randomMachineName(); $path = ""; $link = \Drupal::l($text, Url::fromUserInput('/' . $path)); $sanitized_path = check_url(Url::fromUri('base:' . $path)->toString()); $this->assertTrue(strpos($link, $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered by _l().', array('@path' => $path))); // Test \Drupal\Core\Url. $link = Url::fromUri('base:' . $path)->toString(); $sanitized_path = check_url(Url::fromUri('base:' . $path)->toString()); $this->assertTrue(strpos($link, $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered by #theme', ['@path' => $path])); } /** * Tests that default and custom attributes are handled correctly on links. */ function testLinkAttributes() { // Test that hreflang is added when a link has a known language. $language = new Language(array('id' => 'fr', 'name' => 'French')); $hreflang_link = array( '#type' => 'link', '#options' => array( 'language' => $language, ), '#url' => Url::fromUri('http://drupal.org'), '#title' => 'bar', ); $langcode = $language->getId(); // Test that the default hreflang handling for links does not override a // hreflang attribute explicitly set in the render array. $hreflang_override_link = $hreflang_link; $hreflang_override_link['#options']['attributes']['hreflang'] = 'foo'; $rendered = drupal_render($hreflang_link); $this->assertTrue($this->hasAttribute('hreflang', $rendered, $langcode), format_string('hreflang attribute with value @langcode is present on a rendered link when langcode is provided in the render array.', array('@langcode' => $langcode))); $rendered = drupal_render($hreflang_override_link); $this->assertTrue($this->hasAttribute('hreflang', $rendered, 'foo'), format_string('hreflang attribute with value @hreflang is present on a rendered link when @hreflang is provided in the render array.', array('@hreflang' => 'foo'))); // Test the active class in links produced by _l() and #type 'link'. $options_no_query = array(); $options_query = array( 'query' => array( 'foo' => 'bar', 'one' => 'two', ), ); $options_query_reverse = array( 'query' => array( 'one' => 'two', 'foo' => 'bar', ), ); // Test #type link. $path = 'common-test/type-link-active-class'; $this->drupalGet($path, $options_no_query); $links = $this->xpath('//a[@href = :href and contains(@class, :class)]', array(':href' => Url::fromRoute('common_test.l_active_class', [], $options_no_query)->toString(), ':class' => 'is-active')); $this->assertTrue(isset($links[0]), 'A link generated by _l() to the current page is marked active.'); $links = $this->xpath('//a[@href = :href and not(contains(@class, :class))]', array(':href' => Url::fromRoute('common_test.l_active_class', [], $options_query)->toString(), ':class' => 'is-active')); $this->assertTrue(isset($links[0]), 'A link generated by _l() to the current page with a query string when the current page has no query string is not marked active.'); $this->drupalGet($path, $options_query); $links = $this->xpath('//a[@href = :href and contains(@class, :class)]', array(':href' => Url::fromRoute('common_test.l_active_class', [], $options_query)->toString(), ':class' => 'is-active')); $this->assertTrue(isset($links[0]), 'A link generated by _l() to the current page with a query string that matches the current query string is marked active.'); $links = $this->xpath('//a[@href = :href and contains(@class, :class)]', array(':href' => Url::fromRoute('common_test.l_active_class', [], $options_query_reverse)->toString(), ':class' => 'is-active')); $this->assertTrue(isset($links[0]), 'A link generated by _l() to the current page with a query string that has matching parameters to the current query string but in a different order is marked active.'); $links = $this->xpath('//a[@href = :href and not(contains(@class, :class))]', array(':href' => Url::fromRoute('common_test.l_active_class', [], $options_no_query)->toString(), ':class' => 'is-active')); $this->assertTrue(isset($links[0]), 'A link generated by _l() to the current page without a query string when the current page has a query string is not marked active.'); // Test adding a custom class in links produced by _l() and #type 'link'. // Test _l(). $class_l = $this->randomMachineName(); $link_l = \Drupal::l($this->randomMachineName(), new Url('', [], ['attributes' => ['class' => [$class_l]]])); $this->assertTrue($this->hasAttribute('class', $link_l, $class_l), format_string('Custom class @class is present on link when requested by l()', array('@class' => $class_l))); // Test #type. $class_theme = $this->randomMachineName(); $type_link = array( '#type' => 'link', '#title' => $this->randomMachineName(), '#url' => Url::fromRoute(''), '#options' => array( 'attributes' => array( 'class' => array($class_theme), ), ), ); $link_theme = drupal_render($type_link); $this->assertTrue($this->hasAttribute('class', $link_theme, $class_theme), format_string('Custom class @class is present on link when requested by #type', array('@class' => $class_theme))); } /** * Tests that link functions support render arrays as 'text'. */ function testLinkRenderArrayText() { // Build a link with _l() for