|
Chris@0
|
1 <?php
|
|
Chris@0
|
2
|
|
Chris@0
|
3 namespace Drupal\system\Tests\Routing;
|
|
Chris@0
|
4
|
|
Chris@0
|
5 use Drupal\Core\Url;
|
|
Chris@0
|
6 use Drupal\simpletest\WebTestBase;
|
|
Chris@0
|
7
|
|
Chris@0
|
8 /**
|
|
Chris@0
|
9 * Tests for $_GET['destination'] and $_REQUEST['destination'] validation.
|
|
Chris@0
|
10 *
|
|
Chris@0
|
11 * Note: This tests basically the same as
|
|
Chris@0
|
12 * \Drupal\Tests\Core\EventSubscriber\RedirectResponseSubscriberTest::testSanitizeDestinationForGet
|
|
Chris@0
|
13 * \Drupal\Tests\Core\EventSubscriber\RedirectResponseSubscriberTest::testSanitizeDestinationForPost
|
|
Chris@0
|
14 * but we want to be absolutely sure it works.
|
|
Chris@0
|
15 *
|
|
Chris@0
|
16 * @group Routing
|
|
Chris@0
|
17 */
|
|
Chris@0
|
18 class DestinationTest extends WebTestBase {
|
|
Chris@0
|
19
|
|
Chris@0
|
20 /**
|
|
Chris@0
|
21 * {@inheritdoc}
|
|
Chris@0
|
22 */
|
|
Chris@0
|
23 public static $modules = ['system_test'];
|
|
Chris@0
|
24
|
|
Chris@0
|
25 /**
|
|
Chris@0
|
26 * Tests that $_GET/$_REQUEST['destination'] only contain internal URLs.
|
|
Chris@0
|
27 */
|
|
Chris@0
|
28 public function testDestination() {
|
|
Chris@0
|
29 $test_cases = [
|
|
Chris@0
|
30 [
|
|
Chris@0
|
31 'input' => 'node',
|
|
Chris@0
|
32 'output' => 'node',
|
|
Chris@0
|
33 'message' => "Standard internal example node path is present in the 'destination' parameter.",
|
|
Chris@0
|
34 ],
|
|
Chris@0
|
35 [
|
|
Chris@0
|
36 'input' => '/example.com',
|
|
Chris@0
|
37 'output' => '/example.com',
|
|
Chris@0
|
38 'message' => 'Internal path with one leading slash is allowed.',
|
|
Chris@0
|
39 ],
|
|
Chris@0
|
40 [
|
|
Chris@0
|
41 'input' => '//example.com/test',
|
|
Chris@0
|
42 'output' => '',
|
|
Chris@0
|
43 'message' => 'External URL without scheme is not allowed.',
|
|
Chris@0
|
44 ],
|
|
Chris@0
|
45 [
|
|
Chris@0
|
46 'input' => 'example:test',
|
|
Chris@0
|
47 'output' => 'example:test',
|
|
Chris@0
|
48 'message' => 'Internal URL using a colon is allowed.',
|
|
Chris@0
|
49 ],
|
|
Chris@0
|
50 [
|
|
Chris@0
|
51 'input' => 'http://example.com',
|
|
Chris@0
|
52 'output' => '',
|
|
Chris@0
|
53 'message' => 'External URL is not allowed.',
|
|
Chris@0
|
54 ],
|
|
Chris@0
|
55 [
|
|
Chris@0
|
56 'input' => 'javascript:alert(0)',
|
|
Chris@0
|
57 'output' => 'javascript:alert(0)',
|
|
Chris@0
|
58 'message' => 'Javascript URL is allowed because it is treated as an internal URL.',
|
|
Chris@0
|
59 ],
|
|
Chris@0
|
60 ];
|
|
Chris@0
|
61 foreach ($test_cases as $test_case) {
|
|
Chris@0
|
62 // Test $_GET['destination'].
|
|
Chris@0
|
63 $this->drupalGet('system-test/get-destination', ['query' => ['destination' => $test_case['input']]]);
|
|
Chris@0
|
64 $this->assertIdentical($test_case['output'], $this->getRawContent(), $test_case['message']);
|
|
Chris@0
|
65 // Test $_REQUEST['destination'].
|
|
Chris@0
|
66 $post_output = $this->drupalPost('system-test/request-destination', '*', ['destination' => $test_case['input']]);
|
|
Chris@0
|
67 $this->assertIdentical($test_case['output'], $post_output, $test_case['message']);
|
|
Chris@0
|
68 }
|
|
Chris@0
|
69
|
|
Chris@0
|
70 // Make sure that 404 pages do not populate $_GET['destination'] with
|
|
Chris@0
|
71 // external URLs.
|
|
Chris@0
|
72 \Drupal::configFactory()->getEditable('system.site')->set('page.404', '/system-test/get-destination')->save();
|
|
Chris@0
|
73 $this->drupalGet('http://example.com', ['external' => FALSE]);
|
|
Chris@0
|
74 $this->assertResponse(404);
|
|
Chris@0
|
75 $this->assertIdentical(Url::fromRoute('<front>')->toString(), $this->getRawContent(), 'External URL is not allowed on 404 pages.');
|
|
Chris@0
|
76 }
|
|
Chris@0
|
77
|
|
Chris@0
|
78 }
|
