From 8c19ab8f9f47a522ad2b929495f3b5821efd2f34 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen <haraldei@anduin.net>
Date: Sun, 20 Mar 2022 12:57:42 +0100
Subject: Add helper to escape URLs.

The escaping makes the URL safe for display and for use in HTML element
attributes (such as href="..." etc), but does not guarantee that the URL
itself is valid after conversion. This should be good enough for
mitigating XSS issues caused by injecting html or javascript into a URL.
Also probably good enough for _most_ normal URLs, but there may be
devils hidden in the details somewhere.
---
 tests/unit/AntiXSSTest.php | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

(limited to 'tests')

diff --git a/tests/unit/AntiXSSTest.php b/tests/unit/AntiXSSTest.php
index b45042a1e..09642726f 100644
--- a/tests/unit/AntiXSSTest.php
+++ b/tests/unit/AntiXSSTest.php
@@ -24,6 +24,26 @@ class AntiXSSTest extends TestCase {
 		$this->assertEquals("&lt;submit type=&quot;button&quot; onclick=&quot;alert('failed!');&quot; /&gt;", $escapedString);
 	}
 
+  /**
+   * @dataProvider urlTestProvider
+   */
+  public function testEscapeURL($url, $expected) : void {
+    $this->assertEquals($expected, escape_url($url));
+  }
+
+  public function urlTestProvider() : array {
+    return [
+      [
+        "https://example.com/settings/calendar/?f=&rpath=https://example.com/cdav/calendar'><script>alert('boom')</script>",
+        "https://example.com/settings/calendar/?f=&amp;rpath=https://example.com/cdav/calendar&apos;&gt;&lt;script&gt;alert(&apos;boom&apos;)&lt;/script&gt;"
+      ],
+      [
+        "settings/calendar/?f=&rpath=https://example.com'+accesskey=x+onclick=alert(/boom/);a='",
+        "settings/calendar/?f=&amp;rpath=https://example.com&apos;+accesskey=x+onclick=alert(/boom/);a=&apos;"
+      ],
+    ];
+  }
+
 	/**
 	 *xmlify and unxmlify
 	 */
-- 
cgit v1.2.3