From 9e6313e84f7397889950bef0b870bf91749acca4 Mon Sep 17 00:00:00 2001
From: Angie Byron
Date: Wed, 7 Jul 2010 17:00:43 +0000
Subject: #715142 by effulgentsia, msmithgu, mr.baileys, Damien Tournoud, sun: Fixed Various URLs escaped twice, since check_url() resp. filter_xss_bad_protocol() calls check_plain().
---
 modules/comment/comment.test | 2 +-
 modules/comment/comment.tokens.inc | 2 +-
 modules/simpletest/tests/common.test | 16 +++++++++++++++-
 3 files changed, 17 insertions(+), 3 deletions(-)
(limited to 'modules')
diff --git a/modules/comment/comment.test b/modules/comment/comment.test
index ae680cecd..cf5376fec 100644
--- a/modules/comment/comment.test
+++ b/modules/comment/comment.test
@@ -1190,7 +1190,7 @@ class CommentTokenReplaceTestCase extends CommentHelperCase {
 $tests['[comment:hostname]'] = check_plain($comment->hostname);
 $tests['[comment:name]'] = filter_xss($comment->name);
 $tests['[comment:mail]'] = check_plain($this->admin_user->mail);
- $tests['[comment:homepage]'] = filter_xss_bad_protocol($comment->homepage);
+ $tests['[comment:homepage]'] = check_url($comment->homepage);
 $tests['[comment:title]'] = filter_xss($comment->subject);
 $tests['[comment:body]'] = _text_sanitize($instance, LANGUAGE_NONE, $comment->comment_body[LANGUAGE_NONE][0], 'value');
 $tests['[comment:url]'] = url('comment/' . $comment->cid, $url_options + array('fragment' => 'comment-' . $comment->cid));
diff --git a/modules/comment/comment.tokens.inc b/modules/comment/comment.tokens.inc
index 3f233733d..2375cfb6f 100644
--- a/modules/comment/comment.tokens.inc
+++ b/modules/comment/comment.tokens.inc
@@ -148,7 +148,7 @@ function comment_tokens($type, $tokens, array $data = array(), array $options =
 break;
 case 'homepage':
- $replacements[$original] = $sanitize ? filter_xss_bad_protocol($comment->homepage) : $comment->homepage;
+ $replacements[$original] = $sanitize ? check_url($comment->homepage) : $comment->homepage;
 break;
 case 'title':
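Review bot: In modules/comment/comment.test the expected value for `[comment:homepage]` is produced by calling `check_url()` on the fixture, the same call comment_tokens() now makes, so the assertion holds whatever `check_url()` returns and cannot catch a return of the double escaping this commit fixes. A literal expectation would pin the output: assuming the fixture homepage (set outside this hunk) can be given a query string, for example the constructed value `http://example.com/?a=1&b=2`, the line could read `$tests['[comment:homepage]'] = 'http://example.com/?a=1&amp;b=2';`. The test method starts and ends outside the hunk.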
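Review bot: The `'homepage'` case in comment_tokens() (modules/comment/comment.tokens.inc) still returns `$comment->homepage` untouched when `$sanitize` is false, and nothing on the line says that this value is user-supplied and has had no protocol filtering. A short comment above the assignment would help callers: `// check_url() strips dangerous protocols and HTML-escapes once; the raw branch does neither, so callers must filter it before output.` It is also worth stating there that the sanitized value is already escaped and must not be passed through `check_plain()` again, which is the double escaping the commit subject describes. The function body continues outside the hunk.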
diff --git a/modules/simpletest/tests/common.test b/modules/simpletest/tests/common.test
index f374cf04b..01635a5ea 100644
--- a/modules/simpletest/tests/common.test
+++ b/modules/simpletest/tests/common.test
@@ -345,7 +345,7 @@ class CommonXssUnitTest extends DrupalUnitTestCase {
 public static function getInfo() {
 return array(
 'name' => 'String filtering tests',
- 'description' => 'Confirm that check_plain() and filter_xss() work correctly, including invalid multi-byte sequences.',
+ 'description' => 'Confirm that check_plain(), filter_xss(), and check_url() work correctly, including invalid multi-byte sequences.',
 'group' => 'System',
 );
 }
@@ -372,6 +372,20 @@ class CommonXssUnitTest extends DrupalUnitTestCase {
 $text = check_plain("