Updated Drupal to 8.6. This goes with the following updates because it's possible...

[yaffs-website] / web / core / modules / system / src / Tests / Routing / RouterTest.php

diff --git a/web/core/modules/system/src/Tests/Routing/RouterTest.php b/web/core/modules/system/src/Tests/Routing/RouterTest.php
index 38d7ecbe04c4d7da7438fecc6846ad1b8fc05ed5..8d7c43e86a883a2b06167a3a9d27dacb615ce771 100644 (file)
--- a/web/core/modules/system/src/Tests/Routing/RouterTest.php
+++ b/web/core/modules/system/src/Tests/Routing/RouterTest.php
@@ -53,7 +53,6 @@ class RouterTest extends WebTestBase {
     // a page inception style.  This test verifies that is not happening.
     $this->assertNoPattern('#</body>.*</body>#s', 'There was no double-page effect from a misrendered subrequest.');
 
-
     // Confirm that route-level access check's cacheability is applied to the
     // X-Drupal-Cache-Contexts and X-Drupal-Cache-Tags headers.
     // 1. controller result: render array, globally cacheable route access.
@@ -321,6 +320,13 @@ class RouterTest extends WebTestBase {
     $this->drupalGet($url);
     $this->assertEqual(1, $this->redirectCount, $url . " redirected to " . $this->url);
     $this->assertUrl($request->getUriForPath('/router_test/test1') . '?qs=test');
+
+    // Ensure that external URLs in destination query params are not redirected
+    // to.
+    $url = $request->getUriForPath('/////////////////////////////////////////////////router_test/test1') . '?qs=test&destination=http://www.example.com%5c@drupal8alt.test';
+    $this->drupalGet($url);
+    $this->assertEqual(1, $this->redirectCount, $url . " redirected to " . $this->url);
+    $this->assertUrl($request->getUriForPath('/router_test/test1') . '?qs=test');
   }
 
 }