Chris@0: drupalLogin($this->drupalCreateUser(['administer blocks', 'access administration pages']));
Chris@0: $this->drupalGet(Url::fromRoute('block.admin_display'));
Chris@0: $this->clickLink('Place block');
Chris@0: $this->assertNoEscaped('<');
Chris@0: }
Chris@0:
Chris@0: /**
Chris@0: * Tests XSS in title.
Chris@0: *
Chris@0: * Places the 'test_xss_title' block from the block_test module and checks
Chris@0: * that its title does not reach the page unescaped, both on the front end
Chris@0: * and on the block layout admin page for the default theme.
Chris@0: *
Chris@0: * NOTE(review): both assertNoRaw() needles below are empty strings. A
Chris@0: * containment check with an empty needle is not meaningful, so these look
Chris@0: * like markup payloads lost in extraction; confirm against the canonical
Chris@0: * test source before relying on this listing.
Chris@0: */
Chris@0: public function testXssInTitle() {
Chris@0: // The block plugin under test is provided by block_test.
Chris@0: $this->container->get('module_installer')->install(['block_test']);
Chris@0: $this->drupalPlaceBlock('test_xss_title', ['label' => '']);
Chris@0:
Chris@0: // State value presumably consumed by the test block as its body so the
Chris@0: // block actually renders on the front page -- verify in block_test.
Chris@0: \Drupal::state()->set('block_test.content', $this->randomMachineName());
Chris@0: $this->drupalGet('');
Chris@0: $this->assertNoRaw('', 'The block title was properly sanitized when rendered.');
Chris@0:
Chris@0: // The same title is listed in the admin UI; it must be escaped there too,
Chris@0: // since an administrator viewing the list is the likely XSS target.
Chris@0: $this->drupalLogin($this->drupalCreateUser(['administer blocks', 'access administration pages']));
Chris@0: $default_theme = $this->config('system.theme')->get('default');
Chris@0: $this->drupalGet('admin/structure/block/list/' . $default_theme);
Chris@0: $this->assertNoRaw("", 'The block title was properly sanitized in Block Plugin UI Admin page.');
Chris@0: }
Chris@0:
Chris@0: /**
Chris@0: * Tests XSS in category.
Chris@0: *
Chris@0: * Opens the "Place block" dialog, where plugins are grouped by category,
Chris@0: * and asserts that the test block's category markup is not emitted raw.
Chris@0: *
Chris@0: * NOTE(review): the assertNoRaw() needle below is an empty string, which
Chris@0: * makes the assertion meaningless as written; it is presumably a markup
Chris@0: * payload stripped in extraction -- confirm against the canonical source.
Chris@0: */
Chris@0: public function testXssInCategory() {
Chris@0: $this->container->get('module_installer')->install(['block_test']);
Chris@0: // No label override here; the category, not the title, is under test.
Chris@0: $this->drupalPlaceBlock('test_xss_title');
Chris@0: $this->drupalLogin($this->drupalCreateUser(['administer blocks', 'access administration pages']));
Chris@0: $this->drupalGet(Url::fromRoute('block.admin_display'));
Chris@0: $this->clickLink('Place block');
Chris@0: $this->assertNoRaw("");
Chris@0: }
Chris@0:
Chris@0: /**
Chris@0: * Tests various modules that provide blocks for XSS.
Chris@0: *
Chris@0: * Delegates to one helper per block-providing module (views, menu,
Chris@0: * block_content); each creates an entity whose label ends up as a block
Chris@0: * admin label and checks the "Place block" dialog. A final shared check
Chris@0: * guards the other direction: labels must be escaped exactly once, not
Chris@0: * double-escaped.
Chris@0: */
Chris@0: public function testBlockXss() {
Chris@0: // The helpers create config and content entities, so run as the
Chris@0: // test's root user rather than a user with specific permissions.
Chris@0: $this->drupalLogin($this->rootUser);
Chris@0:
Chris@0: $this->doViewTest();
Chris@0: $this->doMenuTest();
Chris@0: $this->doBlockContentTest();
Chris@0:
Chris@0: // NOTE(review): the needle shown here is a bare '<', which any HTML page
Chris@0: // contains; per the message it was presumably an entity-encoded form
Chris@0: // (a double-escaped "<") lost in extraction -- confirm against source.
Chris@0: $this->drupalGet(Url::fromRoute('block.admin_display'));
Chris@0: $this->clickLink('Place block');
Chris@0: $this->assertNoRaw('<', 'The page does not have double escaped HTML tags.');
Chris@0: }
Chris@0:
Chris@0: /**
Chris@0: * Tests XSS coming from View block labels.
Chris@0: *
Chris@0: * Creates two Views exposing block displays and asserts, on the "Place
Chris@0: * block" dialog, that their admin labels appear escaped and never raw.
Chris@0: *
Chris@0: * NOTE(review): several 'label' values and assertion needles below are
Chris@0: * empty strings, and some paired assertions (e.g. assertNoEscaped(':')
Chris@0: * followed by assertEscaped(':')) use identical needles, which cannot both
Chris@0: * hold. The markup payloads were presumably stripped in extraction; treat
Chris@0: * the literals as placeholders and confirm against the canonical source.
Chris@0: */
Chris@0: protected function doViewTest() {
Chris@0: // Create a View without a custom label for its block Display. The
Chris@0: // admin_label of the block then becomes just the View's label.
