Chris@0: <?php
Chris@0: 
Chris@0: namespace Drupal\Tests\node\Functional;
Chris@0: 
Chris@0: use Drupal\Component\Utility\Html;
Chris@0: 
Chris@0: /**
Chris@0:  * Create a node with dangerous tags in its title and test that they are
Chris@0:  * escaped.
Chris@0:  *
Chris@0:  * @group node
Chris@0:  */
Chris@0: class NodeTitleXSSTest extends NodeTestBase {
Chris@0: 
Chris@0:   /**
Chris@0:    * Tests XSS functionality with a node entity.
Chris@0:    */
Chris@0:   public function testNodeTitleXSS() {
Chris@0:     // Prepare a user to do the stuff.
Chris@0:     $web_user = $this->drupalCreateUser(['create page content', 'edit any page content']);
Chris@0:     $this->drupalLogin($web_user);
Chris@0: 
Chris@0:     $xss = '<script>alert("xss")</script>';
Chris@0:     $title = $xss . $this->randomMachineName();
Chris@0:     $edit = [];
Chris@0:     $edit['title[0][value]'] = $title;
Chris@0: 
Chris@0:     $this->drupalPostForm('node/add/page', $edit, t('Preview'));
Chris@0:     $this->assertNoRaw($xss, 'Harmful tags are escaped when previewing a node.');
Chris@0: 
Chris@0:     $settings = ['title' => $title];
Chris@0:     $node = $this->drupalCreateNode($settings);
Chris@0: 
Chris@0:     $this->drupalGet('node/' . $node->id());
Chris@0:     // Titles should be escaped.
Chris@0:     $this->assertRaw('<title>' . Html::escape($title) . ' | Drupal</title>', 'Title is displayed when viewing a node.');
Chris@0:     $this->assertNoRaw($xss, 'Harmful tags are escaped when viewing a node.');
Chris@0: 
Chris@0:     $this->drupalGet('node/' . $node->id() . '/edit');
Chris@0:     $this->assertNoRaw($xss, 'Harmful tags are escaped when editing a node.');
Chris@0:   }
Chris@0: 
Chris@0: }