Add tests for SA-CORE-2025-004: Link field attribute XSS

xjm → credited benjifisher → .

xjm → credited bramdriesen → .

xjm → credited larowlan → .

xjm → credited longwave → .

xjm → credited mcdruid → .

Adding credits for folks who contributed to the development and review of the tests on the private issue.

Looks like the string typehinting worked. However, I found a newer version of the tests with additional test coverage in a private repo that was not posted to the private issue as directly. Will update the MR shortly.

xjm → credited alexpott → .

xjm → credited catch → .

Adding credits from additional reviewers on the private MR.

The things are green. I gave the tests a quick once-over and they look in order to me.

.

Forgot the tag.

Opened an MR with 2024-004 revert

Unit test fails with

  Line   core/modules/link/tests/src/Unit/AttributeXssTest.php                
 ------ --------------------------------------------------------------------- 
  16     @covers value \Drupal\link\AttributeXss references an invalid class  
         or function.                                                         
         🪪 phpunit.covers                                                    
  24     Call to static method sanitizeAttributes() on an unknown class       
         Drupal\link\AttributeXss.                                            
         🪪 class.notFound                                                    
         💡 Learn more at https://phpstan.org/user-guide/discovering-symbols  

kernel tests don't run is it needed to opened a 3rd MR without the unit test?

smustgrave → changed the visibility of the branch 3530149-revert-changes-2024-004 to hidden.

Deleted the Unit test from my MR since we saw it fail, lets see if the kernel does now.

kernel failed

    
    FF                                                                  2 / 2 (100%)
    
    Time: 00:04.448, Memory: 8.00 MB
    
    Link Formatter (Drupal\Tests\link\Kernel\LinkFormatter)
     ✘ Link formatter with default·formatter
       ┐
       ├ Failed asserting that 'Hello world' [ASCII](length: 101) contains "" [ASCII](length: 49).
       │
       │ /builds/issue/drupal-3530149/core/modules/link/tests/src/Kernel/LinkFormatterTest.php:118
       ┴
     ✘ Link formatter with separate·link·text·and·URL
       ┐
       ├ Failed asserting that 'Hello world\n                                     
       ├ https://www.drupal.org/\n
       ├ ' [ASCII](length: 126) contains "" [ASCII](length: 49).
       │
       │ /builds/issue/drupal-3530149/core/modules/link/tests/src/Kernel/LinkFormatterTest.php:118

MenuLinkTest failed with

      ┐
       ├ Failed asserting that 'Link test' [ASCII](length: 99) contains "" [ASCII](length: 49).
       │
       │ /builds/issue/drupal-3530149/core/modules/menu_link_content/tests/src/Kernel/MenuLinksTest.php:505

So believe this shows the test coverage is good