Mercurial > hg > isophonics-drupal-site
comparison core/modules/system/src/Tests/Routing/DestinationTest.php @ 0:4c8ae668cc8c
Initial import (non-working)
| author | Chris Cannam |
|---|---|
| date | Wed, 29 Nov 2017 16:09:58 +0000 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| -1:000000000000 | 0:4c8ae668cc8c |
|---|---|
| 1 <?php | |
| 2 | |
| 3 namespace Drupal\system\Tests\Routing; | |
| 4 | |
| 5 use Drupal\Core\Url; | |
| 6 use Drupal\simpletest\WebTestBase; | |
| 7 | |
| 8 /** | |
| 9 * Tests for $_GET['destination'] and $_REQUEST['destination'] validation. | |
| 10 * | |
| 11 * Note: This tests basically the same as | |
| 12 * \Drupal\Tests\Core\EventSubscriber\RedirectResponseSubscriberTest::testSanitizeDestinationForGet | |
| 13 * \Drupal\Tests\Core\EventSubscriber\RedirectResponseSubscriberTest::testSanitizeDestinationForPost | |
| 14 * but we want to be absolutely sure it works. | |
| 15 * | |
| 16 * @group Routing | |
| 17 */ | |
| 18 class DestinationTest extends WebTestBase { | |
| 19 | |
| 20 /** | |
| 21 * {@inheritdoc} | |
| 22 */ | |
| 23 public static $modules = ['system_test']; | |
| 24 | |
| 25 /** | |
| 26 * Tests that $_GET/$_REQUEST['destination'] only contain internal URLs. | |
| 27 */ | |
| 28 public function testDestination() { | |
| 29 $test_cases = [ | |
| 30 [ | |
| 31 'input' => 'node', | |
| 32 'output' => 'node', | |
| 33 'message' => "Standard internal example node path is present in the 'destination' parameter.", | |
| 34 ], | |
| 35 [ | |
| 36 'input' => '/example.com', | |
| 37 'output' => '/example.com', | |
| 38 'message' => 'Internal path with one leading slash is allowed.', | |
| 39 ], | |
| 40 [ | |
| 41 'input' => '//example.com/test', | |
| 42 'output' => '', | |
| 43 'message' => 'External URL without scheme is not allowed.', | |
| 44 ], | |
| 45 [ | |
| 46 'input' => 'example:test', | |
| 47 'output' => 'example:test', | |
| 48 'message' => 'Internal URL using a colon is allowed.', | |
| 49 ], | |
| 50 [ | |
| 51 'input' => 'http://example.com', | |
| 52 'output' => '', | |
| 53 'message' => 'External URL is not allowed.', | |
| 54 ], | |
| 55 [ | |
| 56 'input' => 'javascript:alert(0)', | |
| 57 'output' => 'javascript:alert(0)', | |
| 58 'message' => 'Javascript URL is allowed because it is treated as an internal URL.', | |
| 59 ], | |
| 60 ]; | |
| 61 foreach ($test_cases as $test_case) { | |
| 62 // Test $_GET['destination']. | |
| 63 $this->drupalGet('system-test/get-destination', ['query' => ['destination' => $test_case['input']]]); | |
| 64 $this->assertIdentical($test_case['output'], $this->getRawContent(), $test_case['message']); | |
| 65 // Test $_REQUEST['destination']. | |
| 66 $post_output = $this->drupalPost('system-test/request-destination', '*', ['destination' => $test_case['input']]); | |
| 67 $this->assertIdentical($test_case['output'], $post_output, $test_case['message']); | |
| 68 } | |
| 69 | |
| 70 // Make sure that 404 pages do not populate $_GET['destination'] with | |
| 71 // external URLs. | |
| 72 \Drupal::configFactory()->getEditable('system.site')->set('page.404', '/system-test/get-destination')->save(); | |
| 73 $this->drupalGet('http://example.com', ['external' => FALSE]); | |
| 74 $this->assertResponse(404); | |
| 75 $this->assertIdentical(Url::fromRoute('<front>')->toString(), $this->getRawContent(), 'External URL is not allowed on 404 pages.'); | |
| 76 } | |
| 77 | |
| 78 } |