XssTest.php 1.21 KB
Newer Older
1 2
<?php

3
namespace Drupal\Tests\views_ui\Functional;
4 5

/**
6 7
 * Tests the Xss vulnerability.
 *
8 9 10 11 12 13 14 15 16
 * @group views_ui
 */
class XssTest extends UITestBase {

  /**
   * Modules to enable.
   *
   * @var array
   */
17
  public static $modules = ['node', 'user', 'views_ui', 'views_ui_test'];
18 19 20

  public function testViewsUi() {
    $this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
21
    $this->assertEscaped('<marquee>test</marquee>', 'Field admin label is properly escaped.');
22 23

    $this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39
    $this->assertEscaped('{{ title }} == <marquee>test</marquee>', 'Token label is properly escaped.');
    $this->assertEscaped('{{ title_1 }} == <script>alert("XSS")</script>', 'Token label is properly escaped.');
  }

  /**
   * Checks the admin UI for double escaping.
   */
  public function testNoDoubleEscaping() {
    $this->drupalGet('admin/structure/views');
    $this->assertNoEscaped('&lt;');

    $this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
    $this->assertNoEscaped('&lt;');

    $this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
    $this->assertNoEscaped('&lt;');
40 41 42
  }

}