filter_xss_bad_protocol is called hundreds of times on some pages.

I should mention that with the patch, the function calls on that same page go down to 2. Here's kcachegrind screenshots.

Proper status.

We don't have proper tests for l() and url() yet, unless I've missed them. Could do with some reviews on the logic though as well.

This would've been a security hole when $options['external'] was set. But here's a slightly modified version with some initial tests for l() - which as far as I can see looks quite solid. Could do with some serious review from someone with better XSS chops than me.

Discussed this with chx and lyricnz in #drupal - I think we should centralise all the XSS examples from http://ha.ckers.org/xss.html in either common.test or drupalWebTestCase so we can do foreach ($this->xss_examples as $xss) wherever we need to do unit tests with functions which are supposed to filter XSS.

That should reduce a lot of duplication. Will try to get a patch started later tonight, but of course anyone else is welcome to.

Here it is with a better test using neclimdul's script. Both HEAD and the patch pass all tests. Adds CommonXSSTestCase() so we can use it for other functions.

$options['external'] isn't a valid option for l() - although it's used in core twice (powered by Drupal and a link to OpenID) which probably needs tidying up, so this is the same patch as #1 + the tests.

Re-rolled.

grrr.

Discussed this with neclimidul in IRC - since some of these attacks assume they'll be partially filtered, just checking for the same string might not be sufficient. So instead I've modified the test so that instead we confirm that the output of check_url(url($path)) is found inside the output of l(). This pretty much ensures that the output from l() is identical to what we'd get in the existing code - and means that since the test still passes we really, really don't need the extra call.

Well the idea there was to confirm that whether we wrap the url() call in check_url() or not, we get the same result - confirming that the call is redundant. I've got my eye on some drupal_attributes() calls as well since we do that even if we've only added 'active' as a class - and again it'd be good to have a sanity check just to make sure there's no over-optimisation there.

We obviously need full unit tests for check_plain() check_url(), filter_xss_admin() etc. to ensure they actually escape properly - but while I'm hoping the examples in this one will be useful for those tests, I don't think they're needed for this patch.

Re-rolled with only one example. Will switch the XSSTestCase into a new issue so we can add it along with proper tests.