function BlockXssTest::testXssInTitle

Same name in other branches
  1. 9 core/modules/block/tests/src/Functional/BlockXssTest.php \Drupal\Tests\block\Functional\BlockXssTest::testXssInTitle()
  2. 8.9.x core/modules/block/tests/src/Functional/BlockXssTest.php \Drupal\Tests\block\Functional\BlockXssTest::testXssInTitle()
  3. 11.x core/modules/block/tests/src/Functional/BlockXssTest.php \Drupal\Tests\block\Functional\BlockXssTest::testXssInTitle()

Tests that a block label containing script markup is escaped, both on the rendered front-end page and on the block administration listing.

File

core/modules/block/tests/src/Functional/BlockXssTest.php, line 47

Class

BlockXssTest
Tests that the block module properly escapes block descriptions.

Namespace

Drupal\Tests\block\Functional

Code

public function testXssInTitle() : void {
  // block_test provides the 'test_xss_title' plugin placed below.
  $this->container->get('module_installer')->install(['block_test']);
  // Place the block with a script tag as its configured label.
  $this->drupalPlaceBlock('test_xss_title', [
    'label' => '<script>alert("XSS label");</script>',
  ]);
  \Drupal::state()->set('block_test.content', $this->randomMachineName());

  // Front end: the raw label must not reach the rendered page.
  $this->drupalGet('');
  $this->assertSession()->responseNotContains('<script>alert("XSS label");</script>');

  // Admin UI: the block listing for the default theme must not emit raw
  // script markup either. 'XSS subject' is the admin label declared by the
  // block_test plugin, not the instance label placed above, so the two
  // assertions target different strings.
  $this->drupalLogin($this->drupalCreateUser([
    'administer blocks',
    'access administration pages',
  ]));
  $default_theme = $this->config('system.theme')->get('default');
  $this->drupalGet('admin/structure/block/list/' . $default_theme);
  $this->assertSession()->responseNotContains("<script>alert('XSS subject');</script>");
}
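The escaping the two assertions rely on, shown outside Drupal as an added example (not code from this page or from Drupal core). renderTitleSafe() applies the same htmlspecialchars() call that \Drupal\Component\Utility\Html::escape() wraps; renderTitleUnsafe(), renderTitleHidden() and the two check functions are hypothetical helpers standing in for the theme layer and for the test's assertion. It runs with plain `php` and needs no Drupal install.

```php
<?php
// Added example, not Drupal core code. Mimics, outside Drupal, what
// testXssInTitle() depends on: a block label is escaped before it reaches
// the page. All function names here are hypothetical helpers.

declare(strict_types=1);

// The two payloads the test looks for: the placed label (double quotes)
// and the block_test plugin's admin label (single quotes).
const PAYLOADS = [
  'label'   => '<script>alert("XSS label");</script>',
  'subject' => "<script>alert('XSS subject');</script>",
];

/** Unsafe: label dropped into markup verbatim (what the test guards against). */
function renderTitleUnsafe(string $label): string {
  return '<h2 class="block-title">' . $label . '</h2>';
}

/**
 * Safe: the same escaping Html::escape() performs, i.e. htmlspecialchars()
 * with ENT_QUOTES | ENT_SUBSTITUTE and UTF-8. ENT_QUOTES matters for the
 * single-quoted admin-label payload.
 */
function renderTitleSafe(string $label): string {
  $escaped = htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  return '<h2 class="block-title">' . $escaped . '</h2>';
}

/** Title not rendered at all, e.g. label display switched off. */
function renderTitleHidden(string $label): string {
  return '';
}

/** The negative check the test uses: the raw payload must not appear. */
function rawScriptAbsent(string $html, string $label): bool {
  return strpos($html, $label) === false;
}

/** Stronger check: the escaped label must appear and the raw one must not. */
function escapedLabelPresent(string $html, string $label): bool {
  $escaped = htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  return rawScriptAbsent($html, $label) && strpos($html, $escaped) !== false;
}

foreach (PAYLOADS as $which => $payload) {
  $cases = [
    'unsafe' => renderTitleUnsafe($payload),
    'safe'   => renderTitleSafe($payload),
    'hidden' => renderTitleHidden($payload),
  ];
  foreach ($cases as $name => $html) {
    printf(
      "%-7s %-6s raw-absent=%-5s escaped-present=%s\n",
      $which,
      $name,
      var_export(rawScriptAbsent($html, $payload), true),
      var_export(escapedLabelPresent($html, $payload), true)
    );
  }
}
```

The hidden case is the caveat worth carrying back to the test: responseNotContains() alone also passes when the title is not rendered at all, so a regression that silently drops block titles would not fail it. Pairing the negative check with a positive check for the escaped form, as escapedLabelPresent() does, catches that case as well.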
