<?php

/**
 * @file
 * Contains Drupal\system\Tests\Theme\EntityFilteringThemeTest.
 */

namespace Drupal\system\Tests\Theme;

use Drupal\simpletest\WebTestBase;

/**
 * Tests filtering for XSS in rendered entity templates in all themes.
 */
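class EntityFilteringThemeTest extends WebTestBase {

  /**
   * Use the standard profile.
   *
   * We test entity theming with the default node, user, comment, and taxonomy
   * configurations at several paths in the standard profile.
   *
   * @var string
   */
  protected $profile = 'standard';

  /**
   * Machine names of all available themes; every one is enabled in setUp().
   *
   * @var array
   */
  protected $themes;

  /**
   * A test user whose name is set to the XSS payload.
   *
   * @var \Drupal\user\User
   */
  protected $user;

  /**
   * A test node whose title is set to the XSS payload.
   *
   * @var \Drupal\node\Node
   */
  protected $node;

  /**
   * A test taxonomy term whose name is set to the XSS payload.
   *
   * @var \Drupal\taxonomy\Term
   */
  protected $term;

  /**
   * A test comment whose subject is set to the XSS payload.
   *
   * @var \Drupal\comment\Comment
   */
  protected $comment;

  /**
   * A label containing markup and JS, used as the name/title/subject of every
   * test entity. If it ever reaches the rendered output unescaped, the theme
   * or template has an XSS hole.
   *
   * @var string
   */
  protected $xss_label = "string with <em>HTML</em> and <script>alert('JS');</script>";

  public static function getInfo() {
    return array(
      'name' => 'Entity filtering theme test',
      'description' => 'Tests themed output for each entity type in all available themes to ensure entity labels are filtered for XSS.',
      'group' => 'Theme',
    );
  }

  /**
   * Enables every available theme and creates one entity of each type
   * (user, term, node, comment) whose label is the XSS payload.
   */
  public function setUp() {
    parent::setUp();

    // Enable all available themes so each can be made the default in the test.
    $this->themes = array_keys(list_themes());
    theme_enable($this->themes);

    // Create and log in a test user, then rename it to the XSS payload.
    $this->user = $this->drupalCreateUser(array('access content', 'access user profiles'));
    $this->user->name = $this->xss_label;
    $this->user->save();
    $this->drupalLogin($this->user);

    // Create a test term named with the XSS payload.
    // NOTE(review): assumes vocabulary ID 1 exists in the standard profile
    // (presumably the 'Tags' vocabulary that field_tags references) — confirm.
    $this->term = entity_create('taxonomy_term', array(
      'name' => $this->xss_label,
      'vid' => 1,
    ));
    $this->term->save();

    // Create a promoted article titled with the XSS payload and tagged with
    // the test term, so it is rendered on the front page and the term page.
    $this->node = $this->drupalCreateNode(array(
      'title' => $this->xss_label,
      'type' => 'article',
      'promote' => NODE_PROMOTED,
      'field_tags' => array(array('tid' => $this->term->id())),
    ));

    // Create a published comment on the node with the XSS payload as subject.
    $this->comment = entity_create('comment', array(
      'nid' => $this->node->nid,
      'node_type' => $this->node->type,
      'status' => COMMENT_PUBLISHED,
      'subject' => $this->xss_label,
      'comment_body' => array($this->randomName()),
    ));
    comment_save($this->comment);
  }

  /**
   * Checks each themed entity for XSS filtering in every available theme.
   *
   * Makes each enabled theme the default in turn, fetches the paths where the
   * test user, node, comment and term are rendered, and asserts that neither
   * the raw label nor its <script> element reaches the response body.
   */
  public function testThemedEntity() {
    // Paths where various view modes of the test entities are rendered: the
    // user page, the front page (the node is promoted), the full node (with
    // its comment and tag), and the term page.
    $paths = array(
      'user',
      'node',
      'node/' . $this->node->nid,
      'taxonomy/term/' . $this->term->id(),
    );

    // The script element from the label, asserted on its own: a template that
    // alters part of the label (e.g. strips the <em>) but still emits the
    // <script> tag would otherwise slip past the whole-label check below.
    $xss_script = substr($this->xss_label, strpos($this->xss_label, '<script>'));

    // NOTE(review): there is no positive assertion that the escaped label was
    // rendered at all, so an empty 200 response would pass. assertRaw() of
    // check_plain($this->xss_label) may not hold for templates that use
    // filter_xss() instead, so that check is left as a review item.
    foreach ($this->themes as $theme) {
      config('system.theme')
        ->set('default', $theme)
        ->save();
      foreach ($paths as $path) {
        $this->drupalGet($path);
        $this->assertResponse(200, 'Path ' . $path . ' renders in theme ' . $theme . '.');
        $this->assertNoRaw($this->xss_label, 'Raw label is absent at ' . $path . ' in theme ' . $theme . '.');
        $this->assertNoRaw($xss_script, 'Raw script element is absent at ' . $path . ' in theme ' . $theme . '.');
      }
    }
  }

}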