CodeExplorer
You are a developer and looking for Shopware projects?
Apply Now!
stripDangerousProtocols example
public function testBadProtocolStripping() {
// Ensure that check_url() strips out harmful protocols, and encodes for // HTML. // Ensure \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols() can // be used to return a plain-text string stripped of harmful protocols. $url = 'javascript:http://www.example.com/?x=1&y=2';
$expected_plain = 'http://www.example.com/?x=1&y=2';
$expected_html = 'http://www.example.com/?x=1&y=2';
$this->assertSame($expected_html, UrlHelper::filterBadProtocol($url), '\\Drupal\\Component\\Utility\\UrlHelper::filterBadProtocol() filters a URL and encodes it for HTML.');
$this->assertSame($expected_plain, UrlHelper::stripDangerousProtocols($url), '\\Drupal\\Component\\Utility\\UrlHelper::stripDangerousProtocols() filters a URL and returns plain text.');
}
}
public function testStripDangerousProtocols($uri, $expected, $protocols) {
UrlHelper::setAllowedProtocols($protocols);
$stripped = UrlHelper::stripDangerousProtocols($uri);
$this->assertEquals($expected, $stripped);
}
/** * Provides data for self::testStripDangerousProtocols(). * * @return array */
public static function providerTestStripDangerousProtocols() {
return [
['javascript://example.com', '//example.com', ['http', 'https']],
switch ($type) {
case 'xss':
$value = Xss::filter($value);
break;
case 'xss_admin':
$value = Xss::filterAdmin($value);
break;
case 'url':
$value = Html::escape(UrlHelper::stripDangerousProtocols($value));
break;
default:
$value = Html::escape($value);
break;
}
return ViewsRenderPipelineMarkup::create($value);
}
/** * Transform a string by a certain method. * * @param $string * The input you want to transform. * @param $option * How do you want to transform it, possible values: * - upper: Uppercase the string. * - lower: lowercase the string. * - ucfirst: Make the first char uppercase. * - ucwords: Make each word in the string uppercase. * * @return string * The transformed string. */
// \Drupal\Component\Render\MarkupInterface, for example strings will
// be escaped.
// Strings that are safe within HTML fragments, but not within other
// contexts, may still be an instance of
// \Drupal\Component\Render\MarkupInterface, so this placeholder type
// must not be used within HTML attributes, JavaScript, or CSS.
$args[$key] = static::placeholderEscape($value);
break;
case ':':
// Strip URL protocols that can be XSS vectors. $value = UrlHelper::stripDangerousProtocols($value);
// Escape unconditionally, without checking whether the value is an // instance of \Drupal\Component\Render\MarkupInterface. This forces // characters that are unsafe for use in an "href" HTML attribute to // be encoded. If a caller wants to pass a value that is extracted // from HTML and therefore is already HTML encoded, it must invoke // \Drupal\Component\Render\OutputStrategyInterface::renderFromHtml() // on it prior to passing it in as a placeholder value of this type. // @todo Add some advice and stronger warnings. // https://www.drupal.org/node/2569041. $args[$key] = Html::escape($value);
break;
break;
case ':':
// Strip URL protocols that can be XSS vectors. $value = UrlHelper::stripDangerousProtocols($value);
// Escape unconditionally, without checking whether the value is an // instance of \Drupal\Component\Render\MarkupInterface. This forces // characters that are unsafe for use in an "href" HTML attribute to // be encoded. If a caller wants to pass a value that is extracted // from HTML and therefore is already HTML encoded, it must invoke // \Drupal\Component\Render\OutputStrategyInterface::renderFromHtml() // on it prior to passing it in as a placeholder value of this type. // @todo Add some advice and stronger warnings. // https://www.drupal.org/node/2569041. $args[$key] = Html::escape($value);
break;
return (str_starts_with($path, '//'))
// Leading control characters may be ignored or mishandled by browsers, // so assume such a path may lead to an external location. The \p{C} // character class matches all UTF-8 control, unassigned, and private // characters. || (preg_match('/^\p{C}/u', $path) !== 0)
// Avoid calling static::stripDangerousProtocols() if there is any slash // (/), hash (#) or question_mark (?) before the colon (:) occurrence - // if any - as this would clearly mean it is not a URL. || ($colonpos !== FALSE
&& !preg_match('![/?#]!', substr($path, 0, $colonpos))
&& static::stripDangerousProtocols($path) == $path);
}
/** * Determines if an external URL points to this installation. * * @param string $url * A string containing an external URL, such as "http://example.com/foo". * @param string $base_url * The base URL string to check against, such as "http://example.com/" * * @return bool * TRUE if the URL has the same domain and base path. * * @throws \InvalidArgumentException * Exception thrown when either $url or $base_url are not fully qualified. */
// Leading control characters may be ignored or mishandled by browsers, // so assume such a path may lead to an external location. The \p{C} // character class matches all UTF-8 control, unassigned, and private // characters. || (preg_match('/^\p{C}/u', $path) !== 0)
// Avoid calling static::stripDangerousProtocols() if there is any slash // (/), hash (#) or question_mark (?) before the colon (:) occurrence - // if any - as this would clearly mean it is not a URL. || ($colonpos !== FALSE
&& !preg_match('![/?#]!', substr($path, 0, $colonpos))
&& static::stripDangerousProtocols($path) == $path);
}
/** * Determines if an external URL points to this installation. * * @param string $url * A string containing an external URL, such as "http://example.com/foo". * @param string $base_url * The base URL string to check against, such as "http://example.com/" * * @return bool * TRUE if the URL has the same domain and base path. * * @throws \InvalidArgumentException * Exception thrown when either $url or $base_url are not fully qualified. */