Mercurial > hg > isophonics-drupal-site

annotate core/modules/node/tests/src/Functional/NodeTitleXSSTest.php @ 0:4c8ae668cc8c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Initial import (non-working)
author Chris Cannam
date Wed, 29 Nov 2017 16:09:58 +0000
parents
children
rev   line source
Chris@0 1 <?php
Chris@0 2
Chris@0 3 namespace Drupal\Tests\node\Functional;
Chris@0 4
Chris@0 5 use Drupal\Component\Utility\Html;
Chris@0 6
Chris@0 7 /**
Chris@0 8 * Create a node with dangerous tags in its title and test that they are
Chris@0 9 * escaped.
Chris@0 10 *
Chris@0 11 * @group node
Chris@0 12 */
Chris@0 13 class NodeTitleXSSTest extends NodeTestBase {
Chris@0 14
Chris@0 15 /**
Chris@0 16 * Tests XSS functionality with a node entity.
Chris@0 17 */
Chris@0 18 public function testNodeTitleXSS() {
Chris@0 19 // Prepare a user to do the stuff.
Chris@0 20 $web_user = $this->drupalCreateUser(['create page content', 'edit any page content']);
Chris@0 21 $this->drupalLogin($web_user);
Chris@0 22
Chris@0 23 $xss = '<script>alert("xss")</script>';
Chris@0 24 $title = $xss . $this->randomMachineName();
Chris@0 25 $edit = [];
Chris@0 26 $edit['title[0][value]'] = $title;
Chris@0 27
Chris@0 28 $this->drupalPostForm('node/add/page', $edit, t('Preview'));
Chris@0 29 $this->assertNoRaw($xss, 'Harmful tags are escaped when previewing a node.');
Chris@0 30
Chris@0 31 $settings = ['title' => $title];
Chris@0 32 $node = $this->drupalCreateNode($settings);
Chris@0 33
Chris@0 34 $this->drupalGet('node/' . $node->id());
Chris@0 35 // Titles should be escaped.
Chris@0 36 $this->assertRaw('<title>' . Html::escape($title) . ' | Drupal</title>', 'Title is displayed when viewing a node.');
Chris@0 37 $this->assertNoRaw($xss, 'Harmful tags are escaped when viewing a node.');
Chris@0 38
Chris@0 39 $this->drupalGet('node/' . $node->id() . '/edit');
Chris@0 40 $this->assertNoRaw($xss, 'Harmful tags are escaped when editing a node.');
Chris@0 41 }
Chris@0 42
Chris@0 43 }