Hi,
I noticed that the CommonURLUnitTest::testLXSS() test case checks the URL only. It would be great to extend this method to check the title as well.

E.g. we can override theme_link() in our own theme and miss check_plain() for the title of the link. When we run this test case, CommonURLUnitTest::testLXSS(), it will pass even if the title is vulnerable (a fail is expected).
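As an added illustration (not code from this issue or from Drupal core), here is a theme_link() override that omits check_plain() on the title, the corrected override, and a check that mirrors the kind of assertion the issue asks for. check_plain() is stood in by a local helper (local_check_plain, an assumption) so it runs without a Drupal bootstrap, and path handling is simplified (no url()).

```php
<?php
// Added example, not from the issue or Drupal core. Shows why a title check
// is needed: a theme override can escape the href and still leak the title.

function local_check_plain($text) {
  // Stand-in for Drupal 7's check_plain(): htmlspecialchars with ENT_QUOTES/UTF-8.
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable override: the title is dropped into the markup unescaped.
function mytheme_link_unsafe(array $variables) {
  $href = local_check_plain($variables['path']);
  return '<a href="' . $href . '">' . $variables['text'] . '</a>';
}

// Corrected override: escape the title unless the caller passed 'html' => TRUE,
// which is the contract l() and theme_link() follow.
function mytheme_link_safe(array $variables) {
  $href = local_check_plain($variables['path']);
  $html = !empty($variables['options']['html']);
  $title = $html ? $variables['text'] : local_check_plain($variables['text']);
  return '<a href="' . $href . '">' . $title . '</a>';
}

// Run a renderer against a constructed title payload. The escaped title must
// be present AND the raw payload must be absent; checking only presence of the
// escaped form would still pass a renderer that emitted both.
function title_is_filtered(callable $renderer) {
  $text = "<SCRIPT>alert('Title XSS')</SCRIPT>";
  $variables = array('text' => $text, 'path' => 'node/1', 'options' => array());
  $link = $renderer($variables);
  return strpos($link, local_check_plain($text)) !== FALSE
    && strpos($link, $text) === FALSE;
}

var_dump(title_is_filtered('mytheme_link_unsafe'));
var_dump(title_is_filtered('mytheme_link_safe'));
```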

Comments

alan-ps created an issue.


I think we can add something like this:

   function testLXSS() {
-    $text = $this->randomName();
-    $path = "<SCRIPT>alert('XSS')</SCRIPT>";
+    $text = "<SCRIPT>alert('Title XSS')</SCRIPT>";
+    $path = "<SCRIPT>alert('URL XSS')</SCRIPT>";
+
     $link = l($text, $path);
+    $sanitized_text = check_plain($text);
     $sanitized_path = check_url(url($path));
+
+    $this->assertTrue(strpos($link, $sanitized_text) !== FALSE, format_string('XSS attack @text was filtered', array('@text' => $text)));
     $this->assertTrue(strpos($link, $sanitized_path) !== FALSE, format_string('XSS attack @path was filtered', array('@path' => $path)));
   }
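Review bot: the new title assertion only proves the escaped title is present in $link; it does not prove the raw `<SCRIPT>` payload is absent, so a theme_link() override that emitted the text both escaped and unescaped would still pass. Add a negative check next to it, e.g. `$this->assertIdentical(strpos($link, $text), FALSE, format_string('Unfiltered title @text is absent', array('@text' => $text)));`, and the same for $path, so the test fails on exactly the bug the issue describes.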