Add helper to escape URLs.

The escaping makes the URL safe for display and for use in HTML element
attributes (such as href="..." etc), but does not guarantee that the URL
itself is valid after conversion. This should be good enough for
mitigating XSS issues caused by injecting html or javascript into a URL.
Also probably good enough for _most_ normal URLs, but there may be
devils hidden in the details somewhere.

1 files changed, 20 insertions, 0 deletions

diff --git a/tests/unit/AntiXSSTest.php b/tests/unit/AntiXSSTest.php
index b45042a1e..09642726f 100644
--- a/tests/unit/AntiXSSTest.php
+++ b/tests/unit/AntiXSSTest.php
@@ -24,6 +24,26 @@ class AntiXSSTest extends TestCase {
 		$this->assertEquals("<submit type="button" onclick="alert('failed!');" />", $escapedString);
 	}
 
+  /**
+   * @dataProvider urlTestProvider
+   */
+  public function testEscapeURL($url, $expected) : void {
+    $this->assertEquals($expected, escape_url($url));
+  }
+
+  public function urlTestProvider() : array {
+    return [
+      [
+        "https://example.com/settings/calendar/?f=&rpath=https://example.com/cdav/calendar'><script>alert('boom')</script>",
+        "https://example.com/settings/calendar/?f=&amp;rpath=https://example.com/cdav/calendar&apos;&gt;&lt;script&gt;alert(&apos;boom&apos;)&lt;/script&gt;"
+      ],
+      [
+        "settings/calendar/?f=&rpath=https://example.com'+accesskey=x+onclick=alert(/boom/);a='",
+        "settings/calendar/?f=&amp;rpath=https://example.com&apos;+accesskey=x+onclick=alert(/boom/);a=&apos;"
+      ],
+    ];
+  }
+
 	/**
 	 *xmlify and unxmlify
 	 */