From 5cb79b4b217e9aa315d61284398cce132c28bea4 Mon Sep 17 00:00:00 2001
From: David Rothstein
Date: Wed, 17 Jun 2015 14:38:44 -0400
Subject: Drupal 7.38

---
 modules/field_ui/field_ui.admin.inc | 4 ++++
 modules/field_ui/field_ui.test | 13 +++++++++++++
 2 files changed, 17 insertions(+)
(limited to 'modules/field_ui')

diff --git a/modules/field_ui/field_ui.admin.inc b/modules/field_ui/field_ui.admin.inc
index 5d74a5ca4..7d09d6f8e 100644
--- a/modules/field_ui/field_ui.admin.inc
+++ b/modules/field_ui/field_ui.admin.inc
@@ -2105,6 +2105,10 @@ function field_ui_next_destination($entity_type, $bundle) {
 $destinations = !empty($_REQUEST['destinations']) ? $_REQUEST['destinations'] : array();
 if (!empty($destinations)) {
 unset($_REQUEST['destinations']);
+ }
// Remove any external URLs.
+ $destinations = array_diff($destinations, array_filter($destinations, 'url_is_external'));
+ if ($destinations) {
 return field_ui_get_destinations($destinations);
 }
 $admin_path = _field_ui_bundle_admin_path($entity_type, $bundle);
diff --git a/modules/field_ui/field_ui.test b/modules/field_ui/field_ui.test
index 21767d649..8c42aa6f5 100644
--- a/modules/field_ui/field_ui.test
+++ b/modules/field_ui/field_ui.test
@@ -445,6 +445,19 @@ class FieldUIManageFieldsTestCase extends FieldUITestCase {
 $this->assertText(t('The machine-readable name is already in use. It must be unique.'));
 $this->assertUrl($url, array(), 'Stayed on the same page.');
 }
+
+ /**
+ * Tests that external URLs in the 'destinations' query parameter are blocked.
+ */
+ function testExternalDestinations() {
+ $path = 'admin/structure/types/manage/article/fields/field_tags/field-settings';
+ $options = array(
+ 'query' => array('destinations' => array('http://example.com')),
+ );
+ $this->drupalPost($path, NULL, t('Save field settings'), $options);
+
+ $this->assertUrl('admin/structure/types/manage/article/fields', array(), 'Stayed on the same site.');
+ }
 }
 /**
--
cgit v1.2.3
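Review bot: The new `array_filter($destinations, 'url_is_external')` call assumes `$destinations` is a flat array of strings, but the first context line of the hunk takes it straight from `$_REQUEST['destinations']`, so a scalar value or a nested array reaches `array_filter`/`array_diff` and `url_is_external()` unvalidated and produces warnings (a TypeError on PHP 8) instead of the clean fall-back to the admin path that the rest of the hunk intends. Normalising the shape before the filter closes that gap: `$destinations = is_array($destinations) ? array_filter($destinations, 'is_string') : array();` placed directly above the `// Remove any external URLs.` comment. The comment itself would help the next maintainer more if it stated why: `// Drop external URLs: this request-supplied list feeds a redirect, so keeping them would make the parameter an open redirect.` Whether `url_is_external()` also classifies scheme-less forms such as `//host/path` as external is not visible here and is worth confirming, since the filter is only as strict as that helper. field_ui_next_destination() begins before the hunk and continues after it.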
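Review bot: testExternalDestinations() covers a single fully-qualified `http://example.com` entry and only the fall-back branch, so it would not catch a regression in which the filter also discards internal destinations. A second post with a mixed list, `$options['query']['destinations'] = array('http://example.com', 'admin/structure/types');` followed by the same `drupalPost()` call and `$this->assertUrl('admin/structure/types', array(), 'Internal destination still honoured.');`, would pin both halves of the new behaviour, assuming field_ui_get_destinations() redirects to the first remaining entry (that function is not visible here). The docblock could also record the reason the parameter is filtered, e.g. `Tests that external URLs in the 'destinations' query parameter are dropped so the parameter cannot be used as an open redirect.` The enclosing class continues outside the hunk.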