function EntityReferenceXSSTest::testEntityReferenceXSS

Same name and namespace in other branches
  1. 9 core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php \Drupal\Tests\field\Functional\EntityReference\EntityReferenceXSSTest::testEntityReferenceXSS()
  2. 8.9.x core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php \Drupal\Tests\field\Functional\EntityReference\EntityReferenceXSSTest::testEntityReferenceXSS()
  3. 11.x core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php \Drupal\Tests\field\Functional\EntityReference\EntityReferenceXSSTest::testEntityReferenceXSS()

Tests that markup in entity titles and bundle labels is escaped in the entity reference select widget and in the entity reference label formatter.

File

core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php, line 34

Class

EntityReferenceXSSTest
Tests possible XSS security issues in entity references.

Namespace

Drupal\Tests\field\Functional\EntityReference

Code

public function testEntityReferenceXSS() : void {
  $this->drupalCreateContentType([
    'type' => 'article',
  ]);
  // Create a node with markup in the title.
  $node_type_one = $this->drupalCreateContentType();
  $node = [
    'type' => $node_type_one->id(),
    'title' => '<em>I am kitten</em>',
  ];
  $referenced_node = $this->drupalCreateNode($node);
  $node_type_two = $this->drupalCreateContentType([
    'name' => '<em>bundle with markup</em>',
  ]);
  $this->drupalCreateNode([
    'type' => $node_type_two->id(),
    'title' => 'My bundle has markup',
  ]);
  // Reference both bundles so the select widget groups its options by
  // bundle label (optgroup); this exposes the bundle label with markup.
  $this->createEntityReferenceField('node', 'article', 'entity_reference_test', 'Entity Reference test', 'node', 'default', [
    'target_bundles' => [
      $node_type_one->id(),
      $node_type_two->id(),
    ],
  ]);
  // Use the options_select widget on the form and the label formatter on
  // the display, the two places where the referenced title is rendered.
  EntityFormDisplay::load('node.article.default')
    ->setComponent('entity_reference_test', ['type' => 'options_select'])
    ->save();
  EntityViewDisplay::load('node.article.default')
    ->setComponent('entity_reference_test', ['type' => 'entity_reference_label'])
    ->save();
  // Create a node and reference the node with markup in the title.
  $this->drupalLogin($this->drupalCreateUser([
    'create article content',
  ]));
  $this->drupalGet('node/add/article');
  $this->assertSession()
    ->assertEscaped($referenced_node->getTitle());
  $this->assertSession()
    ->assertEscaped($node_type_two->label());
  $edit = [
    'title[0][value]' => $this->randomString(),
    'entity_reference_test' => $referenced_node->id(),
  ];
  $this->submitForm($edit, 'Save');
  $this->assertSession()
    ->assertEscaped($referenced_node->getTitle());
  // Test the options_buttons type.
  EntityFormDisplay::load('node.article.default')
    ->setComponent('entity_reference_test', ['type' => 'options_buttons'])
    ->save();
  $this->drupalGet('node/add/article');
  $this->assertSession()
    ->assertEscaped($referenced_node->getTitle());
  // options_buttons does not support optgroups.
  $this->assertSession()
    ->pageTextNotContains('bundle with markup');
}