function BlockXssTest::doViewTest
Same name in other branches
- 9 core/modules/block/tests/src/Functional/BlockXssTest.php \Drupal\Tests\block\Functional\BlockXssTest::doViewTest()
- 8.9.x core/modules/block/tests/src/Functional/BlockXssTest.php \Drupal\Tests\block\Functional\BlockXssTest::doViewTest()
- 11.x core/modules/block/tests/src/Functional/BlockXssTest.php \Drupal\Tests\block\Functional\BlockXssTest::doViewTest()
Tests XSS coming from View block labels.
1 call to BlockXssTest::doViewTest()
- BlockXssTest::testBlockXss in core/modules/block/tests/src/Functional/BlockXssTest.php - Tests various modules that provide blocks for XSS.
File
- core/modules/block/tests/src/Functional/BlockXssTest.php, line 104
Class
- BlockXssTest
- Tests that the block module properly escapes block descriptions.
Namespace
Drupal\Tests\block\Functional
Code
protected function doViewTest() {
  // Create a View without a custom label for its block Display. The
  // admin_label of the block then becomes just the View's label.
  $view = View::create([
    'id' => $this->randomMachineName(),
    'label' => '<script>alert("view1");</script>',
  ]);
  $view->addDisplay('block');
  $view->save();

  // Create a View with a custom label for its block Display. The
  // admin_label of the block then becomes the View's label combined with
  // the Display's label.
  $view = View::create([
    'id' => $this->randomMachineName(),
    'label' => '<script>alert("view2");</script>',
  ]);
  $view->addDisplay('block', 'Fish & chips');
  $view->save();

  $this->drupalGet(Url::fromRoute('block.admin_display'));
  $this->clickLink('Place block');

  // \Drupal\views\Plugin\Derivative\ViewsBlock::getDerivativeDefinitions()
  // has a different code path for an admin label based only on the View
  // label versus one based on both the View label and the Display label.
  // Ensure that this test is covering both code paths by asserting the
  // absence of a ":" for the first View and the presence of a ":" for the
  // second one. Note that the second assertion is redundant with the one
  // further down which also checks for the Display label, but is included
  // here for clarity.
  $this->assertSession()->assertNoEscaped('<script>alert("view1");</script>:');
  $this->assertSession()->assertEscaped('<script>alert("view2");</script>:');

  // Assert that the blocks have their admin labels escaped and
  // don't appear anywhere unescaped.
  $this->assertSession()->assertEscaped('<script>alert("view1");</script>');
  $this->assertSession()->responseNotContains('<script>alert("view1");</script>');
  $this->assertSession()->assertEscaped('<script>alert("view2");</script>: Fish & chips');
  $this->assertSession()->responseNotContains('<script>alert("view2");</script>');
  $this->assertSession()->responseNotContains('Fish & chips');

  // Assert the Display label doesn't appear anywhere double escaped.
  $this->assertSession()->responseNotContains('Fish & chips');
  $this->assertSession()->responseNotContains('Fish &amp; chips');
}
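The invariant this test enforces for each user-controlled label (escaped form present, raw form absent, no double escaping) as a stand-alone PHP example; this is added here and is not Drupal core code or part of the test. The functions escapeLikeDrupal(), buildAdminLabel() and checkLabelEscaping() and the sample HTML are constructed for illustration: escapeLikeDrupal() mirrors what Html::escape() does with htmlspecialchars(), and buildAdminLabel() approximates the '@view: @display' placeholder substitution used for the admin label.

```php
<?php
// Added example, not Drupal core code: reproduces the escaping checks of
// BlockXssTest::doViewTest() in plain PHP. Names and sample HTML are constructed.

// Mirror Html::escape(): htmlspecialchars() with ENT_QUOTES, never decoding.
function escapeLikeDrupal(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the admin label like the '@view: @display' pattern: each placeholder
// is escaped exactly once; a View without a Display label gets no ":" part.
function buildAdminLabel(string $viewLabel, ?string $displayLabel): string {
  $label = escapeLikeDrupal($viewLabel);
  if ($displayLabel !== null && $displayLabel !== '') {
    $label .= ': ' . escapeLikeDrupal($displayLabel);
  }
  return $label;
}

// The three checks the test performs per untrusted string: escaped form
// present, raw form absent, double-escaped form absent. Returns a list of
// problems; an empty list means the rendered response is correct.
function checkLabelEscaping(string $response, string $raw): array {
  $problems = [];
  $once = escapeLikeDrupal($raw);
  $twice = escapeLikeDrupal($once);
  if (strpos($response, $once) === false) {
    $problems[] = "escaped form missing: $once";
  }
  if ($raw !== $once && strpos($response, $raw) !== false) {
    $problems[] = "raw (unescaped) form present: $raw";
  }
  if (strpos($response, $twice) !== false) {
    $problems[] = "double-escaped form present: $twice";
  }
  return $problems;
}

// Constructed sample responses: correct, unescaped (XSS), and double-escaped.
$viewLabel = '<script>alert("view2");</script>';
$displayLabel = 'Fish & chips';
$good = '<td>' . buildAdminLabel($viewLabel, $displayLabel) . '</td>';
$unescaped = '<td>' . $viewLabel . ': ' . $displayLabel . '</td>';
$double = '<td>' . escapeLikeDrupal(buildAdminLabel($viewLabel, $displayLabel)) . '</td>';
foreach (['good' => $good, 'unescaped' => $unescaped, 'double' => $double] as $name => $html) {
  $problems = checkLabelEscaping($html, $viewLabel . ': ' . $displayLabel);
  printf("%-9s %s\n", $name, $problems ? implode('; ', $problems) : 'OK');
}
```

Only the "good" response passes all three checks; the unescaped sample trips the raw-form check and the double-escaped sample trips the double-escaping check, which is the same split the test's assertEscaped() and responseNotContains() calls make.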