diff -u b/core/tests/Drupal/KernelTests/Component/Utility/SafeMarkupKernelTest.php b/core/tests/Drupal/KernelTests/Component/Utility/SafeMarkupKernelTest.php
--- b/core/tests/Drupal/KernelTests/Component/Utility/SafeMarkupKernelTest.php
+++ b/core/tests/Drupal/KernelTests/Component/Utility/SafeMarkupKernelTest.php
@@ -65,9 +65,12 @@
 public function providerTestSafeMarkup() {
 $data = [];
 $data['routed-url'] = ['Hey giraffe MUUUH', [':url' => ['route:system.admin']], 'Hey giraffe MUUUH'];
+ $data['routed-with-query'] = ['Hey giraffe MUUUH', [':url' => ['route:system.admin', ['query' => ['bar' => 'baz#']]]], 'Hey giraffe MUUUH'];
+ $data['routed-with-fragment'] = ['Hey giraffe MUUUH', [':url' => ['route:system.admin', ['fragment' => 'bar<']]], 'Hey giraffe MUUUH'];
+ $data['unrouted-url'] = ['Hey giraffe MUUUH', [':url' => ['base://foo']], 'Hey giraffe MUUUH'];
 $data['unrouted-with-query'] = ['Hey giraffe MUUUH', [':url' => ['base://foo', ['query' => ['bar' => 'baz#']]]], 'Hey giraffe MUUUH'];
- $data['unrouted-with-fragment'] = ['Hey giraffe MUUUH', [':url' => ['base://foo', ['fragment' => 'bar&']]], 'Hey giraffe MUUUH'];
- $data['mailto-protocol'] = ['Hey giraffe MUUUH', [':url' => ['mailto://test@example.com']], 'Hey giraffe MUUUH'];
+ $data['unrouted-with-fragment'] = ['Hey giraffe MUUUH', [':url' => ['base://foo', ['fragment' => 'bar<']]], 'Hey giraffe MUUUH'];
+ $data['mailto-protocol'] = ['Hey giraffe MUUUH', [':url' => ['mailto:test@example.com']], 'Hey giraffe MUUUH'];
 return $data;
 }
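Review bot: The 'unrouted-with-fragment' case swaps its fragment value 'bar&' for 'bar<' instead of gaining a sibling, so an ampersand inside a fragment is no longer covered by this provider; keeping both, e.g. `$data['unrouted-with-fragment-amp'] = ['Hey giraffe MUUUH', [':url' => ['base://foo', ['fragment' => 'bar&']]], 'Hey giraffe MUUUH'];`, costs one line. The new 'routed-with-query' and 'routed-with-fragment' cases usefully mirror the unrouted ones, but none of the query or fragment values in either group contains a double quote, so escaping at the href attribute boundary is not exercised by this provider. The input and expected columns read identically as plain text here, which suggests the placeholder markup was dropped in rendering; the href value actually asserted cannot be checked from this view.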
@@ -87,6 +90,8 @@
 $data = [];
 $data['js-protocol'] = ['Hey giraffe MUUUH', [':url' => ["javascript:alert('xss')"]]];
 $data['js-with-fromCharCode'] = ['Hey giraffe MUUUH', [':url' => ["javascript:alert(String.fromCharCode(88,83,83))"]]];
+ $data['non-url-with-colon'] = ['Hey giraffe MUUUH', [':url' => ["llamas: they are not URLs"]]];
+ $data['non-url-with-html'] = ['Hey giraffe MUUUH', [':url' => ['not a url']]];
 return $data;
 }
diff -u b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
--- b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php
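Review bot: The two cases added after 'js-with-fromCharCode' differ in kind from the javascript: ones above them — they are not URIs at all rather than URIs with a dangerous scheme — yet, unlike the matching hunk in SafeMarkupTest.php, they get no comment saying so; a line such as `// Not RFC 3986 URIs at all; like the javascript: cases above, these must not end up in an href.` before 'non-url-with-colon' would keep the two providers in step. As rendered here the 'non-url-with-html' value is the plain string 'not a url' with no markup in it; if that is what the file holds rather than tags lost in display, the case does not exercise what its key promises and should carry an actual tag, and the same applies to its twin in the SafeMarkupTest.php hunk. The provider's signature lies before the hunk, so which test consumes these cases and what it asserts about them is not visible from here.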
@@ -238,9 +238,16 @@
 $tests['external-url'] = ['Simple text giraffe', [':url' => 'http://example.com?foo&bar'], 'Simple text giraffe', 'Support for filtering bad protocols', TRUE];
 $tests['relative-url'] = ['Simple text giraffe', [':url' => '/node/1?foo&bar'], 'Simple text giraffe', 'Support for filtering bad protocols', TRUE];
 $tests['fragment-with-special-chars'] = ['Simple text giraffe', [':url' => 'http://example.com/#<'], 'Simple text giraffe', 'Support for filtering bad protocols', TRUE];
- $tests['mailto-protocol'] = ['Hey giraffe MUUUH', [':url' => 'mailto://test@example.com'], 'Hey giraffe MUUUH', '', TRUE];
+ $tests['mailto-protocol'] = ['Hey giraffe MUUUH', [':url' => 'mailto:test@example.com'], 'Hey giraffe MUUUH', '', TRUE];
 $tests['js-with-fromCharCode'] = ['Hey giraffe MUUUH', [':url' => "javascript:alert(String.fromCharCode(88,83,83))"], 'Hey giraffe MUUUH', '', TRUE];
+ // Test some "URL" values that are not RFC 3986 compliant URLs. The result
+ // of SafeMarkup::format() should still be valid HTML (other than the
+ // value of the "href" attribute not being a valid URL), and not
+ // vulnerable to XSS.
+ $tests['non-url-with-colon'] = ['Hey giraffe MUUUH', [':url' => "llamas: they are not URLs"], 'Hey giraffe MUUUH', '', TRUE];
+ $tests['non-url-with-html'] = ['Hey giraffe MUUUH', [':url' => "not a url"], 'Hey giraffe MUUUH', '', TRUE];
+
 return $tests;
 }