NodeTitleXSSTest.php

Definition of Drupal\node\Tests\NodeTitleXSSTest.

Namespace

Drupal\node\Tests

File

drupal/core/modules/node/lib/Drupal/node/Tests/NodeTitleXSSTest.php
View source
<?php

/**
 * @file
 * Definition of Drupal\node\Tests\NodeTitleXSSTest.
 */
namespace Drupal\node\Tests;


/**
 * Tests XSS functionality with a node entity.
 */
class NodeTitleXSSTest extends NodeTestBase {
  public static function getInfo() {
    return array(
      'name' => 'Node title XSS filtering',
      'description' => 'Create a node with dangerous tags in its title and test that they are escaped.',
      'group' => 'Node',
    );
  }

  /**
   * Tests XSS functionality with a node entity.
   */
  function testNodeTitleXSS() {

    // Prepare a user to do the stuff.
    $web_user = $this
      ->drupalCreateUser(array(
      'create page content',
      'edit any page content',
    ));
    $this
      ->drupalLogin($web_user);
    $xss = '<script>alert("xss")</script>';
    $title = $xss . $this
      ->randomName();
    $edit = array(
      "title" => $title,
    );
    $this
      ->drupalPost('node/add/page', $edit, t('Preview'));
    $this
      ->assertNoRaw($xss, 'Harmful tags are escaped when previewing a node.');
    $settings = array(
      'title' => $title,
    );
    $node = $this
      ->drupalCreateNode($settings);
    $this
      ->drupalGet('node/' . $node->nid);

    // assertTitle() decodes HTML-entities inside the <title> element.
    $this
      ->assertTitle($edit["title"] . ' | Drupal', 'Title is diplayed when viewing a node.');
    $this
      ->assertNoRaw($xss, 'Harmful tags are escaped when viewing a node.');
    $this
      ->drupalGet('node/' . $node->nid . '/edit');
    $this
      ->assertNoRaw($xss, 'Harmful tags are escaped when editing a node.');
  }

}

Classes

Namesort descending Description
NodeTitleXSSTest Tests XSS functionality with a node entity.