- Patch #354812 by catch, mfer: filter_xss_bad_protocol is called hundreds of times on some pages.

2009-01-31 19:07:45 +00:00 · 2009-01-31 19:07:45 +00:00 · f12b1b637f
parent 610bc6f7ed
commit f12b1b637f
2 changed files with 26 additions and 1 deletions
--- a/includes/common.inc
+++ b/includes/common.inc
@ -1836,7 +1836,7 @@ function l($text, $path, array $options = array()) {
    $options['attributes']['title'] = strip_tags($options['attributes']['title']);
  }

-  return '<a href="' . check_url(url($path, $options)) . '"' . drupal_attributes($options['attributes']) . '>' . ($options['html'] ? $text : check_plain($text)) . '</a>';
+  return '<a href="' . url($path, $options) . '"' . drupal_attributes($options['attributes']) . '>' . ($options['html'] ? $text : check_plain($text)) . '</a>';
 }

 /**
--- a/modules/simpletest/tests/common.test
+++ b/modules/simpletest/tests/common.test
@ -1,6 +1,31 @@
 <?php
 // $Id$

+/**
+ * Tests for the l() function.
+ */
+class CommonLUnitTest extends DrupalWebTestCase {
+
+  function getInfo() {
+    return array(
+      'name' => t('Tests for the l() function'),
+      'description' => t('Confirm that url() works correctly with various input.'),
+      'group' => t('System'),
+    );
+  }
+
+  /**
+   * Confirm that invalid text given as $path is filtered.
+   */
+  function testLXSS() {
+    $text = $this->randomName();
+    $path = "<SCRIPT>alert('XSS')</SCRIPT>";
+    $link = l($text, $path);
+    $sanitized_path = check_url(url($path));
+    $this->assertTrue(strpos($link, $sanitized_path) != FALSE, t('XSS attack @path was filtered', array('@path' => $path)));
+  }
+}
+
 class CommonSizeTestCase extends DrupalWebTestCase {
  protected $exact_test_cases;
  protected $rounded_test_cases;