From f12b1b637f748051c1fd9e260881208092bf913b Mon Sep 17 00:00:00 2001
From: Dries Buytaert <dries@buytaert.net>
Date: Sat, 31 Jan 2009 19:07:45 +0000
Subject: - Patch #354812 by catch, mfer: filter_xss_bad_protocol is called
 hundreds of times on some pages.

---
 modules/simpletest/tests/common.test | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

(limited to 'modules/simpletest')

diff --git a/modules/simpletest/tests/common.test b/modules/simpletest/tests/common.test
index 5f039660f..a6f1053e6 100644
--- a/modules/simpletest/tests/common.test
+++ b/modules/simpletest/tests/common.test
@@ -1,6 +1,31 @@
 <?php
 // $Id$
 
+/**
+ * Tests for the l() function.
+ */
+class CommonLUnitTest extends DrupalWebTestCase {
+
+  function getInfo() {
+    return array(
+      'name' => t('Tests for the l() function'),
+      'description' => t('Confirm that url() works correctly with various input.'),
+      'group' => t('System'),
+    );
+  }
+
+  /**
+   * Confirm that invalid text given as $path is filtered.
+   */
+  function testLXSS() {
+    $text = $this->randomName();
+    $path = "<SCRIPT>alert('XSS')</SCRIPT>";
+    $link = l($text, $path);
+    $sanitized_path = check_url(url($path));
+    $this->assertTrue(strpos($link, $sanitized_path) != FALSE, t('XSS attack @path was filtered', array('@path' => $path)));
+  }
+}
+
 class CommonSizeTestCase extends DrupalWebTestCase {
   protected $exact_test_cases;
   protected $rounded_test_cases;
-- 
cgit v1.2.3