class NodeTitleXSSTest
Same name and namespace in other branches
- 11.x core/modules/node/tests/src/Functional/NodeTitleXSSTest.php \Drupal\Tests\node\Functional\NodeTitleXSSTest
- 10 core/modules/node/tests/src/Functional/NodeTitleXSSTest.php \Drupal\Tests\node\Functional\NodeTitleXSSTest
- 8.9.x core/modules/node/tests/src/Functional/NodeTitleXSSTest.php \Drupal\Tests\node\Functional\NodeTitleXSSTest
Tests that dangerous tags in the node title are escaped.
@group node
Hierarchy
- class \Drupal\Tests\BrowserTestBase uses \Drupal\Core\Test\FunctionalTestSetupTrait, \Drupal\Tests\UiHelperTrait, \Drupal\Core\Test\TestSetupTrait, \Drupal\Tests\block\Traits\BlockCreationTrait, \Drupal\FunctionalTests\AssertLegacyTrait, \Drupal\Tests\RandomGeneratorTrait, \Drupal\Tests\node\Traits\NodeCreationTrait, \Drupal\Tests\node\Traits\ContentTypeCreationTrait, \Drupal\Tests\ConfigTestTrait, \Drupal\Tests\TestRequirementsTrait, \Drupal\Tests\user\Traits\UserCreationTrait, \Drupal\Tests\XdebugRequestTrait, \Drupal\Tests\Traits\PhpUnitWarnings, \Drupal\Tests\PhpUnitCompatibilityTrait, \Symfony\Bridge\PhpUnit\ExpectDeprecationTrait, \Drupal\Tests\ExtensionListTestTrait extends \PHPUnit\Framework\TestCase
- class \Drupal\Tests\node\Functional\NodeTestBase extends \Drupal\Tests\BrowserTestBase
- class \Drupal\Tests\node\Functional\NodeTitleXSSTest extends \Drupal\Tests\node\Functional\NodeTestBase
- class \Drupal\Tests\node\Functional\NodeTestBase extends \Drupal\Tests\BrowserTestBase
File
core/modules/node/tests/src/Functional/NodeTitleXSSTest.php, line 12
Namespace
Drupal\Tests\node\Functional
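/**
 * Tests that dangerous tags in the node title are escaped.
 *
 * @group node
 */
class NodeTitleXSSTest extends NodeTestBase {

  /**
   * {@inheritdoc}
   */
  protected $defaultTheme = 'stark';

  /**
   * Tests XSS functionality with a node entity.
   *
   * Puts a script tag into a node title and checks that the raw tag is absent
   * from the preview, view and edit responses. The preview and edit steps only
   * make negative assertions, so each one first requires a successful
   * response; otherwise an error page would satisfy them vacuously.
   */
  public function testNodeTitleXSS() {
    // Log in as a user who may create and edit page nodes.
    $web_user = $this->drupalCreateUser([
      'create page content',
      'edit any page content',
    ]);
    $this->drupalLogin($web_user);

    // Title under test: a script tag followed by a random machine name.
    $xss = '<script>alert("xss")</script>';
    $title = $xss . $this->randomMachineName();

    // Submit the title through the node add form and request a preview.
    $edit = [];
    $edit['title[0][value]'] = $title;
    $this->drupalGet('node/add/page');
    $this->submitForm($edit, 'Preview');

    // An access-denied or error response would not contain the payload
    // either, so confirm the preview actually rendered before checking it.
    $this->assertSession()
      ->statusCodeEquals(200);
    // Verify that harmful tags are escaped when previewing a node.
    $this->assertSession()
      ->responseNotContains($xss);

    // Create a node with the same title through the API. No 'type' is passed,
    // so drupalCreateNode()'s default applies.
    $settings = [
      'title' => $title,
    ];
    $node = $this->drupalCreateNode($settings);

    $this->drupalGet('node/' . $node->id());
    // Titles should be escaped. The positive check on the <title> element
    // shows the title was rendered, in its escaped form.
    $this->assertSession()
      ->responseContains('<title>' . Html::escape($title) . ' | Drupal</title>');
    $this->assertSession()
      ->responseNotContains($xss);

    $this->drupalGet('node/' . $node->id() . '/edit');
    // As with the preview, require a successful response so the negative
    // assertion on the edit form is meaningful.
    $this->assertSession()
      ->statusCodeEquals(200);
    $this->assertSession()
      ->responseNotContains($xss);
  }

}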