reference. $l = \Drupal::l('foo', Url::fromUri('http://drupal.org')); // Test a renderable array passed to _l(). $renderable_text = array('#markup' => 'foo'); $l_renderable_text = \Drupal::l($renderable_text, Url::fromUri('http://drupal.org')); $this->assertEqual($l_renderable_text, $l); // Test a themed link with plain text 'text'. $type_link_plain_array = array( '#type' => 'link', '#title' => 'foo', '#url' => Url::fromUri('http://drupal.org'), ); $type_link_plain = drupal_render($type_link_plain_array); $this->assertEqual($type_link_plain, $l); // Build a themed link with renderable 'text'. $type_link_nested_array = array( '#type' => 'link', '#title' => array('#markup' => 'foo'), '#url' => Url::fromUri('http://drupal.org'), ); $type_link_nested = drupal_render($type_link_nested_array); $this->assertEqual($type_link_nested, $l); } /** * Checks for class existence in link. * * @param $link * URL to search. * @param $class * Element class to search for. * * @return bool * TRUE if the class is found, FALSE otherwise. */ private function hasAttribute($attribute, $link, $class) { return preg_match('|' . $attribute . '="([^\"\s]+\s+)*' . $class . '|', $link); } /** * Tests UrlHelper::filterQueryParameters(). */ function testDrupalGetQueryParameters() { $original = array( 'a' => 1, 'b' => array( 'd' => 4, 'e' => array( 'f' => 5, ), ), 'c' => 3, ); // First-level exclusion. $result = $original; unset($result['b']); $this->assertEqual(UrlHelper::filterQueryParameters($original, array('b')), $result, "'b' was removed."); // Second-level exclusion. $result = $original; unset($result['b']['d']); $this->assertEqual(UrlHelper::filterQueryParameters($original, array('b[d]')), $result, "'b[d]' was removed."); // Third-level exclusion. $result = $original; unset($result['b']['e']['f']); $this->assertEqual(UrlHelper::filterQueryParameters($original, array('b[e][f]')), $result, "'b[e][f]' was removed."); // Multiple exclusions. $result = $original; unset($result['a'], $result['b']['e'], $result['c']); $this->assertEqual(UrlHelper::filterQueryParameters($original, array('a', 'b[e]', 'c')), $result, "'a', 'b[e]', 'c' were removed."); } /** * Tests UrlHelper::parse(). */ function testDrupalParseUrl() { // Relative, absolute, and external URLs, without/with explicit script path, // without/with Drupal path. foreach (array('', '/', 'http://drupal.org/') as $absolute) { foreach (array('', 'index.php/') as $script) { foreach (array('', 'foo/bar') as $path) { $url = $absolute . $script . $path . '?foo=bar&bar=baz&baz#foo'; $expected = array( 'path' => $absolute . $script . $path, 'query' => array('foo' => 'bar', 'bar' => 'baz', 'baz' => ''), 'fragment' => 'foo', ); $this->assertEqual(UrlHelper::parse($url), $expected, 'URL parsed correctly.'); } } } // Relative URL that is known to confuse parse_url(). $url = 'foo/bar:1'; $result = array( 'path' => 'foo/bar:1', 'query' => array(), 'fragment' => '', ); $this->assertEqual(UrlHelper::parse($url), $result, 'Relative URL parsed correctly.'); // Test that drupal can recognize an absolute URL. Used to prevent attack vectors. $url = 'http://drupal.org/foo/bar?foo=bar&bar=baz&baz#foo'; $this->assertTrue(UrlHelper::isExternal($url), 'Correctly identified an external URL.'); // Test that UrlHelper::parse() does not allow spoofing a URL to force a malicious redirect. $parts = UrlHelper::parse('forged:http://cwe.mitre.org/data/definitions/601.html'); $this->assertFalse(UrlHelper::isValid($parts['path'], TRUE), '\Drupal\Component\Utility\UrlHelper::isValid() correctly parsed a forged URL.'); } /** * Tests external URL handling. */ function testExternalUrls() { $test_url = 'http://drupal.org/'; // Verify external URL can contain a fragment. $url = $test_url . '#drupal'; $result = Url::fromUri($url)->toString(); $this->assertEqual($url, $result, 'External URL with fragment works without a fragment in $options.'); // Verify fragment can be overridden in an external URL. $url = $test_url . '#drupal'; $fragment = $this->randomMachineName(10); $result = Url::fromUri($url, array('fragment' => $fragment))->toString(); $this->assertEqual($test_url . '#' . $fragment, $result, 'External URL fragment is overidden with a custom fragment in $options.'); // Verify external URL can contain a query string. $url = $test_url . '?drupal=awesome'; $result = Url::fromUri($url)->toString(); $this->assertEqual($url, $result); // Verify external URL can be extended with a query string. $url = $test_url; $query = array($this->randomMachineName(5) => $this->randomMachineName(5)); $result = Url::fromUri($url, array('query' => $query))->toString(); $this->assertEqual($url . '?' . http_build_query($query, '', '&'), $result, 'External URL can be extended with a query string in $options.'); // Verify query string can be extended in an external URL. $url = $test_url . '?drupal=awesome'; $query = array($this->randomMachineName(5) => $this->randomMachineName(5)); $result = Url::fromUri($url, array('query' => $query))->toString(); $this->assertEqual($url . '&' . http_build_query($query, '', '&'), $result); } }