Unverified Commit ec23e1c8 authored by alexpott's avatar alexpott

Issue #3142752 by sja112, mondrake, xjm, longwave:...

Issue #3142752 by sja112, mondrake, xjm, longwave: AssertLegacyTrait::assert(No)Escaped() in functional tests still have a message passed in

(cherry picked from commit 073679e7)
parent ad66016a
...@@ -320,7 +320,7 @@ public function testFilterAdmin() { ...@@ -320,7 +320,7 @@ public function testFilterAdmin() {
$edit['body[0][format]'] = $plain; $edit['body[0][format]'] = $plain;
$this->drupalPostForm('node/' . $node->id() . '/edit', $edit, t('Save')); $this->drupalPostForm('node/' . $node->id() . '/edit', $edit, t('Save'));
$this->drupalGet('node/' . $node->id()); $this->drupalGet('node/' . $node->id());
$this->assertEscaped($text, 'The "Plain text" text format escapes all HTML tags.'); $this->assertEscaped($text);
$this->config('filter.settings') $this->config('filter.settings')
->set('always_show_fallback_choice', FALSE) ->set('always_show_fallback_choice', FALSE)
->save(); ->save();
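Review bot: Dropping the message argument on the `assertEscaped($text)` call also drops the only statement of what the check is for, and no comment replaces it here as one does in the breadcrumb, date-format and Views hunks. A line such as `// The "Plain text" text format escapes all HTML tags.` above the call would keep that intent. The same applies to the `assertEscaped()` calls in both testPagePreview() hunks and in testTermBreadcrumbs(), and to the `assertNoEscaped()` call in testSearchResultsComment(). testFilterAdmin() starts and ends outside this hunk.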
......
...@@ -547,7 +547,7 @@ public function testForumWithNewPost() { ...@@ -547,7 +547,7 @@ public function testForumWithNewPost() {
$this->assertSession()->statusCodeEquals(200); $this->assertSession()->statusCodeEquals(200);
// Verify there is no unintentional HTML tag escaping. // Verify there is no unintentional HTML tag escaping.
$this->assertNoEscaped('<', ''); $this->assertNoEscaped('<');
} }
/** /**
......
...@@ -137,10 +137,10 @@ protected function verifyHelp($response = 200) { ...@@ -137,10 +137,10 @@ protected function verifyHelp($response = 200) {
foreach ($admin_tasks as $task) { foreach ($admin_tasks as $task) {
$this->assertLink($task['title']); $this->assertLink($task['title']);
// Ensure there are no double escaped '&' or '<' characters. // Ensure there are no double escaped '&' or '<' characters.
$this->assertNoEscaped('&amp;', 'The help text does not have double escaped &amp;.'); $this->assertNoEscaped('&amp;');
$this->assertNoEscaped('&lt;', 'The help text does not have double escaped &lt;.'); $this->assertNoEscaped('&lt;');
// Ensure there are no escaped '<' characters. // Ensure there are no escaped '<' characters.
$this->assertNoEscaped('<', 'The help text does not have single escaped &lt;.'); $this->assertNoEscaped('<');
} }
// Ensure there are no double escaped '&' or '<' characters. // Ensure there are no double escaped '&' or '<' characters.
$this->assertNoEscaped('&amp;'); $this->assertNoEscaped('&amp;');
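Review bot: The three `assertNoEscaped()` calls inside the `foreach ($admin_tasks as $task)` loop do not use `$task`, and no request is made inside the loop, so every iteration re-checks the same response. The check for `'&amp;'` is then repeated right after the loop. Keeping only `$this->assertLink($task['title']);` in the loop and running the three escaping checks once after it would say the same thing more clearly. verifyHelp() continues outside the hunk, so whether the `'&lt;'` and `'<'` checks already follow below is not visible here.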
......
...@@ -200,7 +200,7 @@ public function testPagePreview() { ...@@ -200,7 +200,7 @@ public function testPagePreview() {
// Check that the preview is displaying the title, body and term. // Check that the preview is displaying the title, body and term.
$expected_title = $edit[$title_key] . ' | Drupal'; $expected_title = $edit[$title_key] . ' | Drupal';
$this->assertSession()->titleEquals($expected_title); $this->assertSession()->titleEquals($expected_title);
$this->assertEscaped($edit[$title_key], 'Title displayed and escaped.'); $this->assertEscaped($edit[$title_key]);
$this->assertText($edit[$body_key], 'Body displayed.'); $this->assertText($edit[$body_key], 'Body displayed.');
$this->assertText($edit[$term_key], 'Term displayed.'); $this->assertText($edit[$term_key], 'Term displayed.');
$this->assertLink(t('Back to content editing')); $this->assertLink(t('Back to content editing'));
...@@ -240,7 +240,7 @@ public function testPagePreview() { ...@@ -240,7 +240,7 @@ public function testPagePreview() {
// Return to page preview to check everything is as expected. // Return to page preview to check everything is as expected.
$this->drupalPostForm(NULL, [], t('Preview')); $this->drupalPostForm(NULL, [], t('Preview'));
$this->assertSession()->titleEquals($expected_title); $this->assertSession()->titleEquals($expected_title);
$this->assertEscaped($edit[$title_key], 'Title displayed and escaped.'); $this->assertEscaped($edit[$title_key]);
$this->assertText($edit[$body_key], 'Body displayed.'); $this->assertText($edit[$body_key], 'Body displayed.');
$this->assertText($edit[$term_key], 'Term displayed.'); $this->assertText($edit[$term_key], 'Term displayed.');
$this->assertLink(t('Back to content editing')); $this->assertLink(t('Back to content editing'));
......
...@@ -173,7 +173,7 @@ public function testSearchResultsComment() { ...@@ -173,7 +173,7 @@ public function testSearchResultsComment() {
// Verify that comment is rendered using proper format. // Verify that comment is rendered using proper format.
$this->assertText($comment_body, 'Comment body text found in search results.'); $this->assertText($comment_body, 'Comment body text found in search results.');
$this->assertNoRaw(t('n/a'), 'HTML in comment body is not hidden.'); $this->assertNoRaw(t('n/a'), 'HTML in comment body is not hidden.');
$this->assertNoEscaped($edit_comment['comment_body[0][value]'], 'HTML in comment body is not escaped.'); $this->assertNoEscaped($edit_comment['comment_body[0][value]']);
// Search for the evil script comment subject. // Search for the evil script comment subject.
$edit = [ $edit = [
......
...@@ -54,14 +54,17 @@ public function testBatchForm() { ...@@ -54,14 +54,17 @@ public function testBatchForm() {
// Batch 0: no operation. // Batch 0: no operation.
$edit = ['batch' => 'batch_0']; $edit = ['batch' => 'batch_0'];
$this->drupalPostForm('batch-test', $edit, 'Submit'); $this->drupalPostForm('batch-test', $edit, 'Submit');
$this->assertNoEscaped('<', 'No escaped markup is present.'); // If there is any escaped markup it will include at least an escaped '<'
// character, so assert on each page that there is no escaped '<' as a way
// of verifying that no markup is incorrectly escaped.
$this->assertNoEscaped('<');
$this->assertBatchMessages($this->_resultMessages('batch_0'), 'Batch with no operation performed successfully.'); $this->assertBatchMessages($this->_resultMessages('batch_0'), 'Batch with no operation performed successfully.');
$this->assertText('Redirection successful.', 'Redirection after batch execution is correct.'); $this->assertText('Redirection successful.', 'Redirection after batch execution is correct.');
// Batch 1: several simple operations. // Batch 1: several simple operations.
$edit = ['batch' => 'batch_1']; $edit = ['batch' => 'batch_1'];
$this->drupalPostForm('batch-test', $edit, 'Submit'); $this->drupalPostForm('batch-test', $edit, 'Submit');
$this->assertNoEscaped('<', 'No escaped markup is present.'); $this->assertNoEscaped('<');
$this->assertBatchMessages($this->_resultMessages('batch_1'), 'Batch with simple operations performed successfully.'); $this->assertBatchMessages($this->_resultMessages('batch_1'), 'Batch with simple operations performed successfully.');
$this->assertEqual(batch_test_stack(), $this->_resultStack('batch_1'), 'Execution order was correct.'); $this->assertEqual(batch_test_stack(), $this->_resultStack('batch_1'), 'Execution order was correct.');
$this->assertText('Redirection successful.', 'Redirection after batch execution is correct.'); $this->assertText('Redirection successful.', 'Redirection after batch execution is correct.');
...@@ -69,7 +72,7 @@ public function testBatchForm() { ...@@ -69,7 +72,7 @@ public function testBatchForm() {
// Batch 2: one multistep operation. // Batch 2: one multistep operation.
$edit = ['batch' => 'batch_2']; $edit = ['batch' => 'batch_2'];
$this->drupalPostForm('batch-test', $edit, 'Submit'); $this->drupalPostForm('batch-test', $edit, 'Submit');
$this->assertNoEscaped('<', 'No escaped markup is present.'); $this->assertNoEscaped('<');
$this->assertBatchMessages($this->_resultMessages('batch_2'), 'Batch with multistep operation performed successfully.'); $this->assertBatchMessages($this->_resultMessages('batch_2'), 'Batch with multistep operation performed successfully.');
$this->assertEqual(batch_test_stack(), $this->_resultStack('batch_2'), 'Execution order was correct.'); $this->assertEqual(batch_test_stack(), $this->_resultStack('batch_2'), 'Execution order was correct.');
$this->assertText('Redirection successful.', 'Redirection after batch execution is correct.'); $this->assertText('Redirection successful.', 'Redirection after batch execution is correct.');
...@@ -77,7 +80,7 @@ public function testBatchForm() { ...@@ -77,7 +80,7 @@ public function testBatchForm() {
// Batch 3: simple + multistep combined. // Batch 3: simple + multistep combined.
$edit = ['batch' => 'batch_3']; $edit = ['batch' => 'batch_3'];
$this->drupalPostForm('batch-test', $edit, 'Submit'); $this->drupalPostForm('batch-test', $edit, 'Submit');
$this->assertNoEscaped('<', 'No escaped markup is present.'); $this->assertNoEscaped('<');
$this->assertBatchMessages($this->_resultMessages('batch_3'), 'Batch with simple and multistep operations performed successfully.'); $this->assertBatchMessages($this->_resultMessages('batch_3'), 'Batch with simple and multistep operations performed successfully.');
$this->assertEqual(batch_test_stack(), $this->_resultStack('batch_3'), 'Execution order was correct.'); $this->assertEqual(batch_test_stack(), $this->_resultStack('batch_3'), 'Execution order was correct.');
$this->assertText('Redirection successful.', 'Redirection after batch execution is correct.'); $this->assertText('Redirection successful.', 'Redirection after batch execution is correct.');
...@@ -85,7 +88,7 @@ public function testBatchForm() { ...@@ -85,7 +88,7 @@ public function testBatchForm() {
// Batch 4: nested batch. // Batch 4: nested batch.
$edit = ['batch' => 'batch_4']; $edit = ['batch' => 'batch_4'];
$this->drupalPostForm('batch-test', $edit, 'Submit'); $this->drupalPostForm('batch-test', $edit, 'Submit');
$this->assertNoEscaped('<', 'No escaped markup is present.'); $this->assertNoEscaped('<');
$this->assertBatchMessages($this->_resultMessages('batch_4'), 'Nested batch performed successfully.'); $this->assertBatchMessages($this->_resultMessages('batch_4'), 'Nested batch performed successfully.');
$this->assertEqual(batch_test_stack(), $this->_resultStack('batch_4'), 'Execution order was correct.'); $this->assertEqual(batch_test_stack(), $this->_resultStack('batch_4'), 'Execution order was correct.');
$this->assertText('Redirection successful.', 'Redirection after batch execution is correct.'); $this->assertText('Redirection successful.', 'Redirection after batch execution is correct.');
...@@ -121,7 +124,7 @@ public function testBatchForm() { ...@@ -121,7 +124,7 @@ public function testBatchForm() {
*/ */
public function testBatchFormMultistep() { public function testBatchFormMultistep() {
$this->drupalGet('batch-test/multistep'); $this->drupalGet('batch-test/multistep');
$this->assertNoEscaped('<', 'No escaped markup is present.'); $this->assertNoEscaped('<');
$this->assertText('step 1', 'Form is displayed in step 1.'); $this->assertText('step 1', 'Form is displayed in step 1.');
// First step triggers batch 1. // First step triggers batch 1.
...@@ -129,14 +132,14 @@ public function testBatchFormMultistep() { ...@@ -129,14 +132,14 @@ public function testBatchFormMultistep() {
$this->assertBatchMessages($this->_resultMessages('batch_1'), 'Batch for step 1 performed successfully.'); $this->assertBatchMessages($this->_resultMessages('batch_1'), 'Batch for step 1 performed successfully.');
$this->assertEqual(batch_test_stack(), $this->_resultStack('batch_1'), 'Execution order was correct.'); $this->assertEqual(batch_test_stack(), $this->_resultStack('batch_1'), 'Execution order was correct.');
$this->assertText('step 2', 'Form is displayed in step 2.'); $this->assertText('step 2', 'Form is displayed in step 2.');
$this->assertNoEscaped('<', 'No escaped markup is present.'); $this->assertNoEscaped('<');
// Second step triggers batch 2. // Second step triggers batch 2.
$this->drupalPostForm(NULL, [], 'Submit'); $this->drupalPostForm(NULL, [], 'Submit');
$this->assertBatchMessages($this->_resultMessages('batch_2'), 'Batch for step 2 performed successfully.'); $this->assertBatchMessages($this->_resultMessages('batch_2'), 'Batch for step 2 performed successfully.');
$this->assertEqual(batch_test_stack(), $this->_resultStack('batch_2'), 'Execution order was correct.'); $this->assertEqual(batch_test_stack(), $this->_resultStack('batch_2'), 'Execution order was correct.');
$this->assertText('Redirection successful.', 'Redirection after batch execution is correct.'); $this->assertText('Redirection successful.', 'Redirection after batch execution is correct.');
$this->assertNoEscaped('<', 'No escaped markup is present.'); $this->assertNoEscaped('<');
// Extra query arguments will trigger logic that will add them to the // Extra query arguments will trigger logic that will add them to the
// redirect URL. Make sure they are persisted. // redirect URL. Make sure they are persisted.
......
...@@ -286,7 +286,8 @@ public function testBreadCrumbs() { ...@@ -286,7 +286,8 @@ public function testBreadCrumbs() {
$link_path => $link->getTitle(), $link_path => $link->getTitle(),
]; ];
$this->assertBreadcrumb($link_path, $trail, $term->getName(), $tree); $this->assertBreadcrumb($link_path, $trail, $term->getName(), $tree);
$this->assertEscaped($parent->getTitle(), 'Tagged node found.'); // Ensure that the tagged node is found.
$this->assertEscaped($parent->getTitle());
// Additionally make sure that this link appears only once; i.e., the // Additionally make sure that this link appears only once; i.e., the
// untranslated menu links automatically generated from menu router items // untranslated menu links automatically generated from menu router items
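Review bot: The new comment `// Ensure that the tagged node is found.` repeats the old message but describes only presence, while the call underneath is `assertEscaped($parent->getTitle())`, which is about how the title is output. Wording such as `// Ensure that the parent title is displayed and escaped.` would match the assertion. Whether `$parent` is the tagged node is set up outside this hunk, so the comment should name whatever that variable actually holds.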
......
...@@ -68,7 +68,7 @@ protected function doTestHookMenuIntegration() { ...@@ -68,7 +68,7 @@ protected function doTestHookMenuIntegration() {
$this->assertLink('Local task A'); $this->assertLink('Local task A');
$this->assertLink('Local task B'); $this->assertLink('Local task B');
$this->assertNoLink('Local task C'); $this->assertNoLink('Local task C');
$this->assertEscaped("<script>alert('Welcome to the jungle!')</script>", ENT_QUOTES, 'UTF-8'); $this->assertEscaped("<script>alert('Welcome to the jungle!')</script>");
// Confirm correct local task href. // Confirm correct local task href.
$this->assertLinkByHref(Url::fromRoute('menu_test.router_test1', ['bar' => $machine_name])->toString()); $this->assertLinkByHref(Url::fromRoute('menu_test.router_test1', ['bar' => $machine_name])->toString());
$this->assertLinkByHref(Url::fromRoute('menu_test.router_test2', ['bar' => $machine_name])->toString()); $this->assertLinkByHref(Url::fromRoute('menu_test.router_test2', ['bar' => $machine_name])->toString());
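Review bot: `assertEscaped()` on the `<script>` string looks like a presence check only. Its implementation is not part of this page, but if it just looks for the HTML-escaped form in the response, a page that prints the label escaped in one place and raw in another still passes. For an XSS regression test the absence of the raw markup matters as much, so pairing it with `$this->assertNoRaw("<script>alert('Welcome to the jungle!')</script>");` would close that gap. The same consideration applies to the date-format check in testDateFormatConfiguration() and to the three checks in XssTest::testViewsUi(). doTestHookMenuIntegration() starts and ends outside this hunk.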
......
...@@ -159,7 +159,8 @@ public function testDateFormatConfiguration() { ...@@ -159,7 +159,8 @@ public function testDateFormatConfiguration() {
$date_format->save(); $date_format->save();
$this->drupalGet(Url::fromRoute('entity.date_format.collection')); $this->drupalGet(Url::fromRoute('entity.date_format.collection'));
$this->assertEscaped("<script>alert('XSS');</script>", 'The date format was properly escaped'); // Ensure that the date format is properly escaped.
$this->assertEscaped("<script>alert('XSS');</script>");
// Add a new date format with HTML in it. // Add a new date format with HTML in it.
$date_format_id = strtolower($this->randomMachineName(8)); $date_format_id = strtolower($this->randomMachineName(8));
......
...@@ -601,7 +601,7 @@ public function testTermBreadcrumbs() { ...@@ -601,7 +601,7 @@ public function testTermBreadcrumbs() {
$this->assertCount(2, $breadcrumbs, 'The breadcrumbs are present on the page.'); $this->assertCount(2, $breadcrumbs, 'The breadcrumbs are present on the page.');
$this->assertIdentical($breadcrumbs[0]->getText(), 'Home', 'First breadcrumb text is Home'); $this->assertIdentical($breadcrumbs[0]->getText(), 'Home', 'First breadcrumb text is Home');
$this->assertIdentical($breadcrumbs[1]->getText(), $term->label(), 'Second breadcrumb text is term name on term edit page.'); $this->assertIdentical($breadcrumbs[1]->getText(), $term->label(), 'Second breadcrumb text is term name on term edit page.');
$this->assertEscaped($breadcrumbs[1]->getText(), 'breadcrumbs displayed and escaped.'); $this->assertEscaped($breadcrumbs[1]->getText());
// Check the breadcrumb on the term delete page. // Check the breadcrumb on the term delete page.
$this->drupalGet('taxonomy/term/' . $term->id() . '/delete'); $this->drupalGet('taxonomy/term/' . $term->id() . '/delete');
...@@ -609,7 +609,7 @@ public function testTermBreadcrumbs() { ...@@ -609,7 +609,7 @@ public function testTermBreadcrumbs() {
$this->assertCount(2, $breadcrumbs, 'The breadcrumbs are present on the page.'); $this->assertCount(2, $breadcrumbs, 'The breadcrumbs are present on the page.');
$this->assertIdentical($breadcrumbs[0]->getText(), 'Home', 'First breadcrumb text is Home'); $this->assertIdentical($breadcrumbs[0]->getText(), 'Home', 'First breadcrumb text is Home');
$this->assertIdentical($breadcrumbs[1]->getText(), $term->label(), 'Second breadcrumb text is term name on term delete page.'); $this->assertIdentical($breadcrumbs[1]->getText(), $term->label(), 'Second breadcrumb text is term name on term delete page.');
$this->assertEscaped($breadcrumbs[1]->getText(), 'breadcrumbs displayed and escaped.'); $this->assertEscaped($breadcrumbs[1]->getText());
} }
} }
...@@ -23,11 +23,13 @@ class XssTest extends UITestBase { ...@@ -23,11 +23,13 @@ class XssTest extends UITestBase {
public function testViewsUi() { public function testViewsUi() {
$this->drupalGet('admin/structure/views/view/sa_contrib_2013_035'); $this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
$this->assertEscaped('<marquee>test</marquee>', 'Field admin label is properly escaped.'); // Verify that the field admin label is properly escaped.
$this->assertEscaped('<marquee>test</marquee>');
$this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area'); $this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
$this->assertEscaped('{{ title }} == <marquee>test</marquee>', 'Token label is properly escaped.'); // Verify that the token label is properly escaped.
$this->assertEscaped('{{ title_1 }} == <script>alert("XSS")</script>', 'Token label is properly escaped.'); $this->assertEscaped('{{ title }} == <marquee>test</marquee>');
$this->assertEscaped('{{ title_1 }} == <script>alert("XSS")</script>');
} }
/** /**
......