Problem/Motivation

This is a follow-up to: #2990723-14: Security improvement for l() function.

Current implementation of the CommonXssUnitTest::testBadProtocolStripping() does only check if javascript: protocol is stripped. It doesn't check all allowed protocols whether they are kept or stripped (for example telnet). We have a variable filter_allowed_protocols which whitelists more protocols to be allowed.

FilterUnitTestCase::testUrlFilter() is already doing such extended check. It would be great to introduce this extended protocol testing also to the CommonXssUnitTest::testBadProtocolStripping() test.

Steps to reproduce

Proposed resolution

Add an array of strings with various protocols (similar to what is used in the FilterUnitTestCase::testUrlFilter()) to test the stripping by the drupal_strip_dangerous_protocols() completely. Include at least all allowed protocols.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

CommentFileSizeAuthor
#2 3308471-2.patch2.21 KBpoker10

Comments

poker10 created an issue. See original summary.

poker10’s picture

poker10 commented
Status: Active » Needs review
StatusFileSize
new 3308471-2.patch2.21 KB

Added a list of all allowed and two disallowed protocols to the test.

mcdruid’s picture

mcdruid commented
Status: Needs review » Reviewed & tested by the community
Issue tags: +RTBM

Similar test in D10:

https://git.drupalcode.org/project/drupal/-/blob/10.0.9/core/modules/fil...

This LGTM, thanks!

  • poker10 committed 9ce7214b on 7.x 
    Issue #3308471 by poker10: [D7] Update CommonXssUnitTest::...
poker10’s picture

poker10 commented
Status: Reviewed & tested by the community » Fixed
Issue tags: -RTBM

Committed, thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.