[ticket/security/211] Make sure website URL only uses http & https schemes

SECURITY-211
author: Marc Alexander <admin@m-a-styles.de> 2017-07-22 17:26:41 +0200
committer: Marc Alexander <admin@m-a-styles.de> 2017-07-22 17:38:04 +0200
commit: 882a3c383103802c491404032c5d267e4f5271a0 (patch)
tree: 75267473a962e822fb7c4daf0d98e2b799782ea2 /tests/profilefields
parent: Merge pull request #4872 from Nicofuma/ticket/15285 (diff)
download: phpbb-882a3c383103802c491404032c5d267e4f5271a0.tar.gz
phpbb-882a3c383103802c491404032c5d267e4f5271a0.tar.bz2
phpbb-882a3c383103802c491404032c5d267e4f5271a0.zip
1 files changed, 13 insertions, 0 deletions
diff --git a/tests/profilefields/type_url_test.php b/tests/profilefields/type_url_test.php
index cc37f04f30..aaba227348 100644
--- a/tests/profilefields/type_url_test.php
+++ b/tests/profilefields/type_url_test.php
@@ -89,6 +89,19 @@ class phpbb_profilefield_type_url_test extends phpbb_test_case
 				'FIELD_INVALID_URL-field',
 				'Field should reject invalid URL having multi value parameters',
 			),
+			// Not allowed schemes
+			array(
+				'ftp://example.com/',
+				array(),
+				'FIELD_INVALID_URL-field',
+				'Field should reject invalid URL having multi value parameters',
+			),
+			array(
+				'javascript://alert.com',
+				array(),
+				'FIELD_INVALID_URL-field',
+				'Field should reject invalid URL having multi value parameters',
+			),
 
 			// IDN url type profilefields
 			array(
author	Marc Alexander <admin@m-a-styles.de>	2017-07-22 17:26:41 +0200
committer	Marc Alexander <admin@m-a-styles.de>	2017-07-22 17:38:04 +0200
commit	882a3c383103802c491404032c5d267e4f5271a0 (patch)
tree	75267473a962e822fb7c4daf0d98e2b799782ea2 /tests/profilefields
parent	Merge pull request #4872 from Nicofuma/ticket/15285 (diff)
download	phpbb-882a3c383103802c491404032c5d267e4f5271a0.tar.gz phpbb-882a3c383103802c491404032c5d267e4f5271a0.tar.bz2 phpbb-882a3c383103802c491404032c5d267e4f5271a0.zip