[SECURITY] Disallow javascript & data scheme in URL link handler
[Packages/TYPO3.CMS.git] / typo3 / sysext / core / Tests / Unit / LinkHandling / UrlLinkHandlerTest.php
1 <?php
2 namespace TYPO3\CMS\Core\Tests\Unit\LinkHandling;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Core\LinkHandling\UrlLinkHandler;
18 use TYPO3\TestingFramework\Core\Unit\UnitTestCase;
19
/**
 * Unit tests for UrlLinkHandler: resolving link data into handler parameters
 * and turning those parameters back into a URL string.
 */
class UrlLinkHandlerTest extends UnitTestCase
{
    /**
     * Datasets shared by both tests below.
     *
     * Each dataset is a triple:
     *   0: the array handed to resolveHandlerData()
     *   1: the array resolveHandlerData() is expected to return; it is also
     *      the argument handed to asString()
     *   2: the string asString() is expected to return
     *
     * @return array
     */
    public function resolveParametersForNonFilesDataProvider()
    {
        // Builds a dataset for a URL that is expected to come back unchanged
        // from both resolveHandlerData() and asString().
        $unchanged = static function ($url) {
            return [
                ['url' => $url],
                ['url' => $url],
                $url,
            ];
        };

        $httpUrl = 'http://www.have.you/ever?did=this';

        return [
            // A URL without a scheme is expected to get "http://" prepended.
            'URL without a scheme' => [
                ['url' => 'www.have.you/ever?did=this'],
                ['url' => $httpUrl],
                $httpUrl,
            ],
            'http URL' => $unchanged($httpUrl),
            'https URL' => $unchanged('https://www.have.you/ever?did=this'),
            'https URL with port' => $unchanged('https://www.have.you:8088/ever?did=this'),
            'ftp URL' => $unchanged('ftp://www.have.you/ever?did=this'),
            'afp URL' => $unchanged('afp://www.have.you/ever?did=this'),
            'sftp URL' => $unchanged('sftp://nice:andsecret@www.have.you:23/ever?did=this'),
            'tel URL' => $unchanged('tel:+1-2345-6789'),

            // Security regression cases: javascript: and data: URLs must not
            // survive resolving. The expected result is an empty URL rather
            // than the rejected input.
            // NOTE(review): only the lowercase spelling of each denied scheme
            // is covered, and URL schemes are case-insensitive; a mixed-case
            // dataset would pin that behaviour. Confirm against UrlLinkHandler.
            'javascript URL (denied)' => [
                ['url' => 'javascript:alert(\'XSS\')'],
                ['url' => ''],
                '',
            ],
            'data URL (denied)' => [
                ['url' => 'data:text/html;base64,SGVsbG8sIFdvcmxkIQ%3D%3D'],
                ['url' => ''],
                '',
            ],
        ];
    }

    /**
     * resolveHandlerData() must turn the input array into the expected
     * parameter array.
     *
     * @test
     *
     * @param array $input link data handed to the handler
     * @param array $expected parameters the handler must return
     * @param string $finalString unused here; part of the shared dataset
     *
     * @dataProvider resolveParametersForNonFilesDataProvider
     */
    public function resolveReturnsSplitParameters($input, $expected, $finalString)
    {
        $handler = new UrlLinkHandler();
        $resolved = $handler->resolveHandlerData($input);

        self::assertEquals($expected, $resolved);
    }

    /**
     * asString() must turn the parameter array into the expected URL string.
     *
     * NOTE(review): for the denied datasets $parameters is already
     * ['url' => ''], so asString() is never handed a javascript: or data:
     * URL by this test; that path is not covered here.
     *
     * @test
     *
     * @param array $input unused here; part of the shared dataset
     * @param array $parameters parameters handed to asString()
     * @param string $expected URL string asString() must return
     *
     * @dataProvider resolveParametersForNonFilesDataProvider
     */
    public function splitParametersToUnifiedIdentifier($input, $parameters, $expected)
    {
        $handler = new UrlLinkHandler();
        $asString = $handler->asString($parameters);

        self::assertEquals($expected, $asString);
    }
}