[D7] Update CommonXssUnitTest::testBadProtocolStripping() to check other allowed / dangerous protocols

Created on 7 September 2022, almost 2 years ago
Updated 26 May 2023, about 1 year ago

Problem/Motivation

This is a follow-up to: #2990723-14: Security improvement for l() function .

Current implementation of the CommonXssUnitTest::testBadProtocolStripping() does only check if javascript: protocol is stripped. It doesn't check all allowed protocols whether they are kept or stripped (for example telnet). We have a variable filter_allowed_protocols which whitelists more protocols to be allowed.

FilterUnitTestCase::testUrlFilter() is already doing such extended check. It would be great to introduce this extended protocol testing also to the CommonXssUnitTest::testBadProtocolStripping() test.

Steps to reproduce

Proposed resolution

Add an array of strings with various protocols (similar to what is used in the FilterUnitTestCase::testUrlFilter()) to test the stripping by the drupal_strip_dangerous_protocols() completely. Include at least all allowed protocols.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

📌 Task
Status

Fixed

Version

7.0 ⚰️

Component
Simpletest 

Last updated 1 day ago

Created by

🇸🇰Slovakia poker10

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.69.0 2024