Chris@0: 'node', Chris@0: 'output' => 'node', Chris@0: 'message' => "Standard internal example node path is present in the 'destination' parameter.", Chris@0: ], Chris@0: [ Chris@0: 'input' => '/example.com', Chris@0: 'output' => '/example.com', Chris@0: 'message' => 'Internal path with one leading slash is allowed.', Chris@0: ], Chris@0: [ Chris@0: 'input' => '//example.com/test', Chris@0: 'output' => '', Chris@0: 'message' => 'External URL without scheme is not allowed.', Chris@0: ], Chris@0: [ Chris@0: 'input' => 'example:test', Chris@0: 'output' => 'example:test', Chris@0: 'message' => 'Internal URL using a colon is allowed.', Chris@0: ], Chris@0: [ Chris@0: 'input' => 'http://example.com', Chris@0: 'output' => '', Chris@0: 'message' => 'External URL is not allowed.', Chris@0: ], Chris@0: [ Chris@0: 'input' => 'javascript:alert(0)', Chris@0: 'output' => 'javascript:alert(0)', Chris@0: 'message' => 'Javascript URL is allowed because it is treated as an internal URL.', Chris@0: ], Chris@0: ]; Chris@0: foreach ($test_cases as $test_case) { Chris@0: // Test $_GET['destination']. Chris@0: $this->drupalGet('system-test/get-destination', ['query' => ['destination' => $test_case['input']]]); Chris@0: $this->assertIdentical($test_case['output'], $this->getRawContent(), $test_case['message']); Chris@0: // Test $_REQUEST['destination']. Chris@0: $post_output = $this->drupalPost('system-test/request-destination', '*', ['destination' => $test_case['input']]); Chris@0: $this->assertIdentical($test_case['output'], $post_output, $test_case['message']); Chris@0: } Chris@0: Chris@0: // Make sure that 404 pages do not populate $_GET['destination'] with Chris@0: // external URLs. Chris@0: \Drupal::configFactory()->getEditable('system.site')->set('page.404', '/system-test/get-destination')->save(); Chris@0: $this->drupalGet('http://example.com', ['external' => FALSE]); Chris@0: $this->assertResponse(404); Chris@0: $this->assertIdentical(Url::fromRoute('')->toString(), $this->getRawContent(), 'External URL is not allowed on 404 pages.'); Chris@0: } Chris@0: Chris@0: }