From 9b89fa9c190e69f7d15d974f8707e4bda8b28499 Mon Sep 17 00:00:00 2001
From: mcdruid
Date: Tue, 6 Sep 2022 22:23:15 +0100
Subject: [PATCH] Issue #2990723 by poker10, tatarbj, DamienMcKenna: Security improvement for l() function

---
includes/common.inc | 1 +
modules/simpletest/tests/common.test | 6 ++++++
2 files changed, 7 insertions(+)

diff --git a/includes/common.inc b/includes/common.inc
index c3f1974ca48..2f417be22c4 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -2570,6 +2570,7 @@ function l($text, $path, array $options = array()) {
       $use_theme = FALSE;
     }
   }
+  $path = drupal_strip_dangerous_protocols((string) $path);
   if ($use_theme) {
     return theme('link', array('text' => $text, 'path' => $path, 'options' => $options));
   }
diff --git a/modules/simpletest/tests/common.test b/modules/simpletest/tests/common.test
index 0de86a07ef6..c2e22366cc9 100644
--- a/modules/simpletest/tests/common.test
+++ b/modules/simpletest/tests/common.test
@@ -91,6 +91,12 @@ class CommonURLUnitTest extends DrupalWebTestCase {
     $link = l($text, $path);
     $sanitized_path = check_url(url($path));
     $this->assertTrue(strpos($link, $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered', array('@path' => $path)));
+
+    // Verify that a dangerous protocol is sanitized.
+    $text = $this->randomName();
+    $path = "javascript:alert('XSS')";
+    $link = l($text, $path, array('external' => TRUE));
+    $this->assertTrue(strpos($link, 'javascript:') === FALSE, 'Dangerous protocol javascript: was sanitized.');
   }
 
   /*
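Review bot: The added `$path = drupal_strip_dangerous_protocols((string) $path);` in the common.inc hunk carries no comment explaining why it sits after the `$use_theme` decision rather than at the top of `l()`, so a later refactor could easily move it into only one rendering branch. Its placement looks right as far as the hunk shows, since both the `theme('link', ...)` return and whatever follows the hunk receive the stripped path, but that intent should be written down: `// Strip dangerous protocols from the path before it reaches either rendering branch; the theme branch passes it through unescaped.` The `(string)` cast also silently accepts a NULL path, which is presumably deliberate but worth a word in the function's docblock. `l()` begins and ends outside this hunk, so I cannot confirm what the inline branch escapes on its own.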
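Review bot: The new assertion on the last added line of the common.test hunk only checks that the substring `javascript:` is absent, so it would also pass if `l()` returned an empty string or dropped the href entirely, and it does not pin the output the commit actually produces. Add a second assertion that the link was still rendered, e.g. `$this->assertTrue(strpos($link, '<a href=') !== FALSE, 'Link was still rendered after the protocol was stripped.');`, or compare against `check_url(url($path, array('external' => TRUE)))` the way the existing assertion three lines above does, if that matches the inline branch's escaping (not verifiable from this hunk). The reassignment of `$text` via `randomName()` is never checked either, so it could be dropped or asserted on. The enclosing test method starts outside this hunk.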