<?php

namespace Drupal\node\Tests;

use Drupal\Component\Utility\Html;

/**
 * Create a node with dangerous tags in its title and test that they are
 * escaped.
 *
 * @group node
 */
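class NodeTitleXSSTest extends NodeTestBase {

  /**
   * Tests that a node title containing script tags is escaped everywhere.
   *
   * The same payload is checked on three pages that render the title: the
   * node preview, the node view page and the node edit form. Each check uses
   * assertNoRaw() against the page source, so it fails whenever the tags reach
   * the response unescaped, independent of how a browser would display them.
   */
  public function testNodeTitleXSS() {
    // A user who may create and edit page nodes is needed for all three
    // rendering paths exercised below.
    $web_user = $this->drupalCreateUser(['create page content', 'edit any page content']);
    $this->drupalLogin($web_user);

    // The payload must never appear verbatim in a response. The suffix from
    // randomMachineName() is presumably there to keep the title distinct from
    // any other content created by the test run.
    $xss = '<script>alert("xss")</script>';
    $title = $xss . $this->randomMachineName();

    $edit = [];
    $edit['title[0][value]'] = $title;

    // Preview path: the title is submitted through the add form before any
    // node exists.
    $this->drupalPostForm('node/add/page', $edit, t('Preview'));
    $this->assertNoRaw($xss, 'Harmful tags are escaped when previewing a node.');

    $settings = ['title' => $title];
    $node = $this->drupalCreateNode($settings);

    // View path: the <title> element must carry the escaped title, and the raw
    // payload must be absent from the source.
    $this->drupalGet('node/' . $node->id());
    $this->assertTitle(Html::escape($title) . ' | Drupal', 'Title is displayed when viewing a node.');
    $this->assertNoRaw($xss, 'Harmful tags are escaped when viewing a node.');

    // Edit path: the stored title is expected to be re-emitted in a form
    // field, which is a separate escaping context from the view page.
    $this->drupalGet('node/' . $node->id() . '/edit');
    $this->assertNoRaw($xss, 'Harmful tags are escaped when editing a node.');
  }

}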