<?php

/**
 * @file
 * Contains \Drupal\filter\Tests\FilterSecurityTest.
 */

namespace Drupal\filter\Tests;

use Drupal\simpletest\WebTestBase;
use Drupal\filter\Plugin\FilterInterface;
use Drupal\user\RoleInterface;

/**
 * Tests the behavior of check_markup() when a filter or text format vanishes,
 * or when check_markup() is called in such a way that it is instructed to skip
 * all filters of the "FilterInterface::TYPE_HTML_RESTRICTOR" type.
 *
 * @group filter
 */
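class FilterSecurityTest extends WebTestBase {

  /**
   * Modules to enable.
   *
   * @var array
   */
  public static $modules = array('node', 'filter_test');

  /**
   * A user with administrative permissions.
   *
   * @var \Drupal\user\UserInterface
   */
  protected $adminUser;

  /**
   * Prepares the fixtures shared by the tests in this class.
   *
   * Creates the 'page' content type, grants the anonymous role permission to
   * use the 'filtered_html' text format, and logs in a user who may administer
   * modules, filters and site configuration.
   */
  protected function setUp() {
    parent::setUp();

    // Create Basic page node type.
    $this->drupalCreateContentType(array('type' => 'page', 'name' => 'Basic page'));

    // Allow anonymous users to use the 'filtered_html' text format.
    /** @var \Drupal\filter\Entity\FilterFormat $filtered_html_format */
    $filtered_html_format = entity_load('filter_format', 'filtered_html');
    $filtered_html_permission = $filtered_html_format->getPermissionName();
    user_role_grant_permissions(RoleInterface::ANONYMOUS_ID, array($filtered_html_permission));

    // The tests change text format configuration through the admin UI, so they
    // run as a user holding the filter administration permission.
    $this->adminUser = $this->drupalCreateUser(array('administer modules', 'administer filters', 'administer site configuration'));
    $this->drupalLogin($this->adminUser);
  }

  /**
   * Tests removal of filtered content when an active text format is disabled.
   *
   * Despite the method name, the steps below disable the text format used by
   * the node body (through its admin "disable" form), not a module. The body
   * must then render as empty output: neither the raw stored value nor the
   * output of the filters that were enabled on the format may be shown.
   */
  public function testDisableFilterModule() {
    // Create a new node.
    $node = $this->drupalCreateNode(array('promote' => 1));
    $body_raw = $node->body->value;
    $format_id = $node->body->format;
    $this->drupalGet('node/' . $node->id());
    $this->assertText($body_raw, 'Node body found.');

    // Enable the filter_test_replace filter.
    // NOTE(review): presumably provided by the filter_test module listed in
    // $modules; confirm against that module.
    $edit = array(
      'filters[filter_test_replace][status]' => 1,
    );
    $this->drupalPostForm('admin/config/content/formats/manage/' . $format_id, $edit, t('Save configuration'));

    // Verify that filter_test_replace filter replaced the content.
    $this->drupalGet('node/' . $node->id());
    $this->assertNoText($body_raw, 'Node body not found.');
    $this->assertText('Filter: Testing filter', 'Testing filter output found.');

    // Disable the text format entirely.
    $this->drupalPostForm('admin/config/content/formats/manage/' . $format_id . '/disable', array(), t('Disable'));

    // Verify that the content is empty, because the text format does not exist.
    $this->drupalGet('node/' . $node->id());
    // The raw body must not be shown as a fallback for the missing format.
    $this->assertNoText($body_raw, 'Node body not found.');
    // The raw body was already absent in the previous step, so the assertion
    // above alone would still pass if the replaced output kept being rendered.
    // Checking that the filter output is gone as well pins down "empty".
    $this->assertNoText('Filter: Testing filter', 'Testing filter output not found after the text format was disabled.');
  }

  /**
   * Tests that security filters are enforced even when marked to be skipped.
   *
   * Runs check_markup() on text containing disallowed tags twice: once with an
   * empty list of filter types to skip, and once with
   * FilterInterface::TYPE_HTML_RESTRICTOR in that list. Both calls must return
   * the same restricted output, i.e. a caller-supplied skip list must not be
   * able to switch off filters of the HTML restrictor type.
   */
  public function testSkipSecurityFilters() {
    $text = "Text with some disallowed tags: <script />, <p><object>unicorn</object></p>, <i><table></i>.";
    $expected_filtered_text = "Text with some disallowed tags: , <p>unicorn</p>, .";

    // Baseline: nothing is requested to be skipped.
    $this->assertEqual(check_markup($text, 'filtered_html', '', array()), $expected_filtered_text, 'Expected filter result.');
    // Requesting to skip the HTML restrictor type must not change the result.
    $this->assertEqual(check_markup($text, 'filtered_html', '', array(FilterInterface::TYPE_HTML_RESTRICTOR)), $expected_filtered_text, 'Expected filter result, even when trying to disable filters of the FilterInterface::TYPE_HTML_RESTRICTOR type.');
  }

}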