function EntityReferenceXSSTest::testEntityReferenceXSS

Same name and namespace in other branches
  1. 9 core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php \Drupal\Tests\field\Functional\EntityReference\EntityReferenceXSSTest::testEntityReferenceXSS()
  2. 8.9.x core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php \Drupal\Tests\field\Functional\EntityReference\EntityReferenceXSSTest::testEntityReferenceXSS()
  3. 10 core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php \Drupal\Tests\field\Functional\EntityReference\EntityReferenceXSSTest::testEntityReferenceXSS()

Tests that markup in entity titles and bundle labels is escaped in the entity reference select widget and in the label formatter.

File

core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php, line 44

Class

EntityReferenceXSSTest
Tests possible XSS security issues in entity references.

Namespace

Drupal\Tests\field\Functional\EntityReference

Code

public function testEntityReferenceXSS() : void {
    // The 'article' bundle is the one that will carry the reference field.
    $this->drupalCreateContentType([
        'type' => 'article',
    ]);
    // Create a node with markup in the title.
    $node_type_one = $this->drupalCreateContentType();
    $node = [
        'type' => $node_type_one->id(),
        'title' => '<em>I am kitten</em>',
    ];
    $referenced_node = $this->drupalCreateNode($node);
    // Create a second bundle whose label itself contains markup; the select
    // widget renders bundle labels as optgroup labels.
    $node_type_two = $this->drupalCreateContentType([
        'name' => '<em>bundle with markup</em>',
    ]);
    $this->drupalCreateNode([
        'type' => $node_type_two->id(),
        'title' => 'My bundle has markup',
    ]);
    // Reference field on 'article' that may target either bundle.
    $this->createEntityReferenceField('node', 'article', 'entity_reference_test', 'Entity Reference test', 'node', 'default', [
        'target_bundles' => [
            $node_type_one->id(),
            $node_type_two->id(),
        ],
    ]);
    // Select widget on the form display, label formatter on the view display.
    EntityFormDisplay::load('node.article.default')
        ->setComponent('entity_reference_test', ['type' => 'options_select'])
        ->save();
    EntityViewDisplay::load('node.article.default')
        ->setComponent('entity_reference_test', ['type' => 'entity_reference_label'])
        ->save();
    // Create a node and reference the node with markup in the title.
    $this->drupalLogin($this->rootUser);
    $this->drupalGet('node/add/article');
    // The select widget must show the escaped title and bundle label.
    $this->assertSession()->assertEscaped($referenced_node->getTitle());
    $this->assertSession()->assertEscaped($node_type_two->label());
    $edit = [
        'title[0][value]' => $this->randomString(),
        'entity_reference_test' => $referenced_node->id(),
    ];
    $this->submitForm($edit, 'Save');
    // After saving, the label formatter must render the title escaped too.
    $this->assertSession()->assertEscaped($referenced_node->getTitle());
    // Test the options_buttons type.
    EntityFormDisplay::load('node.article.default')
        ->setComponent('entity_reference_test', ['type' => 'options_buttons'])
        ->save();
    $this->drupalGet('node/add/article');
    $this->assertSession()->assertEscaped($referenced_node->getTitle());
    // options_buttons does not support optgroups.
    $this->assertSession()->pageTextNotContains('bundle with markup');
}
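The test above only asserts that the escaped form of each label appears on the page. The following is an added, framework-free example (not Drupal core code) of the contract it exercises: entity titles and bundle labels are user-controlled strings that end up inside option markup, so a select widget must escape both. renderSelectOptions() and checkEscaping() are hypothetical helpers written for this example; escapeHtml() makes the same htmlspecialchars() call Drupal's Html::escape() does. checkEscaping() goes one step beyond assertEscaped() by also rejecting a label that appears as live markup, and the example assumes PHP 8 for str_contains().

```php
<?php
// Added example, not Drupal core code. renderSelectOptions() and
// checkEscaping() are hypothetical helpers that stand in for the select
// widget and for the WebAssert::assertEscaped() check used in the test.
declare(strict_types=1);

// Same call Drupal's Html::escape() makes.
function escapeHtml(string $raw): string {
  return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Builds the option list of a select widget.
 *
 * @param array<string, array<int, string>> $options
 *   Bundle label => [entity id => entity label].
 * @param bool $escape
 *   TRUE is the correct behaviour; FALSE reproduces the defect the test
 *   guards against (raw labels concatenated into markup).
 */
function renderSelectOptions(array $options, bool $escape = TRUE): string {
  $out = fn(string $s): string => $escape ? escapeHtml($s) : $s;
  $html = '<select name="entity_reference_test">';
  foreach ($options as $bundle_label => $entities) {
    // Bundle labels become optgroup labels, so they need escaping too.
    $html .= '<optgroup label="' . $out($bundle_label) . '">';
    foreach ($entities as $id => $label) {
      $html .= '<option value="' . (int) $id . '">' . $out($label) . '</option>';
    }
    $html .= '</optgroup>';
  }
  return $html . '</select>';
}

/**
 * Mirrors what assertEscaped() checks (the escaped form of the raw string
 * must be present) and additionally flags the raw string surviving as
 * markup, which the escaped-form check alone does not cover.
 *
 * @param string[] $raw_labels
 *   The raw, unescaped labels that were fed into the widget.
 *
 * @return string[]
 *   Human-readable failures; empty when the page is clean.
 */
function checkEscaping(string $page, array $raw_labels): array {
  $failures = [];
  foreach ($raw_labels as $raw) {
    if (!str_contains($page, escapeHtml($raw))) {
      $failures[] = "escaped form of '$raw' not found";
    }
    // Only meaningful for labels that actually contain markup characters.
    if ($raw !== escapeHtml($raw) && str_contains($page, $raw)) {
      $failures[] = "'$raw' appears unescaped";
    }
  }
  return $failures;
}

// Constructed sample data using the same labels as the test.
$labels = ['<em>I am kitten</em>', '<em>bundle with markup</em>'];
$options = [
  '<em>bundle with markup</em>' => [1 => 'My bundle has markup'],
  'Plain bundle' => [2 => '<em>I am kitten</em>'],
];

$good = renderSelectOptions($options, TRUE);
$bad = renderSelectOptions($options, FALSE);

// The escaping widget passes; the unescaped one fails both checks for
// both labels.
if (checkEscaping($good, $labels) !== []) {
  throw new RuntimeException('escaped widget leaked markup');
}
if (count(checkEscaping($bad, $labels)) !== 4) {
  throw new RuntimeException('unescaped widget was not detected');
}
print_r(checkEscaping($bad, $labels));
```

The second check in checkEscaping() matters because a page can contain the escaped string somewhere (a field description, for instance) while still rendering the raw label elsewhere; asserting the absence of the raw markup, where the label is not already markup-free, closes that gap.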
