From 15fa2d85926f08228141f5b78cc5166b6d795c05 Mon Sep 17 00:00:00 2001
From: catch <6915-catch@users.noreply.drupalcode.org>
Date: Mon, 3 Mar 2025 08:51:52 +0000
Subject: [PATCH] Issue #3509244 by berdir: Remove TestXSSTitleBlock, update
 block XSS tests

---
 .../src/Plugin/Block/TestXSSTitleBlock.php    | 16 -------------
 .../tests/src/Functional/BlockUiTest.php      |  6 ++---
 .../tests/src/Functional/BlockXssTest.php     | 24 +++++--------------
 3 files changed, 9 insertions(+), 37 deletions(-)
 delete mode 100644 core/modules/block/tests/modules/block_test/src/Plugin/Block/TestXSSTitleBlock.php

diff --git a/core/modules/block/tests/modules/block_test/src/Plugin/Block/TestXSSTitleBlock.php b/core/modules/block/tests/modules/block_test/src/Plugin/Block/TestXSSTitleBlock.php
deleted file mode 100644
index 9e9d02dd3dca..000000000000
--- a/core/modules/block/tests/modules/block_test/src/Plugin/Block/TestXSSTitleBlock.php
+++ /dev/null
@@ -1,16 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace Drupal\block_test\Plugin\Block;
-
-/**
- * Provides a block to test XSS in title.
- *
- * @Block(
- *   id = "test_xss_title",
- *   admin_label = "<script>alert('XSS subject');</script>"
- * )
- */
-class TestXSSTitleBlock extends TestCacheBlock {
-}
diff --git a/core/modules/block/tests/src/Functional/BlockUiTest.php b/core/modules/block/tests/src/Functional/BlockUiTest.php
index 920bec6c874e..55f103a01168 100644
--- a/core/modules/block/tests/src/Functional/BlockUiTest.php
+++ b/core/modules/block/tests/src/Functional/BlockUiTest.php
@@ -335,12 +335,12 @@ public function testBlockPlacementIndicator(): void {
     // block placement indicator. Click the first 'Place block' link to bring up
     // the list of blocks to place in the first available region.
     $this->clickLink('Place block');
-    // Select the first available block, which is the 'test_xss_title' plugin,
-    // with a default machine name 'scriptalertxsssubjectscript' that is used
+    // Select the first available block, which is the 'test_block_instantiation'
+    // plugin, with a default machine name 'stark-displaymessage' that is used
     // for the 'block-placement' querystring parameter.
     $this->clickLink('Place block');
     $this->submitForm([], 'Save block');
-    $this->assertSession()->addressEquals('admin/structure/block/list/stark?block-placement=stark-scriptalertxsssubjectscript');
+    $this->assertSession()->addressEquals('admin/structure/block/list/stark?block-placement=stark-displaymessage');
 
     // Removing a block will remove the block placement indicator.
     $this->clickLink('Remove');
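Review bot: The `addressEquals` assertion still depends on whichever plugin is listed first in the 'Place block' dialog, and this commit shows how brittle that is: deleting an unrelated test plugin changed the expected query string. The updated comment should state that dependency, for example `// The expected value depends on list order; a plugin listed before 'test_block_instantiation' will change it.` The comment also now calls 'stark-displaymessage' the machine name, whereas the previous wording gave the name without the 'stark-' prefix, so it is worth confirming which form is meant. testBlockPlacementIndicator starts and ends outside this hunk.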
diff --git a/core/modules/block/tests/src/Functional/BlockXssTest.php b/core/modules/block/tests/src/Functional/BlockXssTest.php
index 1bd50dfa3736..9542fd4210c4 100644
--- a/core/modules/block/tests/src/Functional/BlockXssTest.php
+++ b/core/modules/block/tests/src/Functional/BlockXssTest.php
@@ -45,12 +45,14 @@ public function testNoUnexpectedEscaping(): void {
    * Tests XSS in title.
    */
   public function testXssInTitle(): void {
-    $this->container->get('module_installer')->install(['block_test']);
-    $this->drupalPlaceBlock('test_xss_title', ['label' => '<script>alert("XSS label");</script>']);
+    $this->drupalPlaceBlock('system_powered_by_block', [
+      'label' => '<script>alert("XSS label");</script>',
+      'label_display' => 'visible',
+    ]);
 
-    \Drupal::keyValue('block_test')->set('content', $this->randomMachineName());
     $this->drupalGet('');
     // Check that the block title was properly sanitized when rendered.
+    $this->assertSession()->assertEscaped('<script>alert("XSS label");</script>');
     $this->assertSession()->responseNotContains('<script>alert("XSS label");</script>');
 
     $this->drupalLogin($this->drupalCreateUser([
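Review bot: The payload `<script>alert("XSS label");</script>` is written out three times in this hunk (the `label` setting, `assertEscaped` and `responseNotContains`) and once more in the next hunk, so a typo in one copy would silently weaken the check. Assigning it once, `$label = '<script>alert("XSS label");</script>';`, and passing `$label` to `drupalPlaceBlock()` and to each assertion keeps the positive and negative checks tied to the same string. testXssInTitle continues past the end of this hunk.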
@@ -61,24 +63,10 @@ public function testXssInTitle(): void {
     $this->drupalGet('admin/structure/block/list/' . $default_theme);
     // Check that the block title was properly sanitized in Block Plugin UI
     // Admin page.
+    $this->assertSession()->assertEscaped('<script>alert("XSS label");</script>');
     $this->assertSession()->responseNotContains("<script>alert('XSS subject');</script>");
   }
 
-  /**
-   * Tests XSS in category.
-   */
-  public function testXssInCategory(): void {
-    $this->container->get('module_installer')->install(['block_test']);
-    $this->drupalPlaceBlock('test_xss_title');
-    $this->drupalLogin($this->drupalCreateUser([
-      'administer blocks',
-      'access administration pages',
-    ]));
-    $this->drupalGet(Url::fromRoute('block.admin_display'));
-    $this->clickLink('Place block');
-    $this->assertSession()->responseNotContains("<script>alert('XSS category');</script>");
-  }
-
   /**
    * Tests various modules that provide blocks for XSS.
    */
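Review bot: The unchanged `responseNotContains("<script>alert('XSS subject');</script>")` after the new `assertEscaped` can no longer fail, because that string was the `admin_label` of TestXSSTitleBlock, which this commit deletes, and the block placed now carries the "XSS label" payload. The negative check on the admin listing should use the label payload instead: `$this->assertSession()->responseNotContains('<script>alert("XSS label");</script>');`. Separately, the deleted plugin was the only visible case where the script payload came from a plugin definition rather than from block configuration. If the test that follows does not cover escaping of a plugin's `admin_label` in the block UI, that path is now unexercised and deserves a replacement case. testXssInTitle begins in the previous hunk.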
-- 
GitLab