public function testLinkXSS() { // Test link generator.
$text =
$this->
randomMachineName();
$path = "<SCRIPT>alert('XSS')</SCRIPT>";
$encoded_path = "3CSCRIPT%3Ealert%28%27XSS%27%29%3C/SCRIPT%3E";
$link = Link::
fromTextAndUrl($text, Url::
fromUserInput('/' .
$path))->
toString();
$this->
assertStringContainsString($encoded_path,
$link,
new FormattableMarkup('XSS attack @path was filtered by \Drupal\Core\Utility\LinkGeneratorInterface::generate().',
['@path' =>
$path]));
$this->
assertStringNotContainsString($path,
$link,
new FormattableMarkup('XSS attack @path was filtered by \Drupal\Core\Utility\LinkGeneratorInterface::generate().',
['@path' =>
$path]));
// Test \Drupal\Core\Url.
$link = Url::
fromUri('base:' .
$path)->
toString();
$this->
assertStringContainsString($encoded_path,
$link,
new FormattableMarkup('XSS attack @path was filtered by #theme',
['@path' =>
$path]));
$this->
assertStringNotContainsString($path,
$link,
new FormattableMarkup('XSS attack @path was filtered by #theme',
['@path' =>
$path]));
} /**
* Tests that #type=link bubbles outbound route/path processors' metadata.
*/
public function testLinkBubbleableMetadata() { \Drupal::
service('module_installer'
)->
install(['user'
]);
$cases =
[ [