This is a follow-up to: #2990723-14: Security improvement for l() function → .
Current implementation of the CommonXssUnitTest::testBadProtocolStripping() does only check if javascript: protocol is stripped. It doesn't check all allowed protocols whether they are kept or stripped (for example telnet). We have a variable filter_allowed_protocols which whitelists more protocols to be allowed.
FilterUnitTestCase::testUrlFilter() is already doing such extended check. It would be great to introduce this extended protocol testing also to the CommonXssUnitTest::testBadProtocolStripping() test.
Add an array of strings with various protocols (similar to what is used in the FilterUnitTestCase::testUrlFilter()) to test the stripping by the drupal_strip_dangerous_protocols() completely. Include at least all allowed protocols.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Similar test in D10:
https://git.drupalcode.org/project/drupal/-/blob/10.0.9/core/modules/fil...
This LGTM, thanks!
Automatically closed - issue fixed for 2 weeks with no activity.