3 namespace Drupal\Tests\system\Functional\Routing;
6 use Drupal\Tests\BrowserTestBase;
9 * Tests for $_GET['destination'] and $_REQUEST['destination'] validation.
11 * Note: This covers basically the same cases as
12 * \Drupal\Tests\Core\EventSubscriber\RedirectResponseSubscriberTest::testSanitizeDestinationForGet
13 * \Drupal\Tests\Core\EventSubscriber\RedirectResponseSubscriberTest::testSanitizeDestinationForPost
14 * but over real GET and POST requests, because we want to be absolutely sure it works.
18 class DestinationTest extends BrowserTestBase {
23 public static $modules = ['system_test'];
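26 * Tests that $_GET['destination'] and $_REQUEST['destination'] contain only internal URLs. Inputs such as 'example:test' and 'javascript:alert(0)' are treated as internal and pass through unchanged; this test checks only the sanitized value, not how that value is later output.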
28 public function testDestination() {
29 $http_client = $this->getHttpClient();
30 $session = $this->getSession();
36 'message' => "Standard internal example node path is present in the 'destination' parameter.",
39 'input' => '/example.com',
40 'output' => '/example.com',
41 'message' => 'Internal path with one leading slash is allowed.',
44 'input' => '//example.com/test',
46 'message' => 'External URL without scheme is not allowed.',
49 'input' => 'example:test',
50 'output' => 'example:test',
51 'message' => 'Internal URL using a colon is allowed.',
54 'input' => 'http://example.com',
56 'message' => 'External URL is not allowed.',
59 'input' => 'javascript:alert(0)',
60 'output' => 'javascript:alert(0)',
61 'message' => 'Javascript URL is allowed because it is treated as an internal URL.',
64 foreach ($test_cases as $test_case) {
65 // Test $_GET['destination'].
66 $this->drupalGet('system-test/get-destination', ['query' => ['destination' => $test_case['input']]]);
67 $this->assertIdentical($test_case['output'], $session->getPage()->getContent(), $test_case['message']);
68 // Test $_REQUEST['destination'].
69 $post_output = $http_client->request('POST', $this->buildUrl('system-test/request-destination'), [
70 'form_params' => ['destination' => $test_case['input']],
72 $this->assertIdentical($test_case['output'], (string) $post_output->getBody(), $test_case['message']);
75 // Make sure that 404 pages do not populate $_GET['destination'] with external URLs.
77 \Drupal::configFactory()->getEditable('system.site')->set('page.404', '/system-test/get-destination')->save();
78 $this->drupalGet('http://example.com', ['external' => FALSE]);
79 $this->assertResponse(404);
80 $this->assertIdentical(Url::fromRoute('<front>')->toString(), $session->getPage()->getContent(), 'External URL is not allowed on 404 pages.');