to return a
+ // plain-text string stripped of harmful protocols.
+ $url = 'javascript:http://www.example.com/?x=1&y=2';
+ $expected_plain = 'http://www.example.com/?x=1&y=2';
+ $expected_html = 'http://www.example.com/?x=1&amp;y=2';
+ $this->assertIdentical(check_url($url), $expected_html, t('check_url() filters a URL and encodes it for HTML.'));
+ $this->assertIdentical(drupal_strip_dangerous_protocols($url), $expected_plain, t('drupal_strip_dangerous_protocols() filters a URL and returns plain text.'));
+ }
}
class CommonSizeTestCase extends DrupalUnitTestCase {
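Review bot: testBadProtocolStripping() never asserts the positive case, so a regression that made check_url() or drupal_strip_dangerous_protocols() strip or mangle an allowed scheme would go unnoticed; add at least one assertion that an ordinary `http://` URL comes back unchanged (apart from HTML encoding), e.g. `$this->assertIdentical(drupal_strip_dangerous_protocols($expected_plain), $expected_plain, 'Allowed protocols are preserved.');`. The single lowercase `javascript:` fixture also leaves the case-insensitive comparison of the scheme unexercised, which is the kind of check a sanitizer test should pin down with a second, differently-cased input. The `t()` wrappers on the assertion messages add translation overhead without benefit in a unit test and differ from the plain-string messages used by the neighbouring assertions on L51.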