Mercurial > hg > isophonics-drupal-site

comparison core/modules/locale/tests/src/Kernel/LocaleStringIsSafeTest.php @ 0:4c8ae668cc8c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Initial import (non-working)
author Chris Cannam
date Wed, 29 Nov 2017 16:09:58 +0000
parents
children
comparison
equal deleted inserted replaced
-1:000000000000 0:4c8ae668cc8c
1 <?php
2
3 namespace Drupal\Tests\locale\Kernel;
4
5 use Drupal\KernelTests\KernelTestBase;
6
7 /**
8 * Tests locale translation safe string handling.
9 *
10 * @group locale
11 */
12 class LocaleStringIsSafeTest extends KernelTestBase {
13
14 /**
15 * Modules to enable.
16 *
17 * @var array
18 */
19 public static $modules = ['locale', 'locale_test'];
20
21 /**
22 * Tests for locale_string_is_safe().
23 */
24 public function testLocaleStringIsSafe() {
25 // Check a translatable string without HTML.
26 $string = 'Hello world!';
27 $result = locale_string_is_safe($string);
28 $this->assertTrue($result);
29
30 // Check a translatable string which includes trustable HTML.
31 $string = 'Hello <strong>world</strong>!';
32 $result = locale_string_is_safe($string);
33 $this->assertTrue($result);
34
35 // Check an untranslatable string which includes untrustable HTML (according
36 // to the locale_string_is_safe() function definition).
37 $string = 'Hello <img src="world.png" alt="world" />!';
38 $result = locale_string_is_safe($string);
39 $this->assertFalse($result);
40
41 // Check a translatable string which includes a token in an href attribute.
42 $string = 'Hi <a href="[current-user:url]">user</a>';
43 $result = locale_string_is_safe($string);
44 $this->assertTrue($result);
45 }
46
47 /**
48 * Tests if a translated and tokenized string is properly escaped by Twig.
49 *
50 * In each assert* call we add a new line at the expected result to match the
51 * newline at the end of the template file.
52 */
53 public function testLocalizedTokenizedString() {
54 $tests_to_do = [
55 1 => [
56 'original' => 'Go to the <a href="[locale_test:security_test1]">frontpage</a>',
57 'replaced' => 'Go to the &lt;a href=&quot;javascript:alert(&amp;#039;Mooooh!&amp;#039;);&quot;&gt;frontpage&lt;/a&gt;',
58 ],
59 2 => [
60 'original' => 'Hello <strong>[locale_test:security_test2]</strong>!',
61 'replaced' => 'Hello &lt;strong&gt;&amp;lt;script&amp;gt;alert(&amp;#039;Mooooh!&amp;#039;);&amp;lt;/script&amp;gt;&lt;/strong&gt;!',
62 ],
63 ];
64
65 foreach ($tests_to_do as $i => $test) {
66 $original_string = $test['original'];
67 $rendered_original_string = \Drupal::theme()->render('locale_test_tokenized', ['content' => $original_string]);
68 // Twig assumes that strings are unsafe so it escapes them, and so the
69 // original and the rendered version should be different.
70 $this->assertNotEqual(
71 $rendered_original_string,
72 $original_string . "\n",
73 'Security test ' . $i . ' before translation'
74 );
75
76 // Pass the original string to the t() function to get it marked as safe.
77 $safe_string = t($original_string);
78 $rendered_safe_string = \Drupal::theme()->render('locale_test_tokenized', ['content' => $safe_string]);
79 // t() function always marks the string as safe so it won't be escaped,
80 // and should be the same as the original.
81 $this->assertEqual(
82 $rendered_safe_string,
83 $original_string . "\n",
84 'Security test ' . $i . ' after translation before token replacement'
85 );
86
87 // Replace tokens in the safe string to inject it with dangerous content.
88 // @see locale_test_tokens().
89 $unsafe_string = \Drupal::token()->replace($safe_string);
90 $rendered_unsafe_string = \Drupal::theme()->render('locale_test_tokenized', ['content' => $unsafe_string]);
91 // Token replacement changes the string so it is not marked as safe
92 // anymore. Check it is escaped the way we expect.
93 $this->assertEqual(
94 $rendered_unsafe_string,
95 $test['replaced'] . "\n",
96 'Security test ' . $i . ' after translation after token replacement'
97 );
98 }
99 }
100
101 }