Chris@0: assertTrue($result);
Chris@0:
Chris@0: // Check a translatable string which includes trustable HTML.
Chris@0: $string = 'Hello world!';
Chris@0: $result = locale_string_is_safe($string);
Chris@0: $this->assertTrue($result);
Chris@0:
Chris@0: // Check an untranslatable string which includes untrustable HTML (according
Chris@0: // to the locale_string_is_safe() function definition).
Chris@0: $string = 'Hello
!';
Chris@0: $result = locale_string_is_safe($string);
Chris@0: $this->assertFalse($result);
Chris@0:
Chris@0: // Check a translatable string which includes a token in an href attribute.
Chris@0: $string = 'Hi user';
Chris@0: $result = locale_string_is_safe($string);
Chris@0: $this->assertTrue($result);
Chris@0: }
Chris@0:
Chris@0: /**
Chris@0: * Tests if a translated and tokenized string is properly escaped by Twig.
Chris@0: *
Chris@0: * Each fixture is pushed through the 'locale_test_tokenized' template three
Chris@0: * times: as a raw string (Twig must escape it), after t() has marked it safe
Chris@0: * (it must pass through unchanged), and after token replacement (the result
Chris@0: * is a plain string again, so Twig must escape it once more). The last step
Chris@0: * is the security-relevant one: markup injected through a token must not
Chris@0: * inherit the safe marking that t() gave the template string.
Chris@0: *
Chris@0: * In each assert* call we add a new line at the expected result to match the
Chris@0: * newline at the end of the template file.
Chris@0: *
Chris@0: * NOTE(review): the literals in $tests_to_do look damaged in this rendering
Chris@0: * of the file: the 'replaced' values contain unescaped single quotes inside
Chris@0: * single-quoted strings (a parse error as written, and the expected output
Chris@0: * of an escaping test should be entity-encoded, not raw markup), and fixture
Chris@0: * 1 carries no [locale_test:...] token in 'original' although the loop below
Chris@0: * relies on token replacement changing the string. Compare against the
Chris@0: * canonical source before trusting the exact expected values here.
Chris@0: */
Chris@0: public function testLocalizedTokenizedString() {
Chris@0: // Fixtures: the translatable source string (carrying a [locale_test:...]
Chris@0: // token) and the output expected once the token has been replaced with
Chris@0: // dangerous markup and the whole string escaped by Twig. The integer keys
Chris@0: // only number the assertion messages.
Chris@0: // @see locale_test_tokens()
Chris@0: $tests_to_do = [
Chris@0: 1 => [
Chris@0: 'original' => 'Go to the frontpage',
Chris@0: 'replaced' => 'Go to the <a href="javascript:alert('Mooooh!');">frontpage</a>',
Chris@0: ],
Chris@0: 2 => [
Chris@0: 'original' => 'Hello [locale_test:security_test2]!',
Chris@0: 'replaced' => 'Hello <strong><script>alert('Mooooh!');</script></strong>!',
Chris@0: ],
Chris@0: ];
Chris@0:
Chris@0: foreach ($tests_to_do as $i => $test) {
Chris@0: $original_string = $test['original'];
Chris@0: $rendered_original_string = \Drupal::theme()->render('locale_test_tokenized', ['content' => $original_string]);
Chris@0: // Step 1: a plain PHP string carries no safe marking, so Twig autoescapes
Chris@0: // it and the rendered output must differ from the input.
Chris@0: $this->assertNotEqual(
Chris@0: $rendered_original_string,
Chris@0: $original_string . "\n",
Chris@0: 'Security test ' . $i . ' before translation'
Chris@0: );
Chris@0:
Chris@0: // Step 2: pass the original string through t() so it is marked as safe.
Chris@0: $safe_string = t($original_string);
Chris@0: $rendered_safe_string = \Drupal::theme()->render('locale_test_tokenized', ['content' => $safe_string]);
Chris@0: // t() output is marked safe, so Twig renders it without escaping and the
Chris@0: // result must equal the original (plus the template's trailing newline).
Chris@0: // NOTE(review): assertEqual is presumably the legacy loose-comparison
Chris@0: // helper; an identity assertion would be stricter here — confirm against
Chris@0: // the test base class.
Chris@0: $this->assertEqual(
Chris@0: $rendered_safe_string,
Chris@0: $original_string . "\n",
Chris@0: 'Security test ' . $i . ' after translation before token replacement'
Chris@0: );
Chris@0:
Chris@0: // Step 3: replace the token in the safe string with dangerous content.
Chris@0: // @see locale_test_tokens().
Chris@0: $unsafe_string = \Drupal::token()->replace($safe_string);
Chris@0: $rendered_unsafe_string = \Drupal::theme()->render('locale_test_tokenized', ['content' => $unsafe_string]);
Chris@0: // Token replacement changes the string so it is not marked as safe
Chris@0: // anymore; Twig must therefore escape the injected markup, and the output
Chris@0: // must match the pre-computed escaped form. If this assertion passed with
Chris@0: // raw markup in 'replaced', the safe marking would be leaking through
Chris@0: // token replacement.
Chris@0: $this->assertEqual(
Chris@0: $rendered_unsafe_string,
Chris@0: $test['replaced'] . "\n",
Chris@0: 'Security test ' . $i . ' after translation after token replacement'
Chris@0: );
Chris@0: }
Chris@0: }
Chris@0:
Chris@0: }