stripDangerousProtocols example


  public function testBadProtocolStripping() {
    // Ensure that check_url() strips out harmful protocols, and encodes for     // HTML.     // Ensure \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols() can     // be used to return a plain-text string stripped of harmful protocols.     $url = 'javascript:http://www.example.com/?x=1&y=2';
    $expected_plain = 'http://www.example.com/?x=1&y=2';
    $expected_html = 'http://www.example.com/?x=1&y=2';
    $this->assertSame($expected_html, UrlHelper::filterBadProtocol($url), '\\Drupal\\Component\\Utility\\UrlHelper::filterBadProtocol() filters a URL and encodes it for HTML.');
    $this->assertSame($expected_plain, UrlHelper::stripDangerousProtocols($url), '\\Drupal\\Component\\Utility\\UrlHelper::stripDangerousProtocols() filters a URL and returns plain text.');

  }

}

  public function testStripDangerousProtocols($uri$expected$protocols) {
    UrlHelper::setAllowedProtocols($protocols);
    $stripped = UrlHelper::stripDangerousProtocols($uri);
    $this->assertEquals($expected$stripped);
  }

  /**
   * Provides data for self::testStripDangerousProtocols().
   *
   * @return array
   */
  public static function providerTestStripDangerousProtocols() {
    return [
      ['javascript://example.com', '//example.com', ['http', 'https']],
      

    switch ($type) {
      case 'xss':
        $value = Xss::filter($value);
        break;

      case 'xss_admin':
        $value = Xss::filterAdmin($value);
        break;

      case 'url':
        $value = Html::escape(UrlHelper::stripDangerousProtocols($value));
        break;

      default:
        $value = Html::escape($value);
        break;
    }
    return ViewsRenderPipelineMarkup::create($value);
  }

  /**
   * Transform a string by a certain method.
   *
   * @param $string
   *   The input you want to transform.
   * @param $option
   *   How do you want to transform it, possible values:
   *   - upper: Uppercase the string.
   *   - lower: lowercase the string.
   *   - ucfirst: Make the first char uppercase.
   *   - ucwords: Make each word in the string uppercase.
   *
   * @return string
   *   The transformed string.
   */
          // \Drupal\Component\Render\MarkupInterface, for example strings will           // be escaped.           // Strings that are safe within HTML fragments, but not within other           // contexts, may still be an instance of           // \Drupal\Component\Render\MarkupInterface, so this placeholder type           // must not be used within HTML attributes, JavaScript, or CSS.           $args[$key] = static::placeholderEscape($value);
          break;

        case ':':
          // Strip URL protocols that can be XSS vectors.           $value = UrlHelper::stripDangerousProtocols($value);
          // Escape unconditionally, without checking whether the value is an           // instance of \Drupal\Component\Render\MarkupInterface. This forces           // characters that are unsafe for use in an "href" HTML attribute to           // be encoded. If a caller wants to pass a value that is extracted           // from HTML and therefore is already HTML encoded, it must invoke           // \Drupal\Component\Render\OutputStrategyInterface::renderFromHtml()           // on it prior to passing it in as a placeholder value of this type.           // @todo Add some advice and stronger warnings.           // https://www.drupal.org/node/2569041.           $args[$key] = Html::escape($value);
          break;

        
    return (str_starts_with($path, '//'))
      // Leading control characters may be ignored or mishandled by browsers,       // so assume such a path may lead to an external location. The \p{C}       // character class matches all UTF-8 control, unassigned, and private       // characters.       || (preg_match('/^\p{C}/u', $path) !== 0)
      // Avoid calling static::stripDangerousProtocols() if there is any slash       // (/), hash (#) or question_mark (?) before the colon (:) occurrence -       // if any - as this would clearly mean it is not a URL.       || ($colonpos !== FALSE
        && !preg_match('![/?#]!', substr($path, 0, $colonpos))
        && static::stripDangerousProtocols($path) == $path);
  }

  /**
   * Determines if an external URL points to this installation.
   *
   * @param string $url
   *   A string containing an external URL, such as "http://example.com/foo".
   * @param string $base_url
   *   The base URL string to check against, such as "http://example.com/".
   *
   * @return bool
   *   TRUE if the URL has the same domain and base path.
   *
   * @throws \InvalidArgumentException
   *   Exception thrown when either $url or $base_url are not fully qualified.
   */