Updates to 1.2.0 of the PSR-7 integration test suite, which adds the tests we wrote for mitigating ZF2015-05, and requires a few changes:
When creating the string representation of the URL, we DO NOT normalize the path to remove multiple leading slashes. In its absolute form, this is not necessary.
All normalization is done via getPath(); this mitigates the common XSS scenario.
It adds a test to validate that when using origin-form during a RequestInterface::getRequestTarget() call, it will use the results of getPath(), as this is a scenario where the XSS could also occur.
I have removed one test from UriTest, as it contradicts the first point above. Since the scenario is covered in the PSR-7 integration tests, we are covered.
See php-http/psr7-integration-tests#54 for more details.
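To make the split described above concrete, here is an added illustration (not the project's code, and not the PSR-7 interface itself) of the two rules: the origin-form request target is built from a normalized path, while the absolute-form string keeps the raw path because scheme and authority leave no ambiguity. `PathNormalizer`, its methods and the sample inputs are constructed for this example.

```php
<?php
// Added example, not the project's implementation. Sketches the rule the
// PR describes: normalization happens in getPath(); the absolute-form
// string built by __toString() does not touch leading slashes.
final class PathNormalizer
{
    /**
     * What a getPath() call is expected to return: any run of leading
     * slashes collapses to one, so "//evil.example/x" can no longer be read
     * as a scheme-relative reference when the path is echoed or redirected to.
     */
    public static function normalizePath(string $rawPath): string
    {
        $normalized = preg_replace('#^/+#', '/', $rawPath);
        return $normalized === null ? $rawPath : $normalized;
    }

    /** origin-form request target (RFC 7230 §5.3.1): normalized path plus query. */
    public static function originFormTarget(string $rawPath, string $query = ''): string
    {
        $target = self::normalizePath($rawPath);
        if ($target === '') {
            $target = '/';
        }
        return $query === '' ? $target : $target . '?' . $query;
    }

    /** absolute-form string: scheme and authority make extra slashes harmless, so keep them. */
    public static function absoluteForm(string $scheme, string $authority, string $rawPath, string $query = ''): string
    {
        $uri = $scheme . '://' . $authority . $rawPath;
        return $query === '' ? $uri : $uri . '?' . $query;
    }
}

// Constructed input: the ambiguous double-slash path at the heart of ZF2015-05.
$rawPath = '//evil.example/login';

// Origin-form target is derived from the normalized path.
echo PathNormalizer::originFormTarget($rawPath, 'next=1'), PHP_EOL;

// Absolute form keeps the raw path: the authority is already explicit.
echo PathNormalizer::absoluteForm('https', 'app.example', $rawPath), PHP_EOL;
```

Running the script shows the origin-form target starting with a single slash, while the absolute form still carries both slashes after the authority; that is exactly why the removed UriTest case (which expected normalization in the string form) contradicted the first point.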