function BlockXssTest::testXssInTitle

Same name and namespace in other branches
  1. 9 core/modules/block/tests/src/Functional/BlockXssTest.php \Drupal\Tests\block\Functional\BlockXssTest::testXssInTitle()
  2. 8.9.x core/modules/block/tests/src/Functional/BlockXssTest.php \Drupal\Tests\block\Functional\BlockXssTest::testXssInTitle()
  3. 11.x core/modules/block/tests/src/Functional/BlockXssTest.php \Drupal\Tests\block\Functional\BlockXssTest::testXssInTitle()

Tests XSS in title.

File

core/modules/block/tests/src/Functional/BlockXssTest.php, line 47

Class

BlockXssTest
Tests that the block module properly escapes block descriptions.

Namespace

Drupal\Tests\block\Functional

Code

public function testXssInTitle() : void {
  $this->container
    ->get('module_installer')
    ->install([
    'block_test',
  ]);
  $this->drupalPlaceBlock('test_xss_title', [
    'label' => '<script>alert("XSS label");</script>',
  ]);
  \Drupal::keyValue('block_test')->set('content', $this->randomMachineName());
  $this->drupalGet('');
  // Check that the block title was properly sanitized when rendered.
  $this->assertSession()
    ->responseNotContains('<script>alert("XSS label");</script>');
  $this->drupalLogin($this->drupalCreateUser([
    'administer blocks',
    'access administration pages',
  ]));
  $default_theme = $this->config('system.theme')
    ->get('default');
  $this->drupalGet('admin/structure/block/list/' . $default_theme);
  // Check that the block title was properly sanitized in Block Plugin UI
  // Admin page.
  $this->assertSession()
    ->responseNotContains("<script>alert('XSS subject');</script>");
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.