|
Chris@0
|
1 <?php
|
|
Chris@0
|
2
|
|
Chris@0
|
3 namespace Drupal\Tests\node\Functional;
|
|
Chris@0
|
4
|
|
Chris@0
|
5 use Drupal\Component\Utility\Html;
|
|
Chris@0
|
6
|
|
Chris@0
|
7 /**
|
|
Chris@0
|
8 * Create a node with dangerous tags in its title and test that they are
|
|
Chris@0
|
9 * escaped.
|
|
Chris@0
|
10 *
|
|
Chris@0
|
11 * @group node
|
|
Chris@0
|
12 */
|
|
Chris@0
|
13 class NodeTitleXSSTest extends NodeTestBase {
|
|
Chris@0
|
14
|
|
Chris@0
|
15 /**
|
|
Chris@0
|
16 * Tests XSS functionality with a node entity.
|
|
Chris@0
|
17 */
|
|
Chris@0
|
18 public function testNodeTitleXSS() {
|
|
Chris@0
|
19 // Prepare a user to do the stuff.
|
|
Chris@0
|
20 $web_user = $this->drupalCreateUser(['create page content', 'edit any page content']);
|
|
Chris@0
|
21 $this->drupalLogin($web_user);
|
|
Chris@0
|
22
|
|
Chris@0
|
23 $xss = '<script>alert("xss")</script>';
|
|
Chris@0
|
24 $title = $xss . $this->randomMachineName();
|
|
Chris@0
|
25 $edit = [];
|
|
Chris@0
|
26 $edit['title[0][value]'] = $title;
|
|
Chris@0
|
27
|
|
Chris@0
|
28 $this->drupalPostForm('node/add/page', $edit, t('Preview'));
|
|
Chris@0
|
29 $this->assertNoRaw($xss, 'Harmful tags are escaped when previewing a node.');
|
|
Chris@0
|
30
|
|
Chris@0
|
31 $settings = ['title' => $title];
|
|
Chris@0
|
32 $node = $this->drupalCreateNode($settings);
|
|
Chris@0
|
33
|
|
Chris@0
|
34 $this->drupalGet('node/' . $node->id());
|
|
Chris@0
|
35 // Titles should be escaped.
|
|
Chris@0
|
36 $this->assertRaw('<title>' . Html::escape($title) . ' | Drupal</title>', 'Title is displayed when viewing a node.');
|
|
Chris@0
|
37 $this->assertNoRaw($xss, 'Harmful tags are escaped when viewing a node.');
|
|
Chris@0
|
38
|
|
Chris@0
|
39 $this->drupalGet('node/' . $node->id() . '/edit');
|
|
Chris@0
|
40 $this->assertNoRaw($xss, 'Harmful tags are escaped when editing a node.');
|
|
Chris@0
|
41 }
|
|
Chris@0
|
42
|
|
Chris@0
|
43 }
|