Chris@0: $view = View::create([
Chris@0: 'id' => $this->randomMachineName(),
Chris@0: 'label' => '',
Chris@0: ]);
Chris@0: $view->addDisplay('block');
Chris@0: $view->save();
Chris@0:
Chris@0: // Create a View with a custom label for its block Display. The
Chris@0: // admin_label of the block then becomes the View's label combined with
Chris@0: // the Display's label.
Chris@0: $view = View::create([
Chris@0: 'id' => $this->randomMachineName(),
Chris@0: 'label' => '',
Chris@0: ]);
Chris@0: // The '&' in the display label exercises entity escaping as well as tags.
Chris@0: $view->addDisplay('block', 'Fish & chips');
Chris@0: $view->save();
Chris@0:
Chris@0: $this->drupalGet(Url::fromRoute('block.admin_display'));
Chris@0: $this->clickLink('Place block');
Chris@0:
Chris@0: // \Drupal\views\Plugin\Derivative\ViewsBlock::getDerivativeDefinitions()
Chris@0: // has a different code path for an admin label based only on the View
Chris@0: // label versus one based on both the View label and the Display label.
Chris@0: // Ensure that this test is covering both code paths by asserting the
Chris@0: // absence of a ":" for the first View and the presence of a ":" for the
Chris@0: // second one. Note that the second assertion is redundant with the one
Chris@0: // further down which also checks for the Display label, but is included
Chris@0: // here for clarity.
Chris@0: // NOTE(review): as shown, both needles are ':'; the first was presumably
Chris@0: // prefixed by the (stripped) View label -- confirm against source.
Chris@0: $this->assertNoEscaped(':');
Chris@0: $this->assertEscaped(':');
Chris@0:
Chris@0: // Assert that the blocks have their admin labels escaped and
Chris@0: // don't appear anywhere unescaped.
Chris@0: $this->assertEscaped('');
Chris@0: $this->assertNoRaw('');
Chris@0: $this->assertEscaped(': Fish & chips');
Chris@0: $this->assertNoRaw('');
Chris@0: // NOTE(review): this needle reads the same as the escaped-form checks
Chris@0: // below; its tag-bearing prefix was presumably lost in extraction.
Chris@0: $this->assertNoRaw('Fish & chips');
Chris@0:
Chris@0: // Assert the Display label doesn't appear anywhere double escaped.
Chris@0: // NOTE(review): both needles are shown identical here; originally they
Chris@0: // presumably held distinct double-encoded variants of '&' -- confirm.
Chris@0: $this->assertNoRaw('Fish & chips');
Chris@0: $this->assertNoRaw('Fish & chips');
Chris@0: }
Chris@0:
Chris@0: /**
Chris@0: * Tests XSS coming from Menu block labels.
Chris@0: *
Chris@0: * Creates a menu whose label becomes a menu block's admin label and asserts
Chris@0: * on the "Place block" dialog that it is rendered escaped and never raw.
Chris@0: *
Chris@0: * NOTE(review): the menu 'label' and both assertion needles are empty
Chris@0: * strings in this listing, so the checks are vacuous as written; the
Chris@0: * markup payload was presumably stripped in extraction -- confirm against
Chris@0: * the canonical source.
Chris@0: */
Chris@0: protected function doMenuTest() {
Chris@0: Menu::create([
Chris@0: 'id' => $this->randomMachineName(),
Chris@0: 'label' => '',
Chris@0: ])->save();
Chris@0:
Chris@0: $this->drupalGet(Url::fromRoute('block.admin_display'));
Chris@0: $this->clickLink('Place block');
Chris@0:
Chris@0: // Escaped once (visible as text) and never present as raw markup.
Chris@0: $this->assertEscaped('');
Chris@0: $this->assertNoRaw('');
Chris@0: }
Chris@0:
Chris@0: /**
Chris@0: * Tests XSS coming from Block Content block info.
Chris@0: *
Chris@0: * Creates a 'basic' block content type and one custom block whose 'info'
Chris@0: * value is presumably surfaced as the block's admin label in the "Place
Chris@0: * block" dialog, then asserts it is escaped there and never emitted raw.
Chris@0: *
Chris@0: * NOTE(review): the 'info' value and both assertion needles are empty
Chris@0: * strings in this listing; the markup payload was presumably stripped in
Chris@0: * extraction -- confirm against the canonical source.
Chris@0: */
Chris@0: protected function doBlockContentTest() {
Chris@0: // A block content type is required before a BlockContent of that type
Chris@0: // can be saved.
Chris@0: BlockContentType::create([
Chris@0: 'id' => 'basic',
Chris@0: 'label' => 'basic',
Chris@0: 'revision' => TRUE,
Chris@0: ])->save();
Chris@0: BlockContent::create([
Chris@0: 'type' => 'basic',
Chris@0: 'info' => '',
Chris@0: ])->save();
Chris@0:
Chris@0: $this->drupalGet(Url::fromRoute('block.admin_display'));
Chris@0: $this->clickLink('Place block');
Chris@0:
Chris@0: // Escaped once (visible as text) and never present as raw markup.
Chris@0: $this->assertEscaped('');
Chris@0: $this->assertNoRaw('');
Chris@0: }
Chris@0:
Chris@0: